
MD102


Question 1:

You need to ensure that the Microsoft Office application used on iOS mobile
devices by Nutex employees is restricting Save-As and Cut, Copy, Paste to protect
sensitive corporate documents from being compromised. You decide to implement
an Application Protection Policy in Microsoft Intune.

After defining the required data protection settings in the policy for the specific
apps you wish to protect, what else must you do to implement this policy?

A) On the Assignments pane select the Azure AD groups to apply this policy to

(Correct)

B) In the Overview pane for your policy, click Activate

C) Ensure all devices are protected by Intune Mobile Device Management

D) Configure the IntuneMAMUPN setting in your policy


Explanation
You will need to select the user groups from Azure Active Directory to which you
want to apply the policy. On the Assignments pane you should include the Azure AD
groups to apply this policy to. This Application Protection policy will not apply to
anyone unless assignments are made to include specific groups.

You cannot click Activate in the Overview pane for your policy. This option is not
available for Application Protection policies.

You do not have to ensure that all devices are protected by Intune Mobile Device
Management. While Application Protection policies can be applied to devices
protected by Intune Mobile Device Management, it is not a requirement for
implementing these policies.

You do not have to configure the IntuneMAMUPN setting in your policy. This is only
required when you are implementing these policies for devices protected by Intune
Mobile Device Management and is therefore not necessary for the specified
scenario.
Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

What is app management in Microsoft Intune? | Microsoft Learn

Create and deploy app protection policies - Microsoft Intune | Microsoft Learn

Question 2:
Verigon Corporation plans to put a large touchscreen in their reception area to
assist visitors in finding the correct department. A Windows 10 laptop will run an
application created for this purpose. For security purposes, only the touchscreen
and keyboard will be accessible. The laptop is not domain-joined.

What should you do to ensure that visitors cannot perform any action that is not
part of the reception application? (Choose all that apply.)

A) Join the laptop to the Verigon.com domain

B) Configure Windows Spotlight on the lock screen

C) Change the default sign-in options

D) Enable User Account Control on the laptop

(Correct)

E) Create a kiosk account

(Correct)

Explanation
You must enable User Account Control on the laptop. This action is required to
enable Kiosk Mode. There are several ways to choose Kiosk mode, including via
Group Policy and configuring a single-app within XML in a provisioning package by
using a kiosk profile. The easiest method, however, is to select Set up a Kiosk
in Settings.

You will need to create a kiosk account. This account is extremely limited and
restricted. In addition, you will probably want to implement device restrictions, such
as disabling the camera and disabling the power button.

There is no reason to join the laptop to the Verigon.com domain. This action would
decrease security.

There is no requirement to configure Windows Spotlight on the lock screen, although
you may want to. Windows Spotlight displays a new image on the lock screen every
day. It is unlikely that the lock screen would be displayed in this scenario.

You do not need to change the default sign-in options. By default, on a standalone
device, the last-signed-in user will be signed in automatically and the special app will
be launched automatically upon restart. (The kiosk account will need to be the last
signed-in user.)

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Set up a single-app kiosk on Windows - Configure Windows | Microsoft Learn

Prepare a device for kiosk configuration on Windows 10/11 - Configure Windows | Microsoft Learn

Question 3:
The following Windows 10 computers are being transferred from a sister company
to your office:

You need to decide which feature of Windows 10 can be used on the computers
without a PIN. Which of the following is TRUE? (Choose all that apply.)

A) WKS11 can support BitLocker and Hello.

(Correct)

B) WKS10 can support BitLocker and Hello.

C) WKS11 can support virtual smart cards (VSCs) and Miracast.

D) WKS12 can support virtual smart cards (VSCs) and Hello.

E) WKS12 can support BitLocker and Miracast.

F) WKS10 can support virtual smart cards (VSCs) and Miracast.


G) WKS13 can support BitLocker and Miracast.

H) WKS13 can support virtual smart cards (VSCs) and Hello.


Explanation
The following statements are TRUE:
• WKS11 can support BitLocker and Hello
• WKS12 can support BitLocker and Miracast

Virtual smart cards (VSCs) are similar to physical smart cards in that they use two-
factor authentication. Virtual smart cards are created in the Trusted Platform
Module (TPM) chip, version 1.2 or greater, that is inside a computer. The keys used
by the virtual smart card for authentication are stored in cryptographically secured
hardware within the TPM. Only WKS10 and WKS13 support virtual smart cards
because they are the only computers that have a TPM chip.

Miracast allows you to project your screen to a TV or to another device that has a
wireless display (WiDi) receiver. Your computer must have WiDi support to use
Miracast. Only WKS11 and WKS12 support Miracast.

Hello is a feature of Windows 10 that allows a user to authenticate with her face, iris,
or fingerprint. You will need a fingerprint reader to authenticate using a fingerprint.
You will need an infrared (IR) camera to support facial or iris recognition. You can
also use a PIN with Hello. Only WKS11 supports Hello because it has an infrared
camera.

BitLocker is a drive encryption technology that comes with Windows 8 and higher.
You can enable BitLocker on the operating system drive in a Windows 10 computer if
the computer does not have a TPM chip. You can use a USB flash drive so it can
contain the BitLocker startup key for the computer. A computer with a TPM chip
version 1.2 or greater can use the system integrity verification that BitLocker can
also provide, while a computer without a TPM chip will not. All of the computers in
this scenario can support BitLocker.

Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment

References:

Virtual Smart Card Overview - Windows Security | Microsoft Learn


BitLocker FAQ (Windows 10) - Windows Security | Microsoft Learn

Screen mirroring and projecting to your PC - Microsoft Support

How to set up multiple monitors on Windows 11 | Windows Central

Fix connections to wireless displays or docks in Windows - Microsoft Support

Windows Hello | Microsoft Learn

Use BitLocker Drive Encryption Tools to manage BitLocker - Windows Security | Microsoft Learn

Question 4:
You plan to implement Microsoft Defender for Endpoint to detect and investigate
threats. You want to be able to use the following features of Microsoft Defender for
Endpoint:
• Attack surface reduction
• Identify attacker tools, techniques, and procedures
• Generate alerts when attackers are observed.

Which of the following licensing, hardware, and software requirements are required
to onboard devices to Microsoft Defender for Endpoint? Choose all that apply.

A) Access to Defender for Endpoint is supported through the Safari browser

B) Requires a Windows 10 Enterprise E5 license

(Correct)

C) Access to Defender for Endpoint is supported through the Microsoft Explorer browser

D) Access to Defender for Endpoint is supported through the Microsoft
Edge browser

(Correct)

E) Access to Defender for Endpoint is supported through the Chrome browser

(Correct)

F) Eligible licensed users may use Microsoft Defender for Endpoint on up to 10 concurrent devices

G) Requires a Windows 10 Education A5 license

(Correct)

H) Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices

(Correct)

Explanation
Microsoft Defender for Endpoint is supported on a Windows 10 Enterprise E5 and
Windows 10 Enterprise A5 license. It is also supported on the following licenses:
• Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
• Microsoft 365 A5 (M365 A5)
• Microsoft 365 E5 Security
• Microsoft 365 A5 Security
• Microsoft Defender for Endpoint

Any licensed user can use Microsoft Defender for Endpoint on up to five concurrent
devices, not 10 concurrent devices.

Access to Defender for Endpoint is supported through the Google Chrome browser
and Microsoft Edge browser. Access to Defender for Endpoint is not supported
through the Safari browser or Internet Explorer. Microsoft will no longer support
Internet Explorer after 6/15/2022.
Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Minimum requirements for Microsoft Defender for Endpoint | Microsoft Learn

Question 5:
You are a system administrator for Nutex, Inc. They have an Active Directory
domain called nutex.com and an Azure AD subscription. There are 10,000 devices,
and all devices are enrolled in Microsoft Intune.

The following devices have been returned by employees. You need to wipe the
devices. However, you want to retain the enrollment state and user account data
while wiping the devices.

Which of the following devices can be wiped while also retaining the enrollment
state and user account data? (Choose all that apply.)

A) DevicePC3

(Correct)

B) DevicePC2

C) DevicePC1

D) DevicePC4

(Correct)

Explanation
In the given scenario, you can retain the enrollment state and user account data for
devices DevicePC3 and DevicePC4. The Retain enrollment state and user
account option is only available for devices with Windows 10 version 1709 or later.

DevicePC1 and DevicePC2 will not be able to retain the enrollment state and user
account data because the Windows operating system is earlier than Windows 10
version 1709.

The wipe feature restores the device to default factory settings. You can choose to
keep user data if you select the Retain enrollment state and user account checkbox
and the device’s operating system supports the option. If you do not, all data, apps, and
settings will be removed from the device. If Retain enrollment state and user
account is unchecked, the wipe action will remove the device from Intune
management and remove all account information, data, MDM policies, and settings.
This will reset the operating system to the default state and settings.

When Retain enrollment state and user account is checked, the wipe action will
remove all MDM policies while retaining user accounts and data. User settings will
be reset to the default, and the operating system will be reset to the default state and
settings.

To wipe a device, you would follow these steps:

1. Log in to Microsoft Endpoint Manager admin center.
2. Select Devices > All devices.
3. Select the name of the device you want to wipe.
4. In the pane that shows the device name, select Wipe.
5. On devices running Windows 10 version 1709 or later, the Wipe device, but
keep enrollment state and associated user account option is also available.
6. The Wipe device, and continue to wipe even if device loses power option
makes sure that the wipe action cannot be avoided by rebooting or shutting
down the device. This option will keep trying to reset the device until it is
successful.
7. To confirm the wipe, select Yes.

Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune

References:

Retire or wipe devices using Microsoft Intune | Microsoft Learn

Question 6:
Your company's network consists of Windows 10, Windows 11, Windows Server
2019, and Windows Server 2022 computers. Several of the Windows 10 computers
are used as kiosks by guests and are connected to an isolated network segment,
which is the only network that these computers can access. The network segment is
named Network2 and is configured as a public network.

Recently you have noticed that users are changing the network location type on
these computers to Private network. You must ensure that this network is always
configured as a public network and prevent users from changing the location type.

You decide to implement a Group Policy. On one of the kiosk computers, you open
the Computer Configuration / Policies / Windows Settings / Security Settings /
Network List Manager Policies section in the local security policy.

What should you configure? Click the image to select the correct option. (More than
one option can be selected.)

A) 134,199,29,179

B) 188,319,28,302

(Correct)

C) 135,221,20,203

(Correct)

D) 133,176,31,155

E) 142,274,27,257

F) 186,297,30,278
Explanation
You should open the Network1 policy. On the Network Location tab, select
the Public location type setting and the User cannot change location setting, and
click Apply. This will ensure that Network1 is always configured as a public network
and that users cannot change the location type. An example of the Network
Location tab is shown in the following exhibit:

You can also configure the network name and prevent users from changing the
name on the Network Name tab, as shown in the following exhibit:
Finally, you can configure the icon settings on the Network Icon tab, as shown in the
following exhibit:
You should not open the Unidentified Networks policy, select the Public Location
Type setting and the User cannot change location setting, and click Apply. This
would configure the default settings for any unidentified networks on the Windows
10 computer. The Unidentified Networks policy is shown in the following exhibit:
You should not open the Identifying Networks policy, select the Public Location
Type setting, and click Apply. This will configure the temporary settings for any
networks that are identified on the Windows 10 computer. The Identifying
Networks policy is shown in the following exhibit:
You should not open the All Networks policy, select the User cannot change
location setting, and click Apply. The All Networks policy is shown in the following
exhibit:
This can be used to allow users to change the network name, network location, and
network icon for all currently configured networks on a Windows 10 computer. This
policy affects all the networks on the computer.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Network List Manager policies - Windows Security | Microsoft Learn

Network List Manager Policies | Microsoft Learn

Windows 8 Private Network | Also Public Network Settings (computerperformance.co.uk)

Question 7:
You are a system administrator for Nutex Inc. Your organization has an on-
premises and Azure AD environment. Employees use Android Enterprise and iOS
devices to access the on-premises resources.

You plan to configure Microsoft Tunnel for Intune. You have installed Red Hat
(RHEL) 8.4 on the on-premises server and have reviewed and configured the
prerequisites for Microsoft Tunnel.

What should you do next?

A) Create a server configuration.

B) Run the Microsoft Tunnel readiness tool.

(Correct)

C) Install Microsoft Tunnel Gateway.

D) Create a site configuration.


Explanation
Your next step would be to run the Microsoft Tunnel readiness tool on a Linux server.
Microsoft recommends that you download and use the most recent version of
the mst-readiness tool. This tool includes the following actions:
• Validates that the Azure AD account being used for the installation has the
required roles.
• Checks and confirms that the network configuration allows Microsoft Tunnel
to access all the required endpoints.
• Checks and confirms the ip_tables module on the Linux server.

After running the Microsoft Tunnel readiness tool, you would create the server
configuration. You can create a server configuration once and then use it for multiple
servers. Configuration parameters include the IP address range, DNS servers, and
split-tunnelling rules. You can create the server configuration from the Microsoft
Intune admin center.

After creating the server configuration, you would create the site configuration. Sites
are logical groupings of servers that host Microsoft Tunnel. You would assign a
server configuration to each site you create. You can create the site configuration
from the Microsoft Intune admin center.

After creating the site configuration, you would install Microsoft Tunnel Gateway.
You can use the script available for download from the Microsoft Intune admin
center to install Microsoft Tunnel Gateway (as shown in the exhibit).

You would run the script as root on the server. When the script is started, it
downloads the images from Microsoft Tunnel Gateway container images in the
Intune service and creates the required files and folders on the server. You would
complete the required steps that the script will prompt for while it is running the
setup.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Microsoft Learn > Microsoft Intune > Intune service > Microsoft Tunnel for Microsoft
Intune
Microsoft Learn > Microsoft Intune > Intune service > Prerequisites for the Microsoft
Tunnel in Intune

Microsoft Learn > Microsoft Intune > Intune service > Configure Microsoft Tunnel for
Intune

Question 8:
You are an enterprise admin for the Verigon Corporation. Your company recently
received a shipment of new desktop computers that will be distributed to all your
offices onsite. The machines are preloaded with the latest version of Windows 10
Professional Edition and have not yet been configured. You want to bulk enroll
them in your MDM solution.

Which of the following options will accomplish this objective?

A) Create a configuration profile using Microsoft Endpoint Manager.

B) Create a group policy that will trigger MDM auto-enrollment.

C) Create a provisioning package with the Windows Configuration Designer app.

(Correct)

D) Create an MDM enrollment profile using Microsoft Configuration Manager.

Explanation
You would choose to create a provisioning package with the Windows Configuration
Designer (WCD) app. This will enable you to configure the machines to join an Azure
AD tenant and enroll in Microsoft Endpoint Manager.
While you can create a GPO using Group Policy to trigger MDM auto-enrollment for
domain-joined machines, these computers are new and are not domain joined.
Therefore, they cannot be managed by Group Policy.

You would not choose to create a configuration profile using Microsoft Endpoint
Manager. You cannot create a configuration profile for these machines because they
have not yet been MDM enrolled.

You would not choose to create an MDM enrollment profile using Microsoft
Configuration Manager because the devices have not yet been MDM enrolled.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Bulk enrollment for Windows devices - Microsoft Intune | Microsoft Learn

Question 9:
After implementing an Application Protection Policy in Microsoft Intune, you
discover that there are a few iOS users who are still able to violate the policy by
saving sensitive corporate documents to their personal devices using Microsoft
Office Apps on iOS. You have selected the correct apps and settings for your policy
and assigned the correct groups to include. You verify that the users in question
are part of the correct groups as specified in the policy assignments.

What else could you do to ensure the Application Protection Policy is properly
being applied?

A) Turn on Multi-Factor Authentication to validate the offending users


B) Use the Intune App Wrapping Tool to ensure the Application is
enforceable

C) Make sure the users have been assigned Microsoft Intune licenses

(Correct)

D) Assign certificates to the users’ iOS devices


Explanation
You should make sure that the users have been assigned Microsoft Intune licenses.
Any users in the groups selected for policy assignment who have a valid Microsoft
Intune license assigned will be restricted by the policy, but if they do not have a valid
license assigned then the policy will not apply to them.

You should not assign certificates to the users’ iOS devices. Certificate assignment
would only be necessary to grant users protected connections through a VPN,
authenticated Wi-Fi, or protected email profiles. This is not necessary for the current
situation.

You should not use the Intune App Wrapping Tool to ensure that the Application is
enforceable. This tool is used mostly on internally developed Line-of-Business apps
that you want to be managed by Intune policies. Apps that already support Intune
management (such as MS Office apps) do not need this step.

You should not turn on Multi-Factor Authentication (MFA) to validate the offending
users. MFA will certainly bring more security in authentication by forcing the user to
provide more than just their username/password, but it will not resolve the problem
as specified.

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Create and deploy app protection policies - Microsoft Intune | Microsoft Learn
Learn about the types of certificate that are supported by Microsoft Intune |
Microsoft Learn

Prepare apps for mobile application management with Microsoft Intune | Microsoft
Learn

Question 10:
You are a system administrator for your organization. They have an Azure AD
environment. All workstations in your organization are running the Windows 11
operating system and joined to Azure AD, and all devices are registered with
Microsoft Intune.

You are configuring a compliance policy to protect your organization’s resources
from devices that are non-compliant with your organization’s security policies. You
have created a notification message template that will be used to send an email to
users when their device is non-compliant.

While configuring a compliance policy, which of the following Actions of
noncompliance should you configure to remove all company data from the device
and remove the device from Intune management?

A) Send push notification to end user

B) Send email to users

C) Retire the noncompliant device

(Correct)

D) Remotely lock the noncompliant device


Explanation
In the given scenario, you should configure Actions of noncompliance and select
your Action to “Retire the noncompliant device”. Then you would enter 0 days under
Configure a Schedule for the grace period.

To add Actions of noncompliance, you should follow these steps:

1. Log in to Microsoft Endpoint Manager admin center.
2. Select Devices > Compliance policies > Policies, choose one of your policies,
and then select Properties.
3. Select Actions for noncompliance > Add.
4. Select your Action: Retire the noncompliant device. Selecting this option will
remove all company data from the device and remove the device from
Microsoft Intune management.
5. Configure a Schedule: Enter the number of days (0 to 365) after
noncompliance to trigger the action on the users' devices.
6. When finished, select Add > OK to save your changes.

Selecting the Action to “Send email to users” will not work in the given scenario. This
option will only send a notification email when the device is non-compliant. It can be
configured with other Actions of noncompliance. Configuring this option alone will
not ensure company data is removed from the device and the device is removed
from Intune management.

Selecting the Action to “Remotely lock the noncompliant device” will not work in the
given scenario. This option will only lock the device when the device is non-
compliant. It can be configured with other Actions of noncompliance. Configuring
this option alone will not ensure company data is removed from the device and the
device is removed from the Intune management.

Selecting the Action to “Send push notification to end user” will not work in the given
scenario. This option will send a notification about non-compliance to a device
through the company portal app or Intune app on the device. This option can be
configured with other Actions of noncompliance. Configuring this option alone will
not ensure company data is removed from the device and the device is removed
from Intune management.

Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:
Configure compliance policies with actions for noncompliance in Microsoft Intune |
Microsoft Learn

Question 11:
You are a system administrator for Verigon Inc. Your organization has acquired the
Nutex Corporation, which has 10,000 Windows 10 devices. Most of the Nutex
employees work from home.

You are planning to upgrade all Windows 10 devices to Windows 11. You have been
tasked with establishing requirements and determining which Windows 11 editions
will suit the existing devices. You are investigating the Windows 11 Home and Pro
editions.

Which of the following features is NOT supported by Windows 11 Home Edition?

A) Secure boot

B) Firewall and network protection

C) BitLocker device encryption

(Correct)

D) Windows Security
Explanation
Windows 11 Home Edition does not support the BitLocker device encryption feature.
BitLocker encrypts your device and secures your information. If you misplace your
device or it is stolen, BitLocker will lock everything, and unauthorized individuals will
not be able to access your system or data. This feature requires Trusted Platform
Module (TPM) 2.0 or later.

The following features are supported by both Windows 11 Home and Pro Editions.
• Device encryption – Helps protect the device by encrypting your data.
• Find my device – Helps in locating your device or digital pen.
• Firewall and network protection – Protects your device against viruses,
malware, and ransomware.
• Internet protection – Secures your device against malicious apps, files,
websites, and downloads.
• Parental controls and protection – Helps you limit access to adult content,
limit screen time, and control online purchases when connecting your family
Microsoft accounts.
• Secure boot – Protects your device from malicious apps and unauthorized
operating system services loading when the device starts.
• Windows Hello – Provides passwordless authentication and uses facial
recognition, fingerprint, or a PIN for a secure, password-free login method.
This feature only works with compatible Windows devices.
• Windows Security – Helps you view and manage device health and security.

Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment

References:

Compare Windows 11 Versions: Home & Pro vs. Windows 10 | Microsoft

Question 12:
You have recently joined the Nutex Corporation as the Security Administrator.
Nutex is a growing company in the e-commerce sector. They are planning to start
offices in multiple geographical locations. The IT team at Nutex is planning the
implementation of Azure AD and Intune to manage the core infrastructure and
Windows 11 endpoints. You are tasked with coming up with secure practices for
managing endpoints. You plan to implement Local Administrator Password
Solution (LAPS).

Which of the following statements about LAPS are TRUE? (Choose two.)

A) With LAPS, the maximum password age is always set to 30 days.

B) LAPS policy works only for endpoints with an existing administrator account.

C) LAPS policy can be configured with the reset administrator password if the local administrator account authenticates on an endpoint.

(Correct)

D) Local administrator account passwords protected with LAPS are tamperproof.

(Correct)

Explanation
The following statements are true:
• Local administrator account passwords protected with LAPS are
tamperproof.
• LAPS policy can be configured with the reset administrator password if the
local administrator account authenticates on an endpoint.

Local administrator account passwords protected with LAPS are tamperproof. Local
Administrator Password Solution (LAPS) is a Microsoft solution for the potential
security issues related to using a common local account with an identical password
on every computer in a domain. LAPS generates different, random passwords for the
common local administrator account on the endpoints in the domain. For situations
where support is needed on endpoints using the administrator account, the domain
administrator can grant access to authorized helpdesk technicians to read the
password from Azure AD and log in to the administrator account. LAPS is designed
to be tamperproof and completely managed from Azure AD, without any ability to
change the password locally. Such attempts are logged, and you can see them in
Event Viewer.

LAPS policy can be configured with the reset administrator password if the local
administrator account was actively used on an endpoint. You can do this using the
PostAuthenticationResetDelay and PostAuthenticationActions settings. Use the
PostAuthenticationResetDelay setting to set a specific time to wait after an
authentication before executing the specified post-authentication actions. Use the
PostAuthenticationActions setting to specify one of the following actions after the
wait time: Reset password, Reset password and log off, or Reset password and
reboot.

LAPS not only works for endpoints with an existing administrator account, but you
can also specify a new local administrator account for which the LAPS policy must
apply when pushing the policy. Use the AdministratorAccountName setting to
specify the account name. However, the account must be created on the endpoint
before pushing the LAPS policy.

The maximum password age is configurable with LAPS, as in Windows AD or Azure
AD. You can set the maximum password age using the PasswordAgeDays setting
from anywhere between 1 to 365 days. If you choose Azure AD as the Backup
directory, the minimum value is seven days. If you choose Windows AD, it is one day.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:

LAPS CSP - Windows Client Management | Microsoft Learn

Key concepts in Windows LAPS | Microsoft Learn

Use Windows LAPS event logs | Microsoft Learn

Question 13:
You have recently joined the Nutex Corporation as the Windows Client
Administrator. Nutex is a growing company in the e-commerce sector. All
employees use Windows 10 endpoints. You are tasked with identifying a suitable
Microsoft service for remotely managing and troubleshooting issues on the
endpoints. You plan to use Windows Admin Center for this.

Which of the following statements about Windows Admin Center are TRUE?
(Choose two.)

A) Microsoft recommends using Windows Admin Center for local management of the same server on which it is installed.

B) Shared Connections can be configured to allow all gateway users to manage all endpoints.

(Correct)

C) Only Windows 10 and 11 endpoints can be managed from Windows Admin Center.

D) In Windows Admin Center, extensions can be made available only at the level of a gateway.

(Correct)

Explanation
The following statements are true:
• In Windows Admin Center, extensions can be made available only at the level
of a gateway.
• Shared Connections can be configured to allow all gateway users to manage
all endpoints.

Windows Admin Center is an extensible platform that allows you to integrate with
other IT administration products and solutions seamlessly. It contains Solution and
Tool extensions built using modern web technologies, including HTML5, CSS,
Angular, TypeScript, and jQuery, and can manage target servers via PowerShell or
WMI. Extensions are a gateway-level setting that the Gateway Administrator must
enable for the gateway users.

Shared Connections can be configured to allow all gateway users to manage all
endpoints. Gateway users are IT team members who manage endpoints remotely
and have been assigned access to the Windows Admin Center service by a Gateway
Administrator. The Gateway Administrator must add the endpoints that must be
managed to Windows Admin Center. Adding all the endpoints using the Shared
Connections feature automatically authorizes all Gateway users’ access to the
endpoints. You can also add a specific set of high-priority endpoints as Shared
connections to make remote support available.

Machines running Windows 11, Windows 10, Windows Server Semi-Annual Channel,
Windows Server 2019, Windows Server 2016, Microsoft Hyper-V Server 2016,
Windows Server 2012 R2, Microsoft Hyper-V Server 2012 R2, and Windows Server
2012 can be managed from Windows Admin Center. You can also manage Arc-
enabled servers, Azure Stack HCI cluster nodes, and Azure VMs.

Microsoft does not recommend using Windows Admin Center for local management
of the same server on which it is installed. You can use Windows Admin Center to
connect to a server remotely from a management PC or other computer to manage
the server. The Windows Admin Center client does not need to be installed on the
endpoints that must be managed. Windows Admin Center is a browser-based app
for managing Windows servers, clusters, hyper-converged infrastructure, and
Windows 10/11 endpoints. To manage endpoints, you would install Windows Admin
Center on a Windows endpoint or Windows server acting as a gateway server, and
remotely connect to the endpoints.

Objective:
Deploy Windows client

Sub-Objective:
Configure remote management

References:

What type of installation is right for you | Microsoft Learn

Extensions for Windows Admin Center | Microsoft Learn

Configure shared connections for all users of the Windows Admin Center gateway |
Microsoft Learn

Question 14:
You are planning to implement Microsoft Intune to ensure protection of sensitive
corporate materials on unmanaged user devices. As part of your plan you decide to
create security groups in Azure Active Directory to aid in assigning appropriate
protections.

What next steps should be part of the plan to ensure that Nutex Corporation’s
documents are properly secured when using applications on user devices? (Choose
three.)


A) Enable device platforms

B) Assign Intune and Office 365 user licenses appropriately

(Correct)

C) Create and assign certificates to user devices

D) Create and assign App Protection Policies

(Correct)

E) Require device enrollment

F) Add and deploy apps to Intune

(Correct)

Explanation
Your plan should include the following:
• Assign Intune and Office 365 user licenses appropriately
• Add and deploy apps to Intune
• Create and assign App Protection Policies

Intune and Office 365 user licenses must be assigned appropriately. If an
appropriate license is not assigned to a user, Intune cannot manage that user.

The apps must be added and identified to Intune so that Intune can manage
application capabilities.

App Protection Policies should be created and assigned. App Protection Policies are
the part that makes Mobile Application Management work. The devices do not have
to be managed as long as the App Protection Policies are created and appropriately
assigned.

Your plan does not require device enrollment. Device Enrollment is necessary for
using Intune in a Mobile Device Management (MDM) environment but not for Mobile
Application Management (MAM) as described in our scenario.

Your plan does not need to include creating and assigning certificates to user
devices. Certificates ensure protected connections over VPN, Wi-Fi, and more secure
Email profiles. This, however, is not necessary in our specified scenario.

Your plan does not need to enable device platforms. Device platforms do not need to
be enabled for MAM. In an MDM environment this would be required, especially if
preparing for iOS or MacOS devices.

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Migration guide to Microsoft Intune | Microsoft Learn

Technology decisions for BYOD with EMS | Microsoft Learn

Question 15:
Your network contains an Active Directory domain named nutex.com that is synced
to Microsoft Azure Active Directory (Azure AD).

You have a Microsoft 365 subscription. You have devices that run Android, iOS, and
Windows. Devices can connect either in the office or remotely. You want to have a
conditional access policy to enforce Microsoft Cloud App Security session control
when Android, iOS, or Windows devices are unmanaged and not joined to Azure AD.

Which settings should you configure in a conditional access policy?

A) Device Platform

B) Filter for device

(Correct)

C) User and groups

D) Locations

Explanation
You should choose Filter for device. The Filter for device condition replaces the
deprecated Device state condition. The Filter for device condition is more granular
than the Device state condition and can exclude hybrid Azure AD-joined devices
from a conditional access policy. It can also mark a device as compliant in a
conditional access policy. Like Device state before it, it can be used to apply a
conditional access policy to unmanaged devices to enforce Microsoft Cloud App
Security session control when a device is unmanaged.

You should not choose Device Platform in a conditional access policy. Device
Platform allows you to include or exclude specific device platforms. In this scenario,
all platforms are included. There is no need to exclude any.

You should not choose Locations in the conditional access policy. By default, all
locations are included in the conditional access policy.

You should not choose Users and Groups. This condition is used to include or
exclude guest users, directory roles, or a specific group of users.

Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

Conditions in Conditional Access policy - Azure Active Directory - Microsoft Entra |
Microsoft Learn

Question 16:
You are the cybersecurity admin for the Nutex Corporation.

You want to secure corporate data on your endpoint MDM-enrolled client devices
and prevent users from copying and pasting corporate data when using
applications in order to prevent data leakage.

Which of the following options will achieve this objective using Microsoft Endpoint
Manager?

A) Create an app protection policy.

(Correct)

B) Create a Windows 10 compliance policy that requires BitLocker
encryption.

C) Create an Endpoint Security profile that enables full disk encryption.

D) Create an app configuration policy.

Explanation
You would choose to create an app protection policy. You can prevent app data
leakage by creating an app protection policy for enterprise-enhanced data
protection. Mobile Application Management (MAM) app protection policies protect
data within an application and allow you to manage that data. An app protection
policy (APP) can be a rule that is enforced when corporate data is moved or accessed
by the user. You could have an APP that prohibits a set of actions when a user is
inside an app. Once an APP has been applied to an application, it can be managed in
Intune.

You would not choose to create an app configuration policy. App configuration
policies are used to deploy desired application settings and cannot prevent app data
leakage.

You would not choose to create a Windows 10 compliance policy that requires
BitLocker encryption. While BitLocker can protect data at rest, it cannot prevent app
data leakage.

You would not choose to create an Endpoint Security profile that enables full disk
encryption. While enabling full disk encryption can protect data at rest, it does not
prevent app data leakage.

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Create and deploy app protection policies - Microsoft Intune | Microsoft Learn

Question 17:
You plan to implement Windows Hello with devices that run Windows 10.

What hardware requirements must the devices meet?

A) HD webcam

B) Near-infrared camera

(Correct)

C) Night vision camera

D) High contrast camera

Explanation
The devices must have a near-infrared camera. Near infrared (IR) is used by
Windows Hello to identify the user who is attempting to authenticate.

Windows Hello cannot be used with night vision, high contrast, or HD webcams
because, unlike a near-IR camera, they do not provide a consistent image regardless
of the ambient lighting conditions in the room.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:

Windows Hello for Business Deployment Prerequisite Overview - Windows Security |
Microsoft Learn

Windows Hello face authentication | Microsoft Learn

Question 18:
Nutex Corporation uses Microsoft Intune as its mobile device management
solution. All devices are enrolled using the Hybrid AD Join method. You have been
asked to provide regular reports on the health of these devices.

What products can give you this information? (Choose all that apply.)

A) Microsoft Endpoint Manager

(Correct)

B) Azure Monitor Log Analytics

(Correct)

C) Windows Security Center

(Correct)

D) Windows Autopilot

E) System Center Configuration Manager

Explanation
You should choose the following:
• Windows Security Center
• Microsoft Endpoint Manager
• Azure Monitor Log Analytics

Windows Security Center offers device health information and would work in this
scenario. To view it, open Windows Security and choose Device performance &
health. However, a cloud-based solution would be a better choice.

Windows compatibility reports in the Microsoft Endpoint Manager admin center can
report on devices that crash frequently and identify drivers that are causing those
crashes.

Azure Monitor Log Analytics can provide information on device health. It depends on
the Microsoft Monitoring Agent Service to collect information and provide it to Azure
Monitor.

System Center Configuration Manager is not a health reporting tool by itself. It is a
device management tool.

Windows Autopilot does not monitor device health. It is used for the deployment of
new devices.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Monitor devices

References:

Desktop Analytics - Configuration Manager | Microsoft Learn

Log Analytics agent overview - Azure Monitor | Microsoft Learn

Fundamentals of managing devices - Configuration Manager | Microsoft Learn

Question 19:
You are the remote desktop administrator for the nutex.com domain. You have
several RemoteApps that users need to run on their mobile devices.

Which of the following are TRUE regarding remote desktop clients?

A) You must run at least the iOS 6.x operating system on an iPad to run the
remote desktop client.

(Correct)

B) You must run at least the iOS 5.x operating system on an iPad to run the
remote desktop client.


C) You must run at least Android 4.1.x (Jelly Bean) operating system on an
Android device to run the remote desktop client.

(Correct)

D) You must run at least the iOS 4.x operating system on an iPad to run the
remote desktop client.

E) You must run at least the Android 2.3.7 (Gingerbread) operating system
on an Android device to run the remote desktop client.

F) You must run at least Android 4.0.4 (Ice Cream Sandwich) operating
system on an Android device to run the remote desktop client.

G) You must run at least Android 3.2.6 (Honeycomb) operating system on
an Android device to run the remote desktop client.

Explanation
The Remote Desktop client can be used on Android devices, iOS devices, Windows
phones, and Windows clients. You must run at least the iOS 6.x operating system on
an iPad or any iOS device to run the Remote Desktop client. You must run at least
Android 4.1.x (Jelly Bean) operating system on an Android device to run the Remote
Desktop client.

All other answers are incorrect.

Objective:
Deploy Windows client

Sub-Objective:
Configure remote management

References:

Remote Desktop clients for Remote Desktop Services and remote PCs - Windows
Server | Microsoft Learn

Get started with the Android client | Microsoft Learn

Question 20:
You are the enterprise admin for the Verigon Corporation. The company has an
Employee Choice program that allows employees to choose their own company
device. All devices are then enrolled in Microsoft Endpoint Manager. You want to
create a policy that will enforce a minimum OS version for both iOS and Windows
10 devices.

Which of the following will allow you to achieve this objective using Microsoft
Endpoint Manager?

A) Create a device configuration profile.

B) Create a conditional access policy.

C) Deploy a security baseline.

D) Create a device compliance policy.

(Correct)

Explanation
You would choose to create a device compliance policy. Device compliance policies
set the conditions by which devices and users are allowed to access the company’s
network and resources as long as they meet compliance. One such requirement can
be a minimum version for designated operating systems.

You would not choose to deploy a security baseline. Security baselines in Intune are
settings that are pre-configured and represent best practice recommendations from
the relevant Microsoft security teams for the product. They do not involve minimum
operating system requirements.

You would not choose to create a device configuration profile. Device configuration
profiles are used to deploy desired settings to client machines and users. They
cannot enforce a minimum operating system version.

You would not choose to create a conditional access policy. Conditional access
policies are used to enforce which devices and apps can access your corporate
resources. They cannot enforce a minimum operating system version.

Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

Manage endpoint security in Microsoft Intune | Microsoft Learn

Question 21:
You are a system administrator for Verigon Inc. Your organization has an Azure
environment and has procured a Microsoft Intune subscription. All Windows 11
devices are registered with Microsoft Intune. You want users enrolling their
Windows devices and signing in for the first time to see their provisioning status on
the Enrollment Status Page (ESP). The enrollment should meet the following
requirements:
• Users should see a custom error message specific to your organization when
they encounter enrollment errors.
• Users should not be able to use their devices until all required apps are
successfully installed.

What should you do FIRST to deploy the ESP on the devices?

A) Install the Intune Connector for Azure AD on the Windows 11 machines.

B) Create an ESP profile in Microsoft Intune.

(Correct)

C) Create an Autopilot deployment profile.

D) Create an Autodiscover service connection point (SCP) in Microsoft
Intune.

Explanation
To deploy the Enrollment Status Page (ESP) on the Windows 11 devices, you need to
create an ESP profile in Microsoft Intune.

The ESP displays the provisioning status to users enrolling their Windows devices
and signing in for the first time. This helps users view their progress in the setup
process. You can also configure the ESP to block the device from being used until all
the mandatory policies have been applied and applications installed.

To create a new ESP profile, log in to the Microsoft Intune admin center and
select Devices. Choose Windows > Windows enrollment > Enrollment Status
Page and click Create.

Next, navigate to Settings, and configure the following required settings:

• Set Show app and profile configuration progress to Yes.
• Retain the default setting of 60 for Show an error when installation takes
longer than specified number of minutes.
• Set Show custom message when time limit or error occurs to Yes.
• Set Turn on log collection and diagnostics page for end users to Yes.
• Set Only show page to devices provisioned by out-of-box experience (OOBE) to
Yes or No, as appropriate for your deployment.
• Set Block device use until all apps and profiles are installed to Yes.
• Set Allow users to reset device if installation error occurs to No.
• Set Allow users to use device if installation error occurs to No.
• Set Block device use until required apps are installed if they are assigned to
the user/device to All.

Click Next. Navigate to Assignments and select the groups to receive the profile.
Review your settings in Review + Create and then click Create.

Creating an Autodiscover service connection point (SCP) in Microsoft Intune is not
the first thing you would do to deploy the ESP on the devices. Autodiscover SCPs are
not created in Intune. A service connection point (SCP) object in Active Directory
provides a way for domain-joined clients to find Autodiscover servers. Intune does
not use an SCP.

Installing the Intune Connector for Azure AD on the Windows 11 machines is not the
first thing you would do to deploy the ESP on the devices. Using the Intune
Connector creates autopilot-enrolled computers in the on-premises domain. It does
not allow you to see their provisioning status on the Enrollment Status Page (ESP).

While joining devices to a domain using Windows Autopilot, you would follow these
steps:

• Register the device with Windows Autopilot.
• Make an Autopilot deployment profile.
• Specify Hybrid Azure AD as the method.
• Install the Intune Connector for Azure AD on the Windows 11 computer.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Set up the Enrollment Status Page in the admin center - Microsoft Intune | Microsoft Learn

Enrollment for hybrid Azure AD-joined devices - Windows Autopilot | Microsoft Learn

Manually register devices with Windows Autopilot | Microsoft Learn

Question 22:
Employees at Verigon Corporation use company-provided Windows 10 laptops that
are managed with Intune. Verigon has decided to allow some employees to use
their personal iPhones to access company email.

What steps will be part of the process to allow users to enroll their personal
devices? (Choose all that apply.)

A) Create a CSV file with a list of devices to add

B) Get an Apple MDM Push certificate

(Correct)

C) Have users install the Intune Company Portal application on their iOS
devices

(Correct)

D) Have users install the Lookout for Work application on their iOS devices

E) Add a device enrollment manager account to Intune

Explanation
You will need to get an Apple MDM Push certificate. This is required for Intune to
manage iOS devices. You will start this process in the Azure Portal, under Device
Enrollment > Apple Enrollment > Apple MDM Push Certificate.

You will need to have users install the Intune Company Portal application on their
iOS devices. After you complete the prerequisites and assign user licenses, they can
download the app from the App Store and follow the instructions.

You do not need to create a CSV file with a list of devices to add. This action would
be a part of using Windows Autopilot to enroll company devices in Intune, but is not
relevant here.

You do not need to have users install the Lookout for Work application on their iOS
devices. Lookout for Work is one of several MDM Mobile Threat Defense
applications that you may choose to implement, but they are not part of enrollment.

You do not need to add a device enrollment manager account to Intune. Adding a
user as a device enrollment manager account would allow the user to enroll up to
1000 devices. The scenario is about self-enrollment.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

What is device enrollment | Microsoft Learn

iOS/iPadOS device enrollment guide for Microsoft Intune | Microsoft Learn

Question 23:
The Sales department at Nutex is planning for a deployment of the newest
Microsoft 365 Apps release. They currently use Excel workbooks and Word
documents that have some fairly intense macros built into them for their day-to-
day work. You decide to use the Readiness Toolkit for Microsoft 365 Apps add-ins
and VBA utility to prepare for this deployment. On a specific user’s computer, you
execute the following command:

ReadinessReportCreator.exe -mru -output \\NutexServ\finance -silent

What will this command accomplish? (Choose all that apply. Each option is part of
the complete answer.)

A) This will fix deprecated/broken macro code or add-ins for compatibility
in the scanned files

B) This will scan the specified files for macros and make recommendations
to fix their compatibility

(Correct)

C) This will scan files in the folder \\NutexServ\finance

D) This will scan the specified files for add-ins and report on their possible
readiness status

E) This will scan files in the user’s Most Recently Used list

(Correct)

Explanation
When you execute the command ReadinessReportCreator.exe -mru -output
\\NutexServ\finance -silent, the Readiness Toolkit will scan files in the user's Most
Recently Used list and generate an Excel workbook as output, stored in
the \\NutexServ\finance folder, without sending any output back to the screen. The
benefit of allowing the Readiness Report Creator to only scan Office documents that
are in the user's most recently used files list is that it allows you to narrow the focus
of the scan to documents that the user accesses on a regular basis.

The command will only scan the specified files for MACROS and make
recommendations to fix their compatibility. It does not fix or repair code in VBA
macros. This command does not include the -addinscan option, which would be
required to scan and report on add-ins.

The command contains the parameter -output \\NutexServ\finance. The value of this
parameter is the output destination for the Excel workbook output. This command
will NOT scan the files in the folder \\NutexServ\finance but will use the folder as the
output destination.

This command will NOT fix deprecated/broken macro code or add-ins for
compatibility in the scanned files. It only recommends possible fixes and
compatibility statuses.

This command will NOT scan the specified files for add-ins and report on their
possible readiness status. You would need to add the -addinscan option to
accomplish this.

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Use the Readiness Toolkit to assess application compatibility for Microsoft 365 Apps - Deploy Office | Microsoft Learn

Question 24:
You are a system administrator for Verigon Inc. Your organization has an Azure
environment and has procured a Microsoft Intune subscription. All the devices are
enrolled in Microsoft Intune. You want to understand the following metrics:
• Average device startup time in seconds.
• Average sign-in time to the device in seconds.
• Top apps that have been reducing your score in the past 14 days.

Which of the following Adoption Score features should you use to analyze the
metrics?

A) Teamwork

B) Microsoft 365 Apps health

C) Endpoint analytics

(Correct)

D) Content collaboration

Explanation
In the given scenario, you would use Endpoint analytics to analyze the metrics. The
Adoption Score is your organization’s overall score on how they are using Microsoft
365 and provides metrics, insights, and recommended actions. It reflects people and
technology experience measurements, which can be compared against the
organization’s benchmarks.

The Endpoint analytics score averages the Startup performance score, Application
reliability score, and Work from anywhere score.

The Startup performance score is an average of the following parameters:

• Average device startup time in seconds.
• Average sign-in time in seconds.

The Application reliability score provides information on the top apps that are
reducing your score over the past 14 days. The information includes app name,
mean time to failure in hours, and active devices.

The Work from anywhere score represents a weighted average of the percent of
devices that have deployed insights for allowing users to work remotely or non-
remotely.

Microsoft provides metrics, insights, and recommended actions in two areas:

• People experiences – This shows metrics and insights on categories related
to people experiences, mostly in Microsoft 365 categories such as mobility,
communication, meetings, teamwork, and content collaboration.
• Technology experiences – Endpoint analytics and Microsoft 365 Apps Health
give you insight into the performance and health issues of your hardware and
software. Network connectivity gives you insight into the performance of
Exchange, SharePoint, and Microsoft Teams.

The Adoption Score can be enabled from the Microsoft 365 admin center after
logging in with a Global Administrator role.

You can view your organization’s total score and primary insights for each category
from the Adoption Score home page (refer to the exhibit).

• Content collaboration – people experiences
• Communication – people experiences
• Meetings – people experiences
• Mobility – people experiences
• Teamwork – people experiences
• Microsoft 365 Apps health – technology experiences
• Endpoint analytics – technology experiences
• Network connectivity – technology experiences

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Monitor devices

References:

Endpoint analytics page in Microsoft Adoption Score - Microsoft Intune | Microsoft
Learn

Microsoft Adoption Score - Microsoft 365 admin | Microsoft Learn

Question 25:
You are the administrator of the nutex.com domain. You want to set up a Windows
10 Pro computer in a workgroup to run as a single-app kiosk.
The NutexUser account is assigned to the kiosk. You want to ensure that
when NutexUser logs in, a single application is automatically launched.

Because this kiosk will reside in the building lobby, you must also ensure that a
person using the kiosk cannot do anything on the device except use the kiosk app.
Also, if the computer restarts due to a power problem, the NutexUser should log in
automatically and the device should launch the kiosk application.

What should you configure? (Choose all that apply.)

A) Go to Start > Settings > Accounts > Sign-in options and configure the
account to be used as the kiosk account.

B) Sign in as NutexUser, go to Settings > Accounts > Sign-in options, and
toggle the Use my sign-in info to automatically finish setting up my device
after an update or restart setting to ON.

(Correct)

C) Enable user account control (UAC).

(Correct)

D) Sign in as NutexUser, go to Settings > Accounts > Sign-in options, and
toggle the Use my sign-in info to automatically finish setting up my device
after an update or restart setting to OFF.

E) Disable user account control (UAC).

F) Go to Start > Settings > Accounts > Other users and configure the account
to be used as the kiosk account.

(Correct)

Explanation
For a Windows 10 computer to act as a kiosk, you must enable user account control
(UAC).

To ensure that the NutexUser account is logged in and the kiosk is automatically
launched if the Windows 10 computer is rebooted, you should configure the Use my
sign-in info to automatically finish setting up my device after an update or
restart setting to ON. If this setting is set to OFF, then the account does not
automatically sign in when the device is restarted.

You should go to Start > Settings > Accounts > Other users and configure the
account to be used as the kiosk account. From this page, you can choose to set up a
kiosk by adding a local account that will act as the kiosk account and choose the
app that will run when the kiosk account signs in to the computer.

You can use the PowerShell cmdlet Set-AssignedAccess to configure access to the
kiosk account and kiosk application.

You can also use the kiosk wizard in Windows Configuration Designer to configure
access to the kiosk account and kiosk application.

You would not go to Start > Settings > Accounts > Sign-in options and configure the
account to be used as the kiosk account. The Sign-in options page allows you to
configure Windows Hello, Picture password, PIN, or Dynamic Lock for your
computer.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Set up a single-app kiosk on Windows - Configure Windows | Microsoft Learn

Question 26:
The Nutex Corporation has multiple branches worldwide. You manage 10,000
workstations that run with a Windows 11 Pro license. You want to upgrade the
current license from Windows 11 Pro to Windows 11 Enterprise with no keys or
reboots.

Which of the following options should you choose?

A) Subscription activation

(Correct)

B) Windows Autopilot

C) In-place upgrade

D) Provisioning packages

Explanation
Windows 11 Enterprise E3 and Windows 11 Enterprise E5 are available as online
services via subscription. You can deploy Windows 11 Enterprise in your
organization with no keys or reboots. If you were running Windows 10 version 1703
or later, you could upgrade from a Windows 11 Pro license to a Windows 11
Enterprise license. Product key-based Windows 11 Enterprise licenses can be
transitioned to Windows 11 Enterprise subscriptions.

You cannot use subscription services to upgrade from Windows 10 to Windows 11.

You would not use Windows Autopilot for a Windows 11 Enterprise license upgrade.
Windows Autopilot uses various technologies to set up and preconfigure new
devices. It can be used to repurpose, recover, and reset devices. Windows Autopilot
helps IT administrators and reduces the time IT spends on deploying, managing, and
retiring devices. It also minimizes the amount of infrastructure required to maintain
the devices and maximizes ease of use for all types of end users.

You would not use provisioning packages for a Windows 11 Enterprise license
upgrade. Windows provisioning is best suited for small to medium-sized
deployments that range from ten to a few hundred. A provisioning package is a
container for a collection of configuration settings. You should use Windows
Configuration Designer to create a provisioning package. Windows Configuration
Designer is an app in the Microsoft store.

You would not use an in-place upgrade for the Windows 11 Enterprise license
upgrade in the given scenario. An in-place upgrade is used to upgrade an earlier
version of Windows to a new version. It automatically preserves all data, settings,
applications, and drivers. The in-place upgrade supports manual or automatic rolling
back to the previous OS in case you encounter issues either during or after the
deployment.

Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment

References:

Windows subscription activation - Windows Deployment | Microsoft Learn

What's new in Windows client deployment - Windows Deployment | Microsoft Learn

Question 27:
You have 60 Android devices and 50 iOS devices enrolled in an Intune tenant. You
plan to add a device compliance policy to apply settings depending on the version
of the operating system of Android or iOS.

What do you need to configure first?

A) Configure Device settings in Azure Active Directory

B) Configure device categories in Intune

(Correct)


C) Configure corporate device identifiers in Device enrollment

D) Import serial numbers via a .csv file


Explanation
You need to configure a device category. You must choose a category for an iOS or
an Android device when you enroll the device. You configure the list of categories
and can create device categories according to your needs, such as the following
examples:
• Point-of-sale device
• Demonstration device
• Marketing
• Finance

You do not have to configure Device settings in Azure Active Directory. Device
settings in Azure Active Directory let you set whether devices can join Azure AD,
whether users can register devices with Azure AD, whether multi-factor
authentication (MFA) is required to join devices, the maximum number of devices
per user, and whether users can sync settings and app data across devices.

You do not need to configure corporate device identifiers in Device enrollment. You
can use corporate identifiers to specify whether a device is corporate or personal. You
can use the IMEI number or serial number of the device. You can add the IMEI number
or serial number of multiple devices by uploading a .csv file that specifies the
identifiers.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Categorize devices into groups in Intune - Microsoft Intune | Microsoft Learn

Question 28:
Skipped
You want to deploy a Windows 10 device restriction policy to only the corporate
devices in the Engineering department, while excluding personal devices. You
create a new policy and manually add the following information to the filter rule:

(device.osVersion -eq "10.0.18362")

What else should you add to the filter rule? Choose three.

A) and (device.isRooted -eq "False")

B) and (device.manufacturer -eq "Microsoft")

(Correct)


C) and (device.deviceCategory -eq "Engineering devices")

(Correct)

D) and (device.operatingSystemSKU -eq "Enterprise")

E) and (device.deviceOwnership -eq "Personal")

F) and (device.isRooted -eq "True")

G) and (device.operatingSystemSKU -contains "Enterprise")

H) and (device.deviceOwnership -ne "Personal")


Explanation
You will need to add the following to the filter rule to deploy a Windows 10 device
restriction policy to only the corporate devices in the Engineering department, while
excluding personal devices:

(device.osVersion -eq "10.0.18362") and (device.manufacturer -eq "Microsoft") and (device.deviceCategory -eq "Engineering devices") and (device.deviceOwnership -ne "Personal")

A filter rule allows you to apply a policy to a specific group for a specific set of
devices. You can target devices based on the OS version of the operating system
whether it is Windows 10 or higher, Android, or iOS. You could use filters for the
following scenarios:

• Set restriction policies on the corporate devices that run Windows 10 for the
Engineering department while excluding their personal devices from the
policy.
• Deploy a specific app to iOS devices in the Sales group.
• Deploy a compliance policy to Samsung Galaxy S20 phones to all users in
your company.

The -eq operator in (device.osVersion -eq "10.0.18362") matches a particular
version of the operating system. The (device.manufacturer -eq "Microsoft") clause
ensures that the device reports Microsoft as its manufacturer. You can also check for
Android and iOS operating systems. The (device.deviceCategory -eq "Engineering
devices") clause ensures that the filter rule applies only to devices in the Intune
device category "Engineering devices". The (device.deviceOwnership -ne "Personal")
clause uses the -ne operator to exclude devices whose ownership is Personal. You
should not use (device.deviceOwnership -eq "Personal") because that clause uses the
-eq operator, which would include personal devices.

You should not use either (device.isRooted -eq "True") or (device.isRooted -eq
"False"). Whether the device is rooted is not relevant to the scenario. You only
need to target Microsoft devices (Windows 10) that are used by the Engineering
department and that are not personal devices.

You should not use either (device.operatingSystemSKU -eq "Enterprise") or
(device.operatingSystemSKU -contains "Enterprise"). These clauses ensure that the
operating system is using an Enterprise license SKU. You have already added a
version number of the operating system to the filter, and there is no requirement
in the scenario for an Enterprise SKU of the operating system.
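To make the operator semantics concrete, here is a small Python evaluator, added as an example here and not part of Intune or this question set. It handles only the -eq, -ne and -contains clauses joined by "and" that this question uses, compares strings exactly, and runs over a constructed device inventory with hypothetical device names.

```python
"""Toy evaluator for Intune-style device filter rules.

Added example, not Intune's own filter engine: it handles only the clause
shapes used in this question, i.e. (device.<property> -eq|-ne|-contains "<value>")
joined by 'and', and compares strings exactly (no case folding)."""
import re
from typing import Dict, List, Tuple

# One clause: (device.<property> -<operator> "<value>")
CLAUSE = re.compile(r'\(\s*device\.(\w+)\s+-(eq|ne|contains)\s+"([^"]*)"\s*\)')


def parse_rule(rule: str) -> List[Tuple[str, str, str]]:
    """Split an 'and'-joined rule into (property, operator, value) triples."""
    clauses = CLAUSE.findall(rule)
    # Whatever remains after removing the clauses must be 'and' separators only,
    # so an unsupported operator or an 'or' is rejected instead of silently ignored.
    leftover = CLAUSE.sub("", rule).replace("and", "").strip()
    if not clauses or leftover:
        raise ValueError(f"unsupported filter syntax: {rule!r}")
    return clauses


def matches(device: Dict[str, str], rule: str) -> bool:
    """True when every clause holds; a property the device lacks never satisfies -eq."""
    for prop, op, expected in parse_rule(rule):
        actual = device.get(prop, "")
        if op == "eq" and actual != expected:
            return False
        if op == "ne" and actual == expected:
            return False
        if op == "contains" and expected not in actual:
            return False
    return True


def filter_devices(devices: List[Dict[str, str]], rule: str) -> List[str]:
    """Names of the devices the rule would include in the assignment."""
    return [d["deviceName"] for d in devices if matches(d, rule)]


# Constructed sample inventory (hypothetical device names and property values).
DEVICES = [
    {"deviceName": "ENG-CORP-01", "osVersion": "10.0.18362", "manufacturer": "Microsoft",
     "deviceCategory": "Engineering devices", "deviceOwnership": "Corporate",
     "operatingSystemSKU": "Enterprise"},
    {"deviceName": "ENG-BYOD-02", "osVersion": "10.0.18362", "manufacturer": "Microsoft",
     "deviceCategory": "Engineering devices", "deviceOwnership": "Personal",
     "operatingSystemSKU": "Professional"},
    {"deviceName": "SALES-CORP-03", "osVersion": "10.0.18362", "manufacturer": "Microsoft",
     "deviceCategory": "Sales devices", "deviceOwnership": "Corporate",
     "operatingSystemSKU": "Enterprise"},
    {"deviceName": "ENG-OLD-04", "osVersion": "10.0.17763", "manufacturer": "Microsoft",
     "deviceCategory": "Engineering devices", "deviceOwnership": "Corporate",
     "operatingSystemSKU": "EnterpriseN"},
]

# The rule the question builds: Windows 10 18362, Microsoft, Engineering, not personal.
CORRECT_RULE = (
    '(device.osVersion -eq "10.0.18362") and (device.manufacturer -eq "Microsoft") and '
    '(device.deviceCategory -eq "Engineering devices") and (device.deviceOwnership -ne "Personal")'
)
# The distractor: -eq "Personal" selects exactly the devices the scenario wants to exclude.
PERSONAL_ONLY_RULE = '(device.osVersion -eq "10.0.18362") and (device.deviceOwnership -eq "Personal")'
# -contains is a substring test, so it also accepts "EnterpriseN"; -eq does not.
SKU_CONTAINS_RULE = '(device.operatingSystemSKU -contains "Enterprise")'
SKU_EQ_RULE = '(device.operatingSystemSKU -eq "Enterprise")'

if __name__ == "__main__":
    for label, rule in [("correct", CORRECT_RULE), ("personal-only", PERSONAL_ONLY_RULE),
                        ("sku -contains", SKU_CONTAINS_RULE), ("sku -eq", SKU_EQ_RULE)]:
        print(f"{label:14} -> {filter_devices(DEVICES, rule)}")
```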

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Supported filter device properties and operators in Microsoft Intune | Microsoft Learn

Question 29:
Skipped
You are a system administrator for Nutex Inc. Your organization has an Azure AD
environment. Employees use Windows and Android devices. The Android devices
include both corporate-owned fully-managed devices and personally-owned work
profile devices. Users with Android devices have access to highly sensitive data. All
devices are enrolled in Microsoft Intune.
You are creating a device restriction configuration profile for the Android devices.

Which of the following security configuration frameworks are recommended for the
fully managed and personally owned work profile devices to protect the highly
sensitive data? (Choose all that apply.)

A) Fully managed enhanced security (Level 2)

(Correct)

B) Personally owned work profile basic security (Level 1)

C) Personally owned work profile high security (Level 3)

D) Fully managed high security (Level 3)

E) Personally owned work profile enhanced security (Level 2)

(Correct)

F) Fully managed basic security (Level 1)


Explanation
In the given scenario, you would choose the fully managed enhanced security (Level
2) and personally owned work profile enhanced security (Level 2) security
configuration frameworks.

There are three Microsoft-recommended security configuration frameworks for
corporate-owned, fully managed devices:

• Fully managed basic security (Level 1) – Level 1 provides the minimum
security configuration for corporate-owned mobile devices. The policies in
Level 1 provide reasonable protection for data while minimizing the impact on
users. Reasonable security is ensured by enforcing password policies,
specifying operating system versions, providing SafetyNet device attestation,
and preventing device functions such as USB file transfer.
• Fully managed enhanced security (Level 2) – Microsoft recommends a Level
2 security configuration framework for corporate-owned mobile devices
where users can access highly sensitive information. These devices are a soft
target for hackers. Level 2 includes all the security configurations included in
Level 1 but is more stringent, and users may experience a slightly higher
impact.
• Fully managed high security (Level 3) – Microsoft recommends a Level 3
security configuration for companies with large, sophisticated security
organizations, or where users and groups are targeted by adversaries. The Level 3
configuration ensures the device is compliant by enforcing the most secure
Microsoft Defender for Endpoint settings, including specifying the latest
minimum operating system version, enforcing other device restrictions, and
mandating that apps are always up to date.

There are two Microsoft-recommended security configuration frameworks for
personally owned, work profile devices:

• Personally-owned work profile enhanced security (Level 2) – Microsoft
recommends a Level 2 security configuration where users access work or
school data. Level 2 provides a minimum-security configuration for personal
devices and applies to most mobile users. Some security settings in Level 2
may impact the users’ experience.
• Personally-owned work profile high security (Level 3) – Microsoft
recommends the Level 3 security configuration for devices with access to
highly sensitive information, which, if compromised, can lead to considerable
material loss. The Level 3 security configuration expands on the Level 2
settings. It includes implementing mobile threat defense, restricting data
scenarios, and enforcing stronger password policies.

Personally-owned work profile basic security (Level 1) is an invalid security
configuration framework and therefore is an incorrect option.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Corporate-owned Android Enterprise device restriction settings in Microsoft Intune | Microsoft Learn

Android Enterprise fully managed security configurations - Microsoft Intune | Microsoft Learn

Android Enterprise security configurations for personally-owned work profile - Microsoft Intune | Microsoft Learn

Question 30:
Skipped
You are a system administrator for Nutex Inc. Your organization has an Azure AD
Premium P1 subscription and hosts business-critical applications in the Azure
cloud.

You have been tasked with implementing OATH hardware tokens (Preview) in
Microsoft Azure for enhanced authentication. You have procured compatible
tokens.

What should you do next?

A) Activate the tokens from Azure AD using a CSV file.

B) Check the tokens by accessing https://aka.ms/mysecurityinfo.

C) Upgrade to the Azure AD Premium P2 subscription.

D) Upload the tokens to Azure Active Directory (Azure AD) in CSV file
format.

(Correct)

Explanation
You would upload the tokens to Azure AD in CSV file format. You must include the
user principal name (UPN), serial number, secret key, time interval, manufacturer,
and model in the CSV file (as shown in the image).

You would follow the steps below to configure OATH hardware tokens with
multi-factor authentication (MFA):

1. Log in to the Azure portal.
2. Navigate to Azure Active Directory > Security > Multi-Factor
Authentication > OATH tokens, and upload the CSV file as shown in the
exhibit.
3. While the CSV file is being uploaded, you can check the status by clicking on
the File upload is in-progress text (as shown in the exhibit).
4. After the CSV file is uploaded, activate the OATH token (as shown in the
exhibit).
5. Press the button on the token to generate an OTP/code and enter the
verification code.
6. Finally, verify that the token status has changed to activated.

Checking the token status by accessing https://aka.ms/mysecurityinfo is not the
next step in the given scenario, but the last step. This page is where OATH token
registrations can be managed and added by users.

There is no requirement for upgrading to an Azure AD Premium P2 subscription.
OATH tokens are supported by Azure AD Premium P1, P2, and any other plans that
include AADP P1 and P2 subscriptions.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:

All Things Cloud > OATH TOTP Hardware tokens with Azure MFA

OATH tokens authentication method - Microsoft Entra | Microsoft Learn

Question 31:
Skipped
You manage devices that run Windows 10. You do not have an existing on-
premises Active Directory environment. You plan to use Windows Hello for
Business on the devices.

What should you do? (Choose all that apply.)

A) Implement a public key infrastructure (PKI).

B) Configure a Microsoft account on the device.

(Correct)

C) Configure Azure Active Directory Premium for the devices.

(Correct)

D) Use Microsoft Cloud App Security.


Explanation
You should configure either Azure AD Premium or a Microsoft account. One of
these account options is required to use Windows Hello for Business (formerly
named Microsoft Passport).

You should not implement a PKI. A separate PKI is not required to implement
Windows Hello for Business, and is only necessary for smart card deployments or
other certificate-based needs.

You should not use the Microsoft Cloud App Security add-on. This is an Enterprise
Mobility + Security component for securing applications.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:

Windows Hello for Business Deployment Prerequisite Overview - Windows Security | Microsoft Learn

Windows Hello for Business Overview - Windows Security | Microsoft Learn

Microsoft Inside Track > Implementing strong user authentication with Windows
Hello for Business

Question 32:
Skipped
As a deployment administrator for the Verigon Corporation, you need to configure
100 laptops for the Austin, TX office. The laptops are off-the-shelf with Windows
10 Professional already installed.

Verigon does not have a mobile device management infrastructure (MDM) in place.
You must configure some basic desktop settings, such as AD enrollment. You need
a streamlined configuration solution that does not require an office network
connection.

What steps would be required as part of streamlining this process? (Choose all that
apply.)

A) Download the Windows Assessment and Deployment Kit (ADK) for
Windows 10

(Correct)

B) Set up Azure AD Join


C) Create an encrypted provisioning package

D) Download the Windows Imaging and Configuration Designer (ICD) Tool

E) Create a project using the desktop wizard

(Correct)

Explanation
You will want to download the Windows Assessment and Deployment Kit (ADK) for
Windows 10 to obtain the Windows Configuration Designer tool. The Windows
Configuration Designer tool is needed for this scenario and is part of the kit. You
could also download it directly from the Microsoft Store.

You will create a project using the desktop wizard option in the Windows
Configuration Designer. This will allow you to customize the basic desktop settings
as indicated in the scenario. Windows Configuration Designer also provides a mobile
wizard, a kiosk wizard, and a HoloLens wizard.

You do not need to set up Azure AD Join. The scenario does not mention this
requirement, and the desktop wizard of Windows Configuration Designer does not
allow for bulk enrollment in Azure AD.

You do not want to download the Windows Imaging and Configuration Designer
(ICD) Tool. That is a legacy tool, and support has been removed for making
customized images.

You do not need to encrypt the provisioning package. Microsoft suggests that you
do not apply security to your packages unless the package contains sensitive
security data such as credentials or certificates.

Microsoft provides several ways to apply Windows 10 provisioning packages. These
include Offline Windows Imaging (using DISM and the old ICD tool), Windows
Imaging Deployment, and Runtime Device Provisioning, which can be done with the
Windows Configuration Designer.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft
Deployment Toolkit (MDT)

References:

Provision PCs with common settings (Windows 10/11) - Configure Windows | Microsoft Learn

Create a provisioning package (Windows 10/11) - Configure Windows | Microsoft Learn

Step-By-Step: Building Windows 10 Provisioning Packages | Microsoft Learn

Question 33:
Skipped
Your company has an Active Directory domain named nutex.com. All client
computers in the domain run Windows 10. You have a computer named wks1 in your
department that is having issues with a sound card. You have ordered a new sound
card, but need to disable the existing sound card device. You create the following
script on a share on a server to fix the problem temporarily:

Get-Device | where {$_.name -like "Acme Sound*"} | Disable-Device
Get-Device | where {$_.name -like "Acme Sound*"} | Enable-Device

What should you run on your computer to resolve the issue on the other computer?

A)

On wks1, run the following:

Enable-PsRemoting -Force

On your computer, enter the following:

Enter-PSSession -ComputerName wks1.nutex.com -Credential Nutex\CarlSpackler
Invoke-Command -ComputerName wks1.nutex.com -FilePath \\server5\Scripts\MyScript.ps1

(Correct)

B)

On your computer, run the following:

Enable-PsRemoting -Force

On wks1, enter the following:

Enter-PSSession -ComputerName wks1.nutex.com -Credential Nutex\CarlSpackler
Start-Process -ComputerName wks1.nutex.com -FilePath \\server5\Scripts\MyScript.ps1

C)

On your computer, run the following:

Enable-PsRemoting -Force

On your computer, enter the following:

Enter-PSSession -ComputerName wks1.nutex.com -Credential Nutex\CarlSpackler
Start-Process -ComputerName wks1.nutex.com -FilePath \\server5\Scripts\MyScript.ps1

D)

On wks1, run the following:

Enable-PsRemoting -Force
Enable-PsRemoting -Force

On your computer, enter the following:

Enter-PSSession -ComputerName wks1.nutex.com -Credential Nutex\CarlSpackler
Start-Process -ComputerName wks1.nutex.com -FilePath \\server5\Scripts\MyScript.ps1

E)

On your computer, run the following:

Enable-PsRemoting -Force

On wks1, enter the following:

Enter-PSSession -ComputerName wks1.nutex.com -Credential Nutex\CarlSpackler
Invoke-Command -ComputerName wks1.nutex.com -FilePath \\server5\Scripts\MyScript.ps1

F)

On your computer, run the following:

Enable-PsRemoting -Force

On your computer, enter the following:

Enter-PSSession -ComputerName wks1.nutex.com -Credential Nutex\CarlSpackler
Invoke-Command -ComputerName wks1.nutex.com -FilePath \\server5\Scripts\MyScript.ps1

Explanation
You should run the following on wks1:

Enable-PsRemoting -Force

On your computer, you should enter the following:

Enter-PSSession -ComputerName wks1.nutex.com -Credential Nutex\CarlSpackler
Invoke-Command -ComputerName wks1.nutex.com -FilePath \\server5\Scripts\MyScript.ps1

You should first ensure that Enable-PsRemoting -Force is run on the computers that
you want to remotely access so that the remote computers can receive remote
commands. The Enable-PsRemoting cmdlet starts the WinRM service and sets the
service to start automatically. It also creates a firewall rule that allows incoming
connections from remote computers. The -Force parameter ensures that there is no
user intervention.

You should not enter Enable-PsRemoting -Force on your own computer
because wks1 is the computer you are trying to access remotely.

You should use the Enter-PSSession -ComputerName wks1.nutex.com -Credential
Nutex\CarlSpackler command to start a remote PowerShell session on wks1 with
the proper credentials. Then run the script on wks1 with the following:

Invoke-Command -ComputerName wks1.nutex.com -FilePath \\server5\Scripts\MyScript.ps1

The Invoke-Command cmdlet runs a script on a remote computer. You should use
the -FilePath parameter to specify the location of the script. The script will run
on wks1 and return the results to your computer.

You should not run the Start-Process cmdlet to invoke the script file on the remote
computer. This cmdlet will start a process, but not run a script.

You should not run the following on wks1 because this should be run on the local
computer, not the remote computer:

Enter-PSSession -ComputerName wks1.nutex.com -Credential Nutex\CarlSpackler

Objective:
Deploy Windows client

Sub-Objective:
Configure remote management

References:

How-To Geek > How to Run PowerShell Commands on Remote Computers

Running Remote Commands - PowerShell | Microsoft Learn

Invoke-Command (Microsoft.PowerShell.Core) - PowerShell | Microsoft Learn

Question 34:
Skipped
Nutex Corporation has chosen Intune as its MDM solution. Nutex has a few new
Windows 10 laptops that they will be deploying in a branch office. Nutex wants to
minimize costs. Nutex would like to use Intune to assign Outlook Online and Excel
Online to these devices. Nutex has Office 365 Business licenses for new laptops,
which are all registered with Intune.

What are the next steps? (Choose all that apply.)

A) Create a Windows Information Protection (WIP) policy

B) Upgrade the license subscription to Office 365 E1

C) Upgrade the license subscription to Office 365 ProPlus

(Correct)

D) Add the Windows 10 app type to Intune

(Correct)

E) In Intune, create an App Suite

(Correct)

Explanation
You will need to add the Windows 10 app type to Intune. You will be asked to choose
between Configuration Designer or Enter XML data. For the few laptops in this
scenario, Configuration Designer is the preferred choice.

You will need to upgrade the license subscription to Office 365 ProPlus. As of this
writing, Office 365 Business edition is not supported by Intune. Office 365 ProPlus is
the minimum subscription level to deploy Office 365 apps with Intune.

In Intune, you will create an App Suite. You can add Outlook and Excel so they will
appear as one app in the apps list.

You do not need to create a Windows Information Protection (WIP) policy. A WIP is
used to protect apps without device enrollment and is outside the scope of this
scenario.

You do not need to upgrade the license subscription to Office 365 E1. While this
would meet the requirements of the scenario, it is not a preferred answer as it is only
necessary to upgrade to Office 365 ProPlus, and Nutex wants to minimize costs.

Note that you can assign an app to a device whether or not the device is managed by
Intune.

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Windows 10/11 app deployment by using Microsoft Intune | Microsoft Learn

Add Microsoft 365 Apps to Windows 10/11 devices using Microsoft Intune |
Microsoft Learn

Question 35:
Skipped
Your organization has eight Windows 10 computers and all domain controllers run
Windows Servers 2012. All group policies are managed at the enterprise level.

You purchase a Windows Store app that you use for troubleshooting, and install the
app on two devices that you will soon add to the domain. You attempt to install the
app on another domain user's computer after you log in to the computer using your
Windows account. You receive the following error message:

"Windows Store is not available on this PC. Contact your system Administrator for
more information."

You need to be able to install this app on all Windows 10 computers on your
organization's network.

What should you do?


A) Enable the Turn off the Store application group policy.

B) Enable the Allow Store to install apps on Windows To Go workspaces group policy.

C) Disable the Turn off Automatic Download of updates group policy.

D) Enable the Turn off Automatic Download of updates group policy.

E) Disable the Allow Store to install apps on Windows To Go workspaces group policy.

F) Disable the Turn off the Store application group policy.

(Correct)

Explanation
You should disable the Turn off the Store application group policy in the Computer
Configuration\Administrative Templates\Windows Components\Store path. When
this policy is set to Enable, it will prevent users from being able to access Windows
Store apps. This group policy controls access to the entire Windows Store. If the
policy is not configured or is set to Disable, it will allow access to the Windows Store
application.

This policy can be set at the machine level or the user level. The Turn off the Store
application group policy is shown in the following exhibit:

Note that the Store Policy folder does not appear on a Windows Server 2012 R2
computer or a Windows 10 computer. On your Windows Server 2012 R2 computer,
you have to download the Administrative Templates (.admx) for Windows 8.1 Update
and Windows Server 2012 R2 Update. You can copy the Administrative Templates
to C:\Windows\PolicyDefinitions or to your Group Policy Central Store to overwrite
the old ADMX and ADML files with the new ones. The Store policy definitions are not
included in the Windows 10 ADMX templates. However, if you enable the Turn off
the Store application in a Group Policy, it will disable the Windows Store application
on a Windows 10 computer.

When you purchase a Windows Store app, you can install that app on up to 10
devices per Microsoft account. If you want to install the app on an eleventh device,
you will be prompted to remove the app from another device. You will need to log in
with your Microsoft account and remove a device from the Windows Store device
list.

If you want to control which apps can be installed on a device, you should use the
AppLocker feature, not the Turn off the Store application group policy. AppLocker is
a set of Application Control Policies introduced with Windows Server 2008 R2.
AppLocker adds features to manage Windows apps that are downloaded from the
Windows store.

You should not configure the Allow Store to install apps on Windows To Go
workspaces group policy. This policy controls the installation properties of Windows
Store apps on Windows To Go workspaces. The scenario does not mention
Windows To Go. This group policy is shown in the following exhibit:

You should not enable the Turn off the Store application group policy. This is the
current setting for this group policy based on the error message you received. This
policy is located in the Windows Components\Store path.

You should not configure the Turn off Automatic Download of updates group policy.
This policy in the Windows Components\Store path controls the download of
Windows Store app updates. While this group policy can control the download of the
updates, update installation must still be initiated manually by the user. Windows 10
checks the Windows Store for updates on a daily basis. When an update for an
installed app is available, Windows updates the Store tile in the Start screen to
indicate that updates are available. The user can choose to update one, several, or all
of their installed apps. The Turn off Automatic Download of updates group policy is
shown in the following exhibit:

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Configure access to Microsoft Store - Configure Windows | Microsoft Learn

Manage Client Access to the Windows Store | Microsoft Learn

Appendix B: Group Policy Settings Listed Under the Internet Communication Management Category | Microsoft Learn

Sideload Apps with DISM | Microsoft Learn

Question 36:
Skipped
You are a system administrator for Verigon Corporation. You have procured
Microsoft Defender for Endpoint Plan 2. Your environment comprises Windows 11
devices, Windows servers, Linux servers, and macOS devices. You are onboarding
the devices to Microsoft Defender for Endpoint.

Which of the following deployment tools should you use to onboard Linux servers
to Microsoft Defender for Endpoint?

A) Puppet

(Correct)

B) JAMF Pro

C) Microsoft Intune

D) Mobile Application Management (MAM)


Explanation
You would use Puppet to onboard Linux servers to Microsoft Defender for Endpoint.
The following tasks should be completed to successfully deploy Microsoft Defender
for Endpoint on Linux using Puppet:
1. Download the onboarding package.
2. Create the Puppet manifest.
3. Deploy Puppet.
4. Check the onboarding status.

Although it was not offered as an option, you could also use Chef, a local script,
Ansible, or Saltstack to onboard a Linux server to Microsoft Defender for Endpoint.

Below is the list of deployment tools supported by the respective operating system
endpoints.

Microsoft Intune can deploy Android and iOS devices, but not Linux devices.

Mobile Application Management (MAM) can deploy iOS devices.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Onboard to Microsoft Defender for Endpoint | Microsoft Learn

Deploy Microsoft Defender for Endpoint on Linux with Puppet | Microsoft Learn

Question 37:
Skipped
You are a system administrator for your organization. They have 15,000 Windows
10 Enterprise workstations. You have been tasked to automate a Windows 11
Enterprise deployment on all workstations.

You are planning to use the Microsoft Deployment Toolkit (MDT) for creating reference
images for the operating system deployment.

Which of the following MDT task sequence templates should you use to run a User
State Migration Tool (USMT) backup and the full Windows Imaging (WIM) backup
action?

A) Standard Client Replace

(Correct)

B) Lite Touch OEM

C) Sysprep and Capture

D) Standard Client

E) Standard Client Upgrade


Explanation
In the given scenario, you would use the Standard Client Replace task sequence
template to run a USMT backup and the full WIM backup action.

Task sequences are essential and play a crucial role in the deployment solution. You
have to select a template when creating a task sequence. The templates are typically
located in the MDT installation directory and determine the default actions present in
the task sequence. Task sequence is the list of actions that must be executed in a
specific order.

MDT has nine default task sequence templates, and you can create your own if
desired. You should store the custom created template in the default MDT
installation directory. The nine templates are:

• Sysprep and Capture task sequence – This template uses the System
Preparation (Sysprep) tool and makes an image of a reference computer.
• Standard Client task sequence – This template is most frequently used for
creating reference images and deploying clients in production.
• Standard Client Replace task sequence – This template runs a USMT backup
and the full WIM backup action. It can also be used to do a secure wipe of a
machine that you are planning to decommission.
• Custom task sequence – This template has only one default action.
• Standard Server task sequence – This is used to deploy operating system
images to servers. It does not contain any USMT actions because USMT is
not supported on servers.
• Lite Touch OEM task sequence – This template can be used to preload
operating system images on the computer hard drive. It is typically used by
computer original equipment manufacturers (OEMs), but some enterprise
organizations also use this feature.
• Post OS Installation task sequence – Using this template, a task sequence is
prepared to run actions after the operating system has been deployed.
• Deploy to VHD Client task sequence – This is similar to the Standard Client
task sequence template but also creates a virtual hard disk (VHD) file on the
target computer and deploys the image to the VHD file.
• Deploy to VHD Server task sequence – This template is the same as the
Deploy to VHD Client task sequence but is used for servers.
• Standard Client Upgrade task sequence – This is a simple task sequence
template used to perform an in-place upgrade from Windows 7, Windows 8, or
Windows 8.1 directly to Windows 10 or 11, automatically preserving existing
data, settings, applications, and drivers.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft
Deployment Toolkit (MDT)

References:

Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) - Windows
Deployment | Microsoft Learn

Set up the Microsoft Deployment Toolkit for client deployment - Training | Microsoft
Learn

Question 38:
Skipped
You are an enterprise admin for the Verigon Company.
You are preparing for a large-scale deployment of Windows 10 devices using
Autopilot and Intune. You have already configured Microsoft Intune for auto-
enrollment. You have also registered the devices within Intune and assigned them
to a device group.

Click on the correct page within the Microsoft Endpoint Manager admin center to
begin the next step in the enrollment process in order to complete the deployment.

A) 419,791,857,904

B) 885,652,1322,765

C) 419,652,861,763

(Correct)

D) 419,292,856,428
Explanation
The next step in the deployment process is to create a Windows Autopilot profile. To
do so, go to Devices > Device enrollment | Enroll devices > Windows
enrollment > Windows Autopilot Deployment Program | and select Deployment
Profiles.

You would not choose the Intune Connector for Active Directory. This option
configures a device to be on-premises and Active AD joined.

You would not choose Devices. This option will not complete the deployment
process; it allows you to manage devices in Windows Autopilot.

You would not choose Automatic Enrollment. This option allows Windows devices to
join or register with Azure Active Directory.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Demonstrate Autopilot deployment - Windows Deployment | Microsoft Learn

Question 39:
Skipped
You are a system administrator for Verigon Inc. Your organization has an Azure
Active Directory (Azure AD) subscription with 20,000 Windows 11 devices. All
devices are enrolled in Microsoft Intune and joined to Azure AD.

You want Microsoft Intune logs to be routed to the Azure Monitor service. You have
procured an Azure Storage account to be used for storing logs.

Which of the following Azure Monitor features should you enable to route the logs
to Azure Monitor?

A) Integrate Intune logs

B) Diagnostic settings

(Correct)

C) Endpoint Analytics

D) Log Analytics
Explanation
You would enable Diagnostic settings to route the logs to Azure
Monitor. Diagnostic settings in Intune sends log data to different services: a
storage account, an event hub, or Log Analytics.
Microsoft Intune contains the following built-in logs that provide information
regarding your environment:

• Audit logs – Help you view the record of activities that generate a change in
Microsoft Intune; contain a record of activities, including create, update,
delete, assign, and remote actions.
• Operational logs – Help you view details on users and devices that
successfully enrolled or failed to enroll and details of non-compliant devices.
• Device Compliance Organizational logs – Help you view organizational
reports for device compliance in Intune and details on non-compliant devices.
• IntuneDevices logs – Help you view the device inventory and status
information for Intune enrolled and managed devices.

You can send this log information to Azure Monitor and Azure Storage. You can
specifically archive Intune logs to an Azure Storage account, stream Intune logs to
an Azure event hub for analytics using SIEM tools, integrate Intune logs with your
custom log solutions, or send Intune logs to Log Analytics to enable rich
visualizations, monitoring, and alerting on the connected data.

Enabling Log Analytics will not route the logs to an Azure Monitor service such as an
Azure Storage account. Log Analytics is a feature in the Azure portal that is used to
edit and run log queries with data in Azure Monitor Logs.

Enabling Endpoint Analytics will not route the logs to an Azure Monitor service such
as an Azure Storage account. Endpoint Analytics is part of the Microsoft Productivity
score, which provides you with a view for measuring how your organization is
working and the quality of the experience you are delivering to your users. It also
helps identify the hardware or policy issues that may impact device performance and
helps you to take proactive measurements to improve performance before the user
raises an issue ticket.

Integrating Intune logs in Azure Monitor will not route the logs to the Azure Monitor
service. You can integrate Intune logs with your custom log solutions by enabling
Diagnostic Settings.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Monitor devices

References:

Route logs to Azure Monitor using Microsoft Intune | Microsoft Learn

Overview of Log Analytics in Azure Monitor - Azure Monitor | Microsoft Learn

What is Endpoint analytics? - Microsoft Intune | Microsoft Learn

Question 40:
Skipped
Your organization has a Microsoft Intune subscription. Most of the employees are
mobile users and travel frequently for business purposes, using their personal
devices to access their corporate email.

You have applied app protection policies to the Microsoft Outlook app. You want to
add the Microsoft Outlook app to the approved list of apps that can be used while
accessing corporate email.

What should you do?

A) Configure a device-based Conditional Access policy.

B) Configure a location-based Conditional Access policy.

C) Configure an app-based Conditional Access policy.

(Correct)

D) Configure a device-based Conditional Access policy and a location-based
Conditional Access policy.
Explanation
You would configure an app-based Conditional Access policy in the given scenario.
Microsoft Intune app protection policies work with Conditional Access. Before
configuring app-based Conditional Access policies, you should have Intune app
protection policies. To create an app-based Conditional Access policy, you would
follow these steps:
1. Log in to the Microsoft Intune admin center.
2. Click Endpoint security > Conditional access > Create New policy.
3. Provide the policy Name and, under Assignments, click Users or workload
identities, and apply the policy to selected users or groups.
4. Click Conditions > Client apps to apply the policy to apps and browsers.
5. In Access controls, click Grant to apply Conditional Access based on a device
compliance status.
6. Choose On under Enable policy, and then click Create.

You would not configure a device-based Conditional Access policy in the given
scenario. Device-based Conditional Access policies can help your Azure Active
Directory (Azure AD) use the device status and grant or deny access to the
organization’s apps and services. You can create a device-based Conditional Access
policy from the Microsoft Intune admin center.

You would not configure a location-based Conditional Access policy in the given
scenario. Conditional Access policies are if/then statements and make decisions
based on signals. One of the signals is location. Organizations can use a location-
based Conditional Access policy when requiring multi-factor authentication (MFA)
for users accessing the service when not in the corporate network and blocking
access for users to the corporate network or services when trying to access
resources from specific locations or countries your organization never operates
from.
You would not configure device-based and location-based Conditional Access
policies in the given scenario.

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Use app-based Conditional Access policies with Intune - Microsoft Intune | Microsoft
Learn

Set up app-based Conditional Access policies with Intune - Microsoft Intune |
Microsoft Learn

Set up device-based Conditional Access policies with Intune - Microsoft Intune |
Microsoft Learn

Question 41:
Skipped
You are an enterprise admin for the Verigon Company.

You are currently deploying Windows 10 devices using Windows Autopilot in user-
driven mode. A user calls the helpdesk to report that the deployment process is
failing on their machine.

Which of the following may be reasons why the deployment is failing? (Choose
two.)

A) The device does not have a PXE-capable network interface controller.

B) The device is currently lacking network connectivity.

(Correct)

C) The device cannot find any available domain controllers due to DNS.

D) A Windows Group Policy is blocking the Azure AD enrollment process.

E) The user that logged on lacks Azure Active Directory join permissions.

(Correct)

Explanation
One reason why the deployment is failing could be that the target device must have
network connectivity to download the Windows Autopilot profile.

Another reason could be that devices must be able to join Azure AD to complete the
deployment process using Windows Autopilot in user-driven mode.

Windows Group Policy only applies to domain-joined computers and is not
applicable to Windows Autopilot. You cannot use Group Policy to deploy Windows
10 to a computer or device.

Domain controllers are not required for Azure AD-joined devices.

Windows Autopilot does not require client devices to have PXE-capable network
interface controllers.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Windows Autopilot troubleshooting overview | Microsoft Learn

Troubleshoot Windows Autopilot Azure AD join issues | Microsoft Learn

Question 42:
Skipped
You are a system administrator for Verigon Inc. Your organization has an Azure
Active Directory (Azure AD) environment with a number of departments, including
Sales, Finance, and HR. The departments have workstations with different
configurations, as shown in the table below.

You are planning to configure Windows 11 Enterprise on all of the workstations
assigned to these departments.

Which of the workstations can be configured using Windows Autopilot self-
deploying mode?

A) Finance workstations only

B) Finance and HR workstations

(Correct)

C) Sales, Finance, and HR workstations

D) Sales workstations only

Explanation
In the given scenario, Finance and HR workstations can be configured using
Windows Autopilot self-deploying mode. TPM 2.0 is the requirement for self-
deploying mode. TPM 2.0 is used to authenticate the device into the organization's
Azure AD tenant. Devices without TPM 2.0 cannot be used with this mode. TPM
attestation must also be supported by the devices. The TPM provider provides the
HTTPS URL for the TPM attestation process.
When attempting self-deploying mode on a device that does not have TPM 2.0, the
process will fail when verifying the device. The self-deploying mode works with
Windows 10 version 1903 or later.

You cannot configure Sales workstations using self-deploying mode because their
workstations do not have TPM 2.0, and TPM 1.2 will not work with self-deploying
mode.

With Windows Autopilot's self-deploying mode, you can deploy a device with little or
no user interaction. Self-deploying mode performs the following:

• Joins the device to Azure AD.
• Enrolls the device in Intune using Azure AD for automatic MDM enrollment.
• Makes sure that all applications, certificates, network profiles, and policies
are provisioned on the device.
• Prevents access until the device is fully provisioned.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Windows Autopilot self-deploying mode (Public Preview) | Microsoft Learn

Overview of Windows Autopilot | Microsoft Learn

What's new in Autopilot | Microsoft Learn

Question 43:
Skipped
You are a system administrator for a new startup called the Nutex Corporation. You
want to deploy Windows 11 on all of the new workstations with some customized
applications that employees will use for their daily business activities.
You are in the process of creating a reference image that will help reduce
deployment time and install a standard set of applications on all the workstations.

You have set up the Microsoft Deployment Toolkit (MDT), built a lab deployment
share, and added the setup files and required applications.

What should you do next?

A) Configure permissions for the deployment share.

B) Create the reference image task sequence.

(Correct)

C) Build the Windows 11 reference image.

D) Configure the MDT deployment share rules.

Explanation
The next step would be to create the reference image task sequence to capture your
Windows 11 reference image for deployment using the Microsoft Deployment
Toolkit (MDT). With the MDT, you must store the operating system and applications
into the MDT Build Lab deployment share to build a Windows 11 reference image.
The task sequence is executed from the virtual machine where you created it and
will reference the operating system and applications. The task sequence should be
configured to get patches from a Windows Server Update Services (WSUS) server
that has approved patches originally taken from Windows Update.

You would configure the MDT Build Lab deployment share rules after you have
created the reference image task sequence. The configuration of these rules will
reside in the bootstrap.ini and CustomSettings.ini files. These files work together.
The bootstrap.ini file is available on the boot image and executed first. Its purpose is
to provide information to MDT to find the CustomSettings.ini file, which is stored on
the server in the Deployment Share\Control folder.

You would build the Windows 11 reference image after configuring the MDT Build
Lab deployment share rules. The image is created by launching the task sequence
that you had created earlier.
You would configure permissions for the deployment share for the account that will
access the MDT Build Lab deployment share, which is already in place in this
scenario. Configuring permissions will help read files in the deployment share and
write the reference image back to it. You must also assign NTFS and SMB
permissions to the MDT Build Account for the MDTBuildLab folder that was created
while creating the MDT deployment share.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft
Deployment Toolkit (MDT)

References:

Create a Windows 10 reference image (Windows 10) - Windows Deployment |
Microsoft Learn

Windows 11 image creation for OEMs | Microsoft Learn

Question 44:
Skipped
You are the enterprise admin for Verigon. The company has recently enrolled more
than 2,000 Windows 10 laptops with Microsoft Endpoint Manager.

As security is a top priority in the company, you want to deploy best-practice
configurations to all devices and application settings as quickly as possible.

Using the Endpoint Security node, click on the tool that will achieve this objective.

A) 292,473,574,509

B) 292,633,574,665

C) 292,709,574,745

D) 292,381,574,415

E) 292,756,574,786

F) 292,339,574,370

(Correct)

Explanation
You would choose the following:
Security baselines are pre-configured groups of Windows settings that help you
apply a known group of settings and default values that the relevant security teams
recommend.

All the other answers are incorrect because they do not deploy configurations.

While Security tasks are used to remediate endpoint weaknesses identified by
Defender's vulnerability management, they deliver and enforce settings.

Device compliance is used to create policies that establish the conditions by which
devices and users can access the company’s network and resources.

Conditional access is used to create policies that enforce which devices and apps
can access your corporate resources.

Attack surface reduction is used to create policies that help reduce your attack
surfaces by integrating with Endpoint antivirus.

Antivirus, Disk encryption, firewalls, Endpoint protections, and Account protection
focus on specific aspects of device security and do not include best practices.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Manage endpoint security in Microsoft Intune | Microsoft Learn

Question 45:
Skipped
You have recently joined the Nutex Corporation as the Microsoft 365 Administrator.
Nutex is a startup company in the IT Services sector. You are tasked with
developing a strategy to deploy and manage the Microsoft 365 apps. You plan to
use the Microsoft 365 Apps admin center to accomplish this.

Which of the following statements about the servicing profile feature in Microsoft
365 Apps admin center are TRUE? (Choose all that apply.)

A) Servicing profiles can be configured to roll out updates in different
phases.

(Correct)

B) Servicing profiles can be configured to deploy and update Microsoft 365
apps on endpoints.

C) An app configuration deployed using Microsoft Endpoint Manager takes
precedence over a servicing profile on an endpoint.

D) Devices that use Microsoft 365 apps must be part of the inventory of the
Microsoft 365 Apps admin center.

(Correct)

E) Servicing profiles cannot roll back versions.

Explanation
The following statements are true:
• Devices that use Microsoft 365 apps must be part of the Microsoft 365 Apps
admin center inventory.
• Servicing profiles can be configured to roll out updates in different phases.

Devices that use Microsoft 365 apps being part of the Microsoft 365 Apps admin
center inventory is a prerequisite for applying a servicing profile to a device. From
the admin center Inventory page, you can also get insights into Office builds, Office
Update channels, and Office add-ins on endpoints.

Servicing profiles can include up to three rollout waves (at the time of writing), with
each wave specifying the Azure AD groups that get the updates and the duration
between the rollouts.
Servicing profiles on a device take precedence over app configurations deployed
using tools such as the Office Deployment Tool or Microsoft Endpoint Manager, not
the other way around.

The servicing profile can be configured to roll back versions. A rollback can be
triggered at the level of devices or Azure AD groups. With a rollback scheduled, the
target endpoint is automatically rolled back to the previous version when connected
to the Internet. Endpoints rolled back will stay on the previous version until the next
version of Monthly Enterprise Channel is released.

The servicing profile cannot be configured to deploy Microsoft 365 apps on
endpoints. In the Microsoft 365 Apps admin center, apps are deployed using the
Office Customization Tool and are updated using servicing profiles. The Office
Customization Tool can be configured to install the updates automatically.

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Overview of inventory in the Microsoft 365 Apps admin center - Deploy Office |
Microsoft Learn

Overview of servicing profile in the Microsoft 365 Apps admin center - Deploy Office |
Microsoft Learn

Overview of the Microsoft 365 Apps admin center - Deploy Office | Microsoft Learn

Question 46:
Skipped
You have recently joined the Nutex Corporation as the Microsoft 365 Administrator.
Nutex is a growing company in the IT Services sector with over 100 employees.
They use Microsoft Intune to manage all employees’ endpoints.
The IT Administration team has recently discovered a shadow IT and initiated the
deployment of the licensed version of the Microsoft 365 apps on the endpoints
using Intune. Some employees cannot use the licensed version of the Microsoft
365 apps deployed from Intune.

Which of the following are probable causes of this issue? (Choose all that apply.)

A) Existing apps are running on the endpoints.

(Correct)

B) The app assignment is missing some endpoints.

(Correct)

C) The Remove MSI feature was used to remove existing apps.

D) There are multiple app assignments with different sets of apps in the
suites.

(Correct)

E) The endpoints are not enrolled in Intune.

Explanation
The following are reasons why some employees cannot use the licensed version of
the Microsoft 365 apps deployed from Intune:
• There are multiple app assignments with different sets of apps in the suites.
• The app assignment is missing some endpoints.
• Existing apps are running on the endpoints.

Multiple app assignments from Intune are not additive. The last assignment will
clean up the existing assignment and install the apps. In this case, the last
assignment could be using fewer apps than in the former assignment since the later
app assignment overwrites pre-existing installed app assignments.

To remove a shadow IT from endpoints, the Intune App suite should typically be set
to remove existing apps from the endpoint. Unless the Microsoft Software Installer
(MSI) Office apps are manually removed, the app assignment will not initiate the
deployment of apps from Intune. To manually remove existing apps, you would use
the Remove MSI feature. This feature can remove all Office (MSI) apps from a
device.

A prerequisite for Intune app assignments to work is that the existing Microsoft apps
on the endpoints must not be in use. In such cases, the installation may fail.

The app assignment could be missing some endpoints. Check the app assignment
and add another assignment for the affected users.

Endpoints being enrolled in Intune is a prerequisite to deploying the Microsoft 365
Apps suite from Intune. In this scenario, it cannot be the cause of the issue as all
endpoints are managed by Intune.

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Add Microsoft 365 Apps to Windows 10/11 devices using Microsoft Intune |
Microsoft Learn

Question 47:
Skipped
You are a system administrator for Nutex Corporation. Your organization has an on-
premises Active Directory (AD) and an Azure AD. Windows 11 is installed on all the
workstations.

You have a business-critical application hosted on the Azure cloud that users want
to access from their home workstations. Your organization’s policy states that the
user’s device should be compliant with Intune policy before accessing the
business-critical application. Below are the home workstations with their
configurations.

Which of the following should you do to ensure that users can access business-
critical applications from home? (Choose all that apply.)

A) Join HomePC2 to on-premises AD.

B) Join HomePC4 to Azure AD.

(Correct)

C) Use Windows Autopilot for HomePC1, HomePC2, HomePC3, and
HomePC4.

D) Enroll HomePC2 to Microsoft Intune.

(Correct)

E) Join HomePC3 to on-premises AD.

F) Join HomePC3 to Azure AD.

(Correct)

G) Enroll HomePC3 to Microsoft Intune.

(Correct)

Explanation
In the given scenario, you would join HomePC3 and HomePC4 to Azure AD and
enroll HomePC2 and HomePC3 to Microsoft Intune. MDM tools such as Microsoft
Intune can control the Azure AD registered devices and enforce organization-
required security policies.

The goal of Azure AD registered devices is to provide your users with Bring Your Own
Device (BYOD). Users can then access the organization’s resources using their
personal devices.
Azure AD registered devices can be managed easily through Microsoft Intune.

You can determine that an Azure AD join is the best solution for a device in a
different state. The following table shows how to change the state of a device:

Once you have registered or joined your devices to Azure AD, you can use the Azure
portal as a centralized place to manage the device identities.

You would not join HomePC2 and HomePC3 to the on-premises AD. Their device
should be compliant with organization policies before they can access the
organization’s resources. Their device should be joined to Azure AD. Joining devices
to the on-premises AD is not the requirement in the given scenario.

You would not use Windows Autopilot for HomePC1, HomePC2, HomePC3, and
HomePC4 in the given scenario. Windows Autopilot consists of technologies to set
up and pre-configure new devices. It can be used to reset, repurpose, and recover
devices. Windows Autopilot helps IT administrators and reduces the time IT spends
on deploying, managing, and retiring devices. It minimizes the infrastructure required
to maintain the devices and maximizes ease of use for all types of end users.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:

Plan your Azure Active Directory device deployment - Microsoft Entra | Microsoft
Learn

What are Azure AD registered devices? - Microsoft Entra | Microsoft Learn

Overview of Windows Autopilot | Microsoft Learn

Question 48:
Skipped
You are a system administrator for Nutex, Inc. Your organization has a Microsoft
Intune subscription and a hybrid Azure Active Directory (Azure AD) environment.
You are using Windows Autopilot for configuring new devices with Windows 11.
The device assigned to User1 is unable to re-enroll using Windows Autopilot self-
deployment mode.

You tried to redeploy the device and it returned the error code 0x80180014.

Which of the following solutions can fix the issue? (Choose all that apply.)

A) Check in case too many devices are enrolled for User1.

B) Enable the MDM enrollment in case it is disabled.

(Correct)

C) Delete the device record in Microsoft Intune.

(Correct)

D) Check for missing or incorrect licenses assigned to User1.

E) Redeploy the Autopilot deployment profile.

(Correct)

Explanation
In the given scenario, you can use the following to fix the issue:
• Delete the device record in Microsoft Intune.
• Redeploy the Autopilot deployment profile.
• Enable the MDM enrollment in case it is disabled.

Sometimes devices are not re-enrolled automatically using Autopilot and it returns
the error code 0x80180014 as shown in the exhibit:
Event Tracing for Windows (ETW) logs may show the following error:

MDM Enroll: Server Returned Fault/Code/Subcode/Value=(DeviceNotSupported)
Fault/Reason/Text=(Enrollment blocked for AP device by SDM One Time Limit
Check)

To redeploy the device using Autopilot, you should:

• Delete the device record in Microsoft Intune.
• Redeploy the Autopilot deployment profile.

And in case Windows MDM (Mobile Device Management) is disabled, you should
enable the MDM enrollment.

Checking for missing or incorrect licenses assigned to User1 and checking in case
too many devices are enrolled for User1 are not the correct solutions in the given
scenario. These are some of the common issues with Intune enrollment. In such
issues, error code 0x80180018 is shown, not error code 0x80180014. Error code
0x80180014 typically returns the error page "Something went wrong”. This error
means that the MDM enrollment failed.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Troubleshoot Autopilot device import and enrollment | Microsoft Learn

Windows Autopilot troubleshooting overview | Microsoft Learn

Reddit > r/Intune > Update to Self-Deployment mode and Pre-Provisioning mode
experiences in Autopilot

Question 49:
Skipped
Verigon Corporation has configured Windows Intune for its Mobile Device
Management (MDM) solution. All Windows 10 devices are domain-joined and Azure
AD-registered. Verigon has Azure AD Premium. They want these corporate devices
to be automatically enrolled in Intune.

What would be a step in implementing this solution?

A) Configure an MFA (multi-factor authentication) registration policy

B) Configure Hybrid Azure AD join in Azure Active Directory Connect

C) Use the Windows Imaging and Configuration Designer (ICD) tool to
create a provisioning package

D) Configure MDM auto-discovery using an email address

E) Create a GPO to enable automatic MDM enrollment

(Correct)

Explanation
You will need to create a GPO to enable automatic MDM enrollment. This is the
Hybrid AD join method which is appropriate for this scenario. The GPO setting is a
computer policy under Administrative Templates > Windows Components > MDM.

You would not use the Windows Imaging and Configuration Designer (ICD) tool to
create a provisioning package. This tool would be used if you were doing a bulk
enrollment of computers, such as in a school setting, not automatic enrollment per
device.

You do not need to configure a multi-factor authentication (MFA) registration policy
to achieve the goals of this scenario.

You do not need to configure Hybrid Azure AD join in Azure Active Directory Connect.
The scenario indicates that the devices in question are already joined and Azure AD-
registered.

You will not need to configure MDM auto-discovery using an email address. With
Azure AD Join, the discovery URL is passed down to the device from Azure.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal -
Windows Client Management | Microsoft Learn

Step 5 – Enroll devices in Microsoft Intune | Microsoft Learn

Windows 10, Azure AD and Microsoft Intune: Automatic MDM enrollment powered
by the cloud! - Microsoft Community Hub

Question 50:
Skipped
Your organization has a hybrid Active Directory (AD) environment and a Microsoft
Intune subscription. Employees in your organization use workstations that run
Windows 11 and mobile devices that run Android 9.0. The mobile devices are fully
managed, dedicated, and corporate-owned work-profile devices.

As the year's end is approaching, you want the Android devices to block all
incoming system updates and security patches.

How should you configure the device restriction policy in Microsoft Intune?

A) Set Freeze periods for system updates under General settings.

(Correct)

B) Set the System update option to Maintenance window under User and
Accounts settings.

C) Set App auto-updates (work-profile level) to Never under Applications
settings.

D) Set the System update option to Postponed under Applications settings.

Explanation
You should set Freeze periods for system updates under General settings in the
device restriction policy. You would set this option after configuring the System
update setting with either Automatic, Postponed, or Maintenance
window under General settings. You have to provide the start date and end date to
set the duration for which updates should be frozen. This setting will block all
incoming system updates and security patches. When the device is outside the
configured freeze period, the device will automatically receive updates based on
your System update setting. You can freeze updates for a maximum of 90 days.

You would not configure the device restriction policy and set the System
update option to Postponed under Applications settings for blocking all incoming
system updates and security patches. This Postponed option along
with Automatic and Maintenance window options are under General settings,
not Applications settings. The Postponed option is used under System
update settings to postpone the updates for 30 days. Once this period is completed,
Android devices will prompt users to install the updates.
You would not configure the device restriction policy and set App auto-updates
(work-profile level) to Never under Applications settings for blocking all incoming
system updates and security patches. Using this setting, the device checks for app
updates daily.

You would not configure the device restriction policy and set the System
update option to Maintenance window under User and Accounts settings for
blocking all incoming system updates and security patches. This Maintenance
window option, along with the Automatic and Postponed options, is
under General settings, not User and Accounts settings. The Maintenance
window option is used to install updates on devices during the maintenance window
you provided using Microsoft Intune. You would use this option for dedicated
devices such as kiosks.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device updates for all supported device platforms by using Intune

References:

Corporate-owned Android Enterprise device restriction settings in Microsoft Intune |
Microsoft Learn

Question 51:
Skipped
As a security administrator for Verigon Corporation, you are responsible for the
security of Office 365 applications. You are considering Azure AD conditional
access policies based on many factors. Some users should access only specific
cloud apps from home, and others should only have access when in the home
office, for example.

What steps should be part of your planning process? (Choose all that apply.)


A) Create a test plan

(Correct)

B) Select all cloud apps

C) Define a response

(Correct)

D) Require Multi-Factor Authentication (MFA)

E) Define users and groups access condition

(Correct)

Explanation
You will want to define a response. A response specifies the action to take when a
condition is met, such as blocking or granting access based on a certain
requirement. A response is a required component of a conditional access policy.

You will need to define users and groups access conditions. In this scenario, one
condition would be when the users are in the home office location, for example.

You should create and implement a test plan. You need to ensure that your
conditional access policies are giving the expected results before you impact the
users.

You may choose to require Multi-Factor Authentication (MFA), but it is not a
requirement for a successful conditional access policy, nor is it asked for in this
scenario.

You would not select all cloud apps because the requirement here is that some
users should only have access to specific cloud applications.
Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

Plan an Azure Active Directory Conditional Access deployment - Microsoft Entra | Microsoft Learn

Conditions in Conditional Access policy - Azure Active Directory - Microsoft Entra | Microsoft Learn

Question 52:
Skipped
You are a system administrator for Nutex, Inc. Your organization has an on-
premises IT environment with 20,000 devices and workstations. All workstations
are running Windows 10.

You are planning to deploy Windows 11 on all the workstations. You have
completed the readiness assessment for all the workstations. You need to choose
the appropriate deployment scenario for Windows 11 deployment based on your
requirements.

Which of the following Microsoft-recommended deployment scenarios should you
choose?

A) Dynamic

B) Wipe and Load

C) Modern

(Correct)

D) Traditional
Explanation
You would choose the modern Windows deployment scenario. There are three
primary deployment scenarios, and each comes with specific tools or methods.

The modern deployment method is recommended by Microsoft for most
deployments. It is supported by existing tools such as the Microsoft Deployment
Toolkit (MDT) and Microsoft Endpoint Configuration Manager. Modern deployment
includes the following methods:

• Windows Autopilot – You can customize and deploy a new system with apps
and settings already configured.
• In-place upgrade – You can use Windows Setup to upgrade the existing OS
and migrate the previous apps and settings.

The dynamic deployment method enables you to configure applications and settings
for specific use cases, such as:

• Subscription Activation – You can switch from the Professional to the
Enterprise edition of Windows just by signing in.
• Azure Active Directory and Mobile Device Management (MDM) – You can
automatically join a device to Azure AD and enroll it in your management
solution, such as Intune, with no additional user interaction.
• Provisioning packages – You can use the Windows Imaging and
Configuration Designer tool to create provisioning packages, the collection of
apps, and settings for customized deployment, which can be deployed to all
the devices.

The traditional deployment method uses existing tools to deploy operating system
images on devices. You can use one of the following methods in a traditional
deployment:

• Bare metal – Deploy a new device or wipe an existing device and deploy it
with a fresh image.
• Refresh – Redeploy a device by saving the user state, wiping the disk,
installing the new OS and applications, and then restoring the user state. This
method is also called wipe and load.
• Replace – Replace an existing device with a new one after migrating the user
state from the old device to the new device.

Microsoft recommends the use of the modern deployment method unless you have
a specific need to use a different procedure.
Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment

References:

Windows 10 deployment scenarios (Windows 10) - Windows Deployment | Microsoft Learn

Windows Upgrade and Migration Considerations (Windows 10) - Windows Deployment | Microsoft Learn

Upgrade and migrate Windows clients - Training | Microsoft Learn

Question 53:
Skipped
The Nutex Corporation uses Windows Intune to enroll devices. Jane is the device
enrollment manager (DEM) in Intune. Joe has several devices that he needs to
enroll.

Which of the following is true? (Choose two.)

A) Joe can enroll up to 1,000 devices

B) Jane can enroll up to 1,000 devices

(Correct)

C) Jane can enroll up to 15 devices

D) Joe can enroll up to 15 devices

(Correct)

E) Jane can enroll up to 5 devices


F) Joe can enroll up to 5 devices

G) Jane can enroll up an unlimited number of devices


Explanation
A device enrollment manager (DEM) account can enroll up to 1,000 devices. Since
Jane is a DEM, she can enroll up to 1,000 devices.

A standard Intune user can enroll up to 15 devices, which is the highest value the
Intune device limit restriction allows. Joe can therefore enroll up to 15 devices.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Enroll devices using a device enrollment manager account - Microsoft Intune | Microsoft Learn

Understand Intune and Azure AD device limit restrictions - Microsoft Intune | Microsoft Learn

Question 54:
Skipped
You are your company's systems administrator. The network contains fifteen
Windows 11 computers in a workgroup.

A user named Tom recently left your company, and his user account was disabled.
Cathy has been hired as Tom's replacement. You need to ensure that Cathy has
access to all of the same resources that Tom accessed.

What should you do?

A) Run the User State Migration Tool (USMT) to migrate Tom's settings to
Cathy's profile.

B) Create a new user profile for Cathy, and copy the settings from Tom's
profile to Cathy's profile.

C) Change the name for Tom's user profile to Cathy, and re-enable the
profile.

(Correct)

D) Use scanstate and loadstate to migrate Tom's user profile settings to


Cathy's user profile.
Explanation
You should rename Tom's user account to Cathy and re-enable it. The account keeps
its security identifier (SID), so every access control entry that references it
still applies and Cathy gets exactly the access Tom had. Reset the password when
you re-enable the account so that Tom's old credential cannot be reused, and note
that renaming the account does not rename the profile folder (it typically stays
under C:\Users\Tom).

You should not create a new user account for Cathy and copy the settings from
Tom's profile. Resources are granted to Tom's SID, not to his name or his profile
settings; a new account receives a new SID and would have to be granted access to
every resource again.

You should not run USMT to migrate Tom's settings to Cathy's profile. USMT
migrates user state from one computer to another, not from one account to
another on the same computer.

You should not use scanstate and loadstate to migrate Tom's user profile settings
to Cathy's user profile. These are the USMT commands you use when you need to
migrate a user profile from one computer to another or from one operating system
version to another.

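An added example, not part of the original question, of performing the rename on one of the workgroup computers with the built-in LocalAccounts cmdlets. The account names come from the question; prompting for the new password interactively is an assumption.

```powershell
# Added example: rename the disabled local account, reset its password and re-enable it.
# Account names are taken from the question; the interactive password prompt is an assumption.
$before = Get-LocalUser -Name 'Tom'
$sid = $before.SID.Value

# Renaming keeps the SID, so every ACL entry that references it still grants access.
Rename-LocalUser -Name 'Tom' -NewName 'Cathy'

# Never hand over the departed user's password: set a new one while the account is still disabled.
$newPassword = Read-Host -AsSecureString -Prompt 'New password for Cathy'
Set-LocalUser -Name 'Cathy' -Password $newPassword -FullName 'Cathy'

Enable-LocalUser -Name 'Cathy'

# Verify: same SID, new name, account enabled.
$after = Get-LocalUser -Name 'Cathy'
if ($after.SID.Value -ne $sid -or -not $after.Enabled) {
    throw 'Account rename failed or the SID changed'
}
'{0} -> {1} (SID {2}, enabled: {3})' -f $before.Name, $after.Name, $after.SID.Value, $after.Enabled

# The profile folder is not renamed by this operation; it is still the folder created for Tom.
```

Run it from an elevated PowerShell session on each of the fifteen computers that hold resources Tom used; the SID check at the end is the proof that Cathy's access is identical to Tom's.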
Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft
Deployment Toolkit (MDT)

References:
GroovyPost > How to Change Your Account Name on Windows 10

Partition Wizard > How to Change Account Name in Windows 11 – the Top 4
Methods [Partition Magic]

Rename-LocalUser (Microsoft.PowerShell.LocalAccounts) - PowerShell | Microsoft Learn

Question 55:
Skipped
You have been managing the Nutex Corporation’s computers and mobile devices
using Intune for quite some time. You need an overview of the Windows 10
computer devices you have in use.

How might you be able to view the most recent Intune device inventory?

A) Use the Intune Data Warehouse with the Power BI Desktop App

B) Browse the list of enrolled devices in Intune using Devices > All devices
>

(Correct)

C) Use Microsoft Endpoint Manager (MeM) to see the Device Health reports

D) Use the Azure portal and Graph APIs to provide data reports

(Correct)

E) Use the Intune Compliance Data Warehouse Power BI App Online


Explanation
To view the most recent Intune device inventory you could browse the list of enrolled
devices in Intune using Devices > All devices >. This action will provide an up-to-the-
minute listing of the devices, although there is little filtering or customizing with this
view.

You could also use the Azure portal and Graph APIs to provide data reports. This
option provides the most flexibility but comes with the most complexity.

You could also view the device inventory, after a delay of up to 24 hours, using:

1. Microsoft Intune Data Warehouse with the Power BI Desktop App
2. Intune Compliance Data Warehouse Power BI App Online
3. Microsoft Endpoint Manager (MEM) to see the Device Health reports

The Microsoft Intune Data Warehouse with the Power BI Desktop App provides a
method to create reports.

The Intune Compliance Data Warehouse Power BI App Online provides a collection
of premade reports.

Using the Device Health reports will reveal enrolled devices but with little to no focus
on inventory, making it difficult to satisfy the needs of this scenario.

Because these three options delay their reporting for 24 hours, you will not be able to
report on the "most recent" inventory.

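An added example, not part of the original question, of the Graph API route: it pulls the live list of managed devices, filters it to Windows, and flags devices that have not synced recently. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account has consented to the read scope, and that the CSV path is acceptable.

```powershell
# Added example: read the current Windows device inventory from Intune through Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed, the account can consent to the
# read scope, and the output CSV path is writable.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       '?$select=deviceName,operatingSystem,osVersion,lastSyncDateTime,complianceState,enrolledDateTime'
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $devices += $page.value
    $uri = $page.'@odata.nextLink'   # Graph pages results; follow the link until it is empty
} while ($uri)

# Filter client-side to Windows devices, most recently synced first.
$windows = $devices |
    Where-Object { $_.operatingSystem -eq 'Windows' } |
    Sort-Object lastSyncDateTime -Descending |
    Select-Object deviceName, osVersion, complianceState, lastSyncDateTime, enrolledDateTime

$windows | Format-Table -AutoSize

# A device that has not checked in for a week is stale inventory, not "most recent" data.
$stale = $windows | Where-Object { $_.lastSyncDateTime -lt (Get-Date).AddDays(-7) }
'{0} Windows devices, {1} not synced in the last 7 days' -f @($windows).Count, @($stale).Count

$windows | Export-Csv -Path .\intune-windows-inventory.csv -NoTypeInformation
```

The lastSyncDateTime column is what distinguishes this from the data warehouse reports: it reflects the device's last check-in at the moment of the query rather than the previous day's snapshot.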
Objective:
Manage, maintain, and protect devices

Sub-Objective:
Monitor devices

References:

View device details with Microsoft Intune | Microsoft Learn

Use the Intune Data Warehouse - Microsoft Intune | Microsoft Learn

Intune Data Warehouse API - Microsoft Intune | Microsoft Learn

Connect to the Data Warehouse with Power BI - Microsoft Intune | Microsoft Learn
Question 56:
Skipped
You have recently joined the Nutex Corporation as the Microsoft 365 Administrator.
Nutex is a growing company in the e-commerce sector with over 100 employees
who use Windows 10 endpoints. The IT Administration team at Nutex has recently
deployed Microsoft 365 apps using the Microsoft 365 Apps admin center.

You are tasked with limiting the service data sent to Microsoft from the apps. You
plan to use the Cloud Policy service for Microsoft 365 to accomplish this.

Which of the following Cloud Policy settings must be tweaked?

A) In-product recommendations

B) Connected experiences

(Correct)

C) Essential services

D) Diagnostic data
Explanation
The connected experiences policy setting must be tweaked. Connected experiences
is a Microsoft 365 cloud functionality that analyzes your content and interaction with
Microsoft 365 apps to provide you with design recommendations, editing
suggestions, data insights, and similar features. The connected experiences policy
setting can be set to one of the following:
• Allow the use of connected experiences in Office that analyze the content
(Dictation, Editor, and so on)
• Allow the use of connected experiences in Office that download online
content (Insert objects, Templates, and so on)
• Allow the use of additional optional connected experiences in Office (Office
add-ins, Recent documents, and so on)
• Allow the use of connected experiences in Office (most of them available with
the other three settings).
None of the other options impact service data.

Diagnostic data is data that Microsoft collects to keep Office secure and up-to-date,
to detect, diagnose, and fix problems, and to make product improvements. Cloud
Policy settings for diagnostic data can be set to Required (minimum required data),
Optional (minimum required and some additional data), or Neither. Diagnostic
settings have no impact on service data sent by connected experiences
functionality.

In-product recommendations help users use Microsoft 365 features better. This is
not a policy setting.

Essential services is the mandatory service data related to the core functionality of
Microsoft 365 that is collected and sent to Microsoft, regardless of any other
privacy-related policy settings that you have configured. Some of the essential
services include Authentication, Licensing, and Telemetry. Essential services is not a
policy setting.

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Required service data for Office - Deploy Office | Microsoft Learn

Use policy settings to manage privacy controls for Microsoft 365 Apps for enterprise
- Deploy Office | Microsoft Learn

Essential services and connected experiences for Windows - Windows Privacy | Microsoft Learn

In-product recommendations in Office - Deploy Office | Microsoft Learn

Question 57:
Skipped
Verigon Corporation is transitioning from the traditional configuration manager
(SCCM) and local Active Directory (AD) to the new "modern" IT. They plan to
ultimately move to Intune and Azure AD. As a migration consultant, you have been
asked to suggest the next steps in this co-management goal. All laptops are
already running Windows 10 and Office 365.

What steps would you recommend to bridge the transition? (Choose all that apply.)

A) Enable co-management in Configuration Manager

(Correct)

B) Stop managing configuration policies through Group Policy

(Correct)

C) Deploy essential security updates using Windows Server Update Services (WSUS)

D) Use the Windows Update for Business Service component of Windows Analytics

(Correct)

E) Deploy corporate images using Autopilot

(Correct)

Explanation
You want to enable co-management in Configuration Manager, after which you can
transition workloads to Intune one at a time. Co-management attaches an existing
Configuration Manager deployment to the Microsoft 365 cloud, so that a device is
managed by both the Configuration Manager client and Intune (MDM) at the same time.

You will want to begin deploying corporate images using Autopilot. Autopilot can join
devices to Azure AD or AD via hybrid Azure AD join, can customize OOBE content,
and create as well as auto-assign device-to-configuration groups based on the
device’s profile.

You will want to use the Windows Update for Business Service component of
Windows Analytics to deploy and manage Windows updates.

You want to stop managing configuration policies through Group Policy and use the
policies in Intune instead. Microsoft's free MDM Migration Analysis Tool (MMAT)
compares the Group Policies applied to a target computer against a built-in list of
MDM policies; MMAT is no longer maintained, and the Group Policy analytics feature
in Intune now performs the same comparison.

You do not want to deploy essential security updates using Windows Server Update
Services (WSUS). You want to move to Windows Update for Business, which can be
configured from Intune and uses Delivery Optimization for peer-to-peer distribution
of update content.

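An added example, not part of the original question, that checks a device against the co-management prerequisites before the workload switch is flipped in Configuration Manager. The Azure AD join state comes from dsregcmd and the Configuration Manager client from its service; the registry check for an existing Intune enrollment is a heuristic this script assumes.

```powershell
# Added example: verify co-management prerequisites on a Windows device.
# dsregcmd /status and the CcmExec service are documented; the registry layout used to
# detect an Intune enrollment (ProviderID 'MS DM Server') is an assumption.
$result = [ordered]@{}

# 1. Azure AD / hybrid Azure AD join state from the "Key : Value" lines of dsregcmd /status
$dsreg = dsregcmd.exe /status
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'TenantName') {
    $line = $dsreg | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
    $result[$key] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'n/a' }
}

# 2. Configuration Manager client present and running (service CcmExec, "SMS Agent Host")
$ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
$result['CcmExec'] = if ($ccm) { $ccm.Status.ToString() } else { 'not installed' }

# 3. Existing MDM enrollment (assumption: Intune enrollments carry ProviderID 'MS DM Server')
$enrolled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }
$result['IntuneEnrolled'] = [bool]$enrolled

# Co-management needs (hybrid) Azure AD join plus a running ConfigMgr client. The Intune
# enrollment is performed by the client once co-management is enabled, so it is reported
# but not required here.
$ready = ($result['AzureAdJoined'] -eq 'YES') -and ($result['CcmExec'] -eq 'Running')
[pscustomobject]$result | Format-List
"Co-management ready: $ready"
```

A device that reports DomainJoined YES but AzureAdJoined NO is the usual blocker: fix hybrid Azure AD join (or move the device to Autopilot with Azure AD join) before enabling co-management, otherwise the client cannot enroll into Intune.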
Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Co-management for Windows devices - Configuration Manager | Microsoft Learn

Modern Windows 10 management strategies, using Configuration Manager and Microsoft Intune - YouTube

Enable co-management - Configuration Manager | Microsoft Learn

Question 58:
Skipped
The sales team at Nutex is using a new custom Line-of-Business (LOB) application.
They have found a bug that affects some very important sales issues. The software
development team has written an update to fix the bug and they want you to deploy
it using Intune.
What must the users do to receive the update?

A) The users must open the LOB app and find the update option in the
menus

B) The users should do nothing, as the update will automatically be applied

(Correct)

C) They must run Windows Update and select the LOB Update

D) They must download the update from Intune and install it manually
Explanation
The users should do nothing. Once you upload the fixed version of the LOB app to
Intune and it is assigned to the users' devices, Intune delivers and installs the
new version automatically; application updates published through Intune do not
need any user action.

They do not have to run Windows Update and select the LOB update. Windows Update
delivers operating system updates and, where configured, driver and Microsoft
product updates, but it plays no part in delivering an app that Intune deploys.

Users do not have to open the LOB app and find the update option in the menus. This
would certainly suffice if the app were written to deploy updates in this manner.
However, this is not the type of interaction that Intune uses as the question
indicates.

Users do not have to download the update from Intune and install it manually. This is
unnecessary as the update in Intune will apply automatically. As a matter of fact, the
user has NO say in whether this update applies or not. When indicated, the user WILL
receive this update automatically.

Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Windows 10/11 app deployment by using Microsoft Intune | Microsoft Learn

Question 59:
Skipped
You are an MDM administrator for the Verigon Corporation. You created several
application policies for your Azure AD-joined laptops over a month ago. You now
want to find out if users are being affected by these policies as well as the
compliance status of the machines.

Using Windows Intune app management, click on the tool that will allow you to
access this information.

A) 294,599,528,630

B) 294,301,528,327

(Correct)

C) 294,391,528,419

D) 294,645,528,671

E) 294,260,528,289
Explanation
You would choose the following:
You can use Apps > Monitor to verify the status of the app protection policies that
you have applied to users from the app protection pane in Intune.

All apps displays a list of all available apps.

Windows shows all available Windows apps.

App protection policies is where you create the policies, not monitor them.

App configuration policies is where you go to supply required settings for a
designated app.

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

How to monitor app protection policies - Microsoft Intune | Microsoft Learn

What is app management in Microsoft Intune? | Microsoft Learn

Question 60:
Skipped
Recently, Josh's computer was the source of a malware attack inside your
company. You are concerned about threats affecting other Windows 10 computers
in your company. You have the following script run on each computer after hours:

Start-MpScan -ScanType FullScan

You need to find the threats affecting the computers. Which cmdlet will retrieve the
history of threats that Microsoft Defender detected on a computer?

A) Get-MpThreat

(Correct)


B) Get-MpThreatDetection

C) Get-MpThreatCatalog

D) Get-MpPreference
Explanation
The Get-MpThreat cmdlet retrieves the history of threats that Microsoft Defender
detected on the computer. For example, the following command will find the history
of the threat on the local computer that has the ID 1953:

Get-MpThreat -ThreatID 1953

The Get-MpThreatCatalog cmdlet gets a list of all possible known threats based on
the signatures from the Microsoft Defender definitions catalog. The definitions
catalog contains references to all known threats that Microsoft Defender can
identify. The following command will display the virus signatures that have the
greatest severity level:

Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq 5} | Where-Object {$_.ThreatName -match "^Virus.*"} | Select-Object ThreatName | more

The Get-MpThreatDetection cmdlet finds active and past malware threats that
Microsoft Defender detected.

The Get-MpPreference cmdlet finds preferences for the Microsoft Defender scans
and updates.

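An added example, not part of the original question, that joins the detection records from Get-MpThreatDetection with the threat details from Get-MpThreat so that each hit on a computer is reported with its name, severity, and whether Defender remediated it. The severity labels follow the SeverityID values exposed by the Defender WMI provider; the report layout is this script's own choice.

```powershell
# Added example: build a per-computer threat report after the scheduled full scan.
# Severity labels map the Defender provider's SeverityID values; the column set is an assumption.
$severity = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }

# Get-MpThreat gives the catalogue view (name, severity, active?) keyed by ThreatID.
$threats = Get-MpThreat | Group-Object -Property ThreatID -AsHashTable -AsString

# Get-MpThreatDetection gives the event view (when, which process, which user, remediated?).
$report = Get-MpThreatDetection | ForEach-Object {
    $t = if ($threats) { $threats["$($_.ThreatID)"] | Select-Object -First 1 } else { $null }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Detected   = $_.InitialDetectionTime
        ThreatName = $t.ThreatName
        Severity   = $severity[[int]$t.SeverityID]
        Active     = $t.IsActive
        Executed   = $t.DidThreatExecute
        Remediated = $_.ActionSuccess
        Process    = $_.ProcessName
        User       = $_.DomainUser
        Resources  = ($_.Resources -join '; ')
    }
}

$report | Sort-Object Detected -Descending | Format-Table -AutoSize

# Anything still active, or that executed before Defender acted, needs a human to look at it.
$escalate = $report | Where-Object { $_.Active -or $_.Executed -or -not $_.Remediated }
"{0} detections, {1} need follow-up" -f @($report).Count, @($escalate).Count
```

To collect the same report from every computer that ran the scheduled scan, wrap the body in Invoke-Command with the computer list; the Computer column then lets you spot whether the threat that started on Josh's machine appears anywhere else.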
Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Get-MpThreat (Defender) | Microsoft Learn

How to use PowerShell to investigate Windows Defender's malware signature definitions database | TechRepublic
Set 2
Question 1:
Skipped
Your company has decided to transition to Office 365. You are using Microsoft
Endpoint Manager to deploy the designated applications. You must choose a
configuration settings format as indicated by the screenshot below. You want to use the
native interface of Microsoft Endpoint Manager to configure all of the required settings.

Which of the following options will achieve this objective?

A) Office Deployment Tool

B) Configuration Manager

C) XML data


D) Configuration Designer

(Correct)

Explanation
You would choose Configuration Designer, which is a configuration settings format option in
Microsoft Endpoint Manager. If you choose “Configuration Designer” for Configuration
Settings Format instead of “Enter XML data”, you will be able to modify options under the
following sections: Configure app suite, App suite information, and Properties.

You would not choose XML data, because that option bypasses the native interface:
instead of picking settings, you paste or import an Office Deployment Tool
configuration file under the Setting format drop-down box.

You would not choose Configuration Manager. Configuration Manager (formerly System
Center Configuration Manager) is the on-premises management product that deploys
applications to its own managed clients; it is not a settings format within the
Microsoft 365 Apps deployment wizard in Microsoft Endpoint Manager.

You would not choose the Office Deployment Tool (ODT). ODT is a command-line tool that
you can use to download and deploy Microsoft 365 apps to your client computers.

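An added example, not part of the original question, showing the kind of Office Deployment Tool configuration you would paste when you pick the XML option instead of Configuration Designer, and validating it before it is uploaded. The channel, edition, language, and excluded app are sample choices, not values from the question.

```powershell
# Added example: an ODT configuration for the "Enter XML data" format, validated before upload.
# Channel, edition, language and excluded app are sample choices, not from the question.
$odtXml = @'
<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <RemoveMSI />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
'@

# Malformed XML is rejected at upload time, but a wrong Product ID or edition is accepted
# and silently deploys the wrong suite, so check the values that matter before pasting.
$doc = [xml]$odtXml
$add = $doc.Configuration.Add
$product = $add.Product
if ($product.ID -ne 'O365ProPlusRetail') { throw "Unexpected product: $($product.ID)" }
if ($add.OfficeClientEdition -notin @('32', '64')) { throw "Invalid edition: $($add.OfficeClientEdition)" }
if ($doc.Configuration.Display.AcceptEULA -ne 'TRUE') { throw 'Silent install needs AcceptEULA="TRUE"' }

$languages = @($product.Language | ForEach-Object { $_.ID }) -join ', '
'Product {0}, {1}-bit, channel {2}, languages: {3}' -f $product.ID, $add.OfficeClientEdition, $add.Channel, $languages

$odtXml | Set-Content -Path .\configuration.xml -Encoding UTF8
# The same file drives a manual ODT run on a test machine: setup.exe /configure configuration.xml
```

Configuration Designer produces the equivalent settings through the portal form; the XML path is for when you need elements the form does not expose, and the validation step above is the check you lose by leaving the native interface.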
Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Add Microsoft 365 Apps to Windows 10/11 devices using Microsoft Intune | Microsoft Learn

Plan your enterprise deployment of Microsoft 365 Apps - Deploy Office | Microsoft Learn

Question 2:
Skipped
You are a system administrator for your organization. They have several Windows 11
devices that are enrolled in Microsoft Intune. You have recently pushed software
changes to several devices. However, the changes are not reflected under Devices in the
Microsoft Endpoint Manager admin center.

How often is the hardware and software inventory refreshed in Intune?

A) every 12 days

B) every 7 days

(Correct)

C) every 15 days

D) every 5 days
Explanation
Hardware and software inventory in Microsoft Intune is refreshed every seven days starting
from the date of enrollment. The Devices feature displays detailed information regarding the
devices you manage, including their hardware and installed apps. To view the device details,
you would follow these steps:
1. Log in to Microsoft Endpoint Manager admin center.
2. Select Devices > All devices and choose one of your listed devices.
3. Open the device’s details:
• Overview – displays the device name and lists key properties of the device.
• Use Properties to assign a device category you have created and change ownership of
the device to a personal or corporate device.
• Hardware includes details such as device ID, operating system and version, and
storage space.
• Discovered apps shows all the apps that Intune found installed on the device and the
app versions.
• Device compliance displays all assigned compliance policies and whether the device
is compliant or not.
• Device configuration displays all device configuration policies assigned to the device
and whether the policy succeeded or failed.
• App configuration lists the app configuration policies assigned to the device.
• Recovery keys shows available BitLocker keys found for the device.
• Managed apps displays all the managed apps that Intune has configured and
deployed to the device.

5, 12, and 15 days are not the correct number of days and, therefore, these answers are
incorrect.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Monitor devices

References:

View device details with Microsoft Intune | Microsoft Learn

Manage devices with Microsoft Intune | Microsoft Learn


Question 3:
Skipped
As a security administrator for Nutex Corporation, you want to implement the device
profiles of Windows Intune for greater control of your Windows 10 devices.

What Windows 10 settings can be configured with this method? (Choose all that apply.)

A) Wi-Fi

(Correct)

B) Device features

C) VPN

(Correct)

D) Certificates

(Correct)

E) Email

(Correct)

Explanation
You can use device profiles to control email. You can control ActiveSync without any setup
required by the user.

You can use device profiles to configure the startup of a VPN connection.

Certificates can be configured with device profiles, such as Simple Certificate Enrollment
Protocol (SCEP) and Public-Key Cryptography Standard (PKCS) certificates.

You can use device profiles to configure Wi-Fi network settings.

You cannot use device profiles to configure device features, as these settings are only found
on iOS and macOS devices.
Other device profile options include Administrative Templates, with various settings for
software, similar to Group Policy. Another is Device Restrictions, which would allow you to
control hardware, such as restricting the device camera.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Assign device profiles in Microsoft Intune | Microsoft Learn

Device features and settings in Microsoft Intune | Microsoft Learn

Question 4:
Skipped
You are a system administrator for Nutex Inc. Your organization has an Azure
subscription. There are 10,000 Windows 11 devices joined to Azure AD and 200 iOS
devices.

You need to do the following:

• Set a minimum password length and block simple passwords on the Windows
devices.
• Allow mobile users access to AirPrint printers on your network.

Which of the following settings should you configure in the configuration profiles?
(Choose all that apply.)

A) Device restriction profile

(Correct)

B) Microsoft Defender for Endpoint profile

C) Identity Protection (Windows) profile


D) Device features (macOS, iOS, iPadOS) profile

(Correct)

E) Endpoint Protection (macOS, Windows) profile


Explanation
You would create the device restriction profile and the device features (macOS, iOS, iPadOS)
profile to meet the requirements in the given scenario.

To create a configuration profile, you would log in to Microsoft Intune Admin Center and
choose Devices. Next, click Configuration profiles and click Create profile (as shown in
the image).

Choose the platform from the Select platform drop-down list. In the Profile section,
select Device restrictions from the drop-down list.
Alternately, you can click Templates and then Device restrictions.

Provide information in Basics and choose Next. In Configuration settings, choose the
platform for which to add detailed settings. In Assignments, specify the users or groups you
want to receive the profile. Click Review + Create, review your settings, and click Create.

In the same way that you created the device restriction, you would create a Device
features profile for iOS devices.

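An added example, not part of the original question, that creates the Windows device restriction profile through Microsoft Graph instead of the portal and assigns it in the same run. The password settings are the ones the question asks for; the group ID, profile name, and minimum length of 12 are placeholders, and the script assumes the Microsoft.Graph.Authentication module and consent to the configuration write scope.

```powershell
# Added example: create and assign a Windows password restriction profile via Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed, the account can consent to the
# write scope, and $groupId is the Azure AD group that contains the Windows 11 devices.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder group ID

$body = @{
    '@odata.type'         = '#microsoft.graph.windows10GeneralConfiguration'
    displayName           = 'Windows - password restrictions'
    description           = 'Require a password, minimum length 12, block simple passwords'
    passwordRequired      = $true
    passwordMinimumLength = 12        # placeholder; the question only asks for "a minimum length"
    passwordBlockSimple   = $true
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json) -ContentType 'application/json' -OutputType PSObject

# A profile with no assignment applies to nobody, so assign it immediately.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

'Created profile {0} ({1}) and assigned it to group {2}' -f $created.displayName, $created.id, $groupId
```

The AirPrint requirement for the iOS devices is a separate Device features profile for the iOS/iPadOS platform and is not covered by this Windows profile.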
There is no need to create an Endpoint Protection (macOS, Windows) configuration profile.
You would create an Endpoint Protection profile when you want to allow only macOS users
to install apps from the Mac App Store or to turn on Windows SmartScreen when apps run on
Windows 11 devices.

There is no need to create a Microsoft Defender for Endpoint configuration profile. Microsoft
Defender for Endpoint can be integrated with Microsoft Intune as a Mobile Threat Defense
solution. Microsoft Defender for Endpoint works with Android, iOS/iPad, Windows 10 and
later, and Windows Server 2008 R2 and later.

You would use the Identity Protection configuration profile to manage Windows Hello for
Business on devices in Microsoft Intune.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:

Create device profiles in Microsoft Intune | Microsoft Learn

Restrict devices features using policy in Microsoft Intune | Microsoft Learn

Use Microsoft Defender for Endpoint in Microsoft Intune | Microsoft Learn

Deploy policy for Windows Hello to groups of Windows 10 and Windows 11 devices in
Microsoft Intune | Microsoft Learn

Question 5:
Skipped
You are a system administrator for Verigon Corporation. Verigon has an Azure Active
Directory environment with 500 workstations running Windows 10 Enterprise. You
have been asked to upgrade the workstations to Windows 11 Enterprise and join the
workstations to Azure AD.

You should ensure that applications and settings installed on the users’ workstations
are retained and that the upgrade process requires minimal user intervention.

Which of the following would be the best solution?

A) Use Windows Deployment Service (WDS).

B) Create a provisioning package using Windows Configuration Designer.

(Correct)

C) Use the Windows Easy Transfer feature.

D) Use Microsoft Windows Autopilot.


Explanation
For the given scenario, you should create a provisioning package using Windows
Configuration Designer to upgrade from Windows 10 Enterprise to Windows 11 Enterprise.
It becomes easy for IT administrators to configure end-user devices without imaging using
Windows provisioning. Windows provisioning is best suited for small to medium-sized
deployments that range from ten to a few hundred. A provisioning package is a container for
a collection of configuration settings. Windows Configuration Designer is an app in the
Microsoft store.

You would not use Microsoft Windows Autopilot to upgrade from Windows 10 Enterprise to
Windows 11 Enterprise in the given scenario. Windows Autopilot uses various technologies
to set up and preconfigure new devices. It can be used to repurpose, recover, and reset
devices. Windows Autopilot helps IT administrators and reduces the time IT spends on
deploying, managing, and retiring devices. It also minimizes the amount of infrastructure
required to maintain the devices and maximizes ease of use for all types of end users.

You would not use Windows Deployment Service (WDS) to upgrade from Windows 10
Enterprise to Windows 11 Enterprise in the given scenario. With WDS, you can deploy the
Windows operating system over the network, which means you do not have to install the OS
directly from CD or DVD. This approach is best suited for fresh installations on new
workstations.

You would not use the Windows Easy Transfer feature to upgrade from Windows 10
Enterprise to Windows 11 Enterprise in the given scenario. Windows Easy Transfer is best
used for transferring files from one computer to another.

Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment

References:

Windows Upgrade and Migration Considerations (Windows 10) - Windows Deployment | Microsoft Learn

Provisioning packages overview - Configure Windows | Microsoft Learn

Install Windows Configuration Designer - Configure Windows | Microsoft Learn

Create a provisioning package (Windows 10/11) - Configure Windows | Microsoft Learn

Prepare for Windows 11 - What's new in Windows | Microsoft Learn

Overview of Windows Autopilot | Microsoft Learn


Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) - Windows
Deployment | Microsoft Learn

Question 6:
Skipped
You plan to manage several servers running Windows Server 2019 that are running
robotic software for a manufacturing environment in a separate subnet located on the
factory floor. The servers are not connected to the on-premises domain or to Azure
Active Directory.

You are installing Windows Admin Center on a Windows 11 device to manage the
subnet. The Windows 11 device is joined to Azure Active Directory.

You choose the following settings during the install:

What must you do next? (Choose three.)


A) Modify LMHOSTS

B) Select the Windows Admin Center Client certificate when prompted on the first launch

(Correct)

C) Create a firewall exception for the Background Intelligent Transfer Service (BITS)

D) Select the Azure Active Directory certificate for the Windows 11 computer when prompted on the first launch

E) Modify TrustedHosts

(Correct)

F) Create a firewall exception for the WinRM service

(Correct)

G) Select the Azure Active Directory certificate for the user running Windows Admin Center when prompted on the first launch
Explanation
You should do the following:
• Modify TrustedHosts
• Create a firewall exception for the WinRM service
• Select the Windows Admin Center Client certificate when prompted on the first
launch

In this scenario, the Windows Server 2019 servers that need to be managed are in a
workgroup, since they are not connected to the on-premises domain or Azure Active
Directory. Since the Allow Windows Admin Center to modify this machine's trusted
hosts settings option was NOT checked in the exhibit, you must modify the TrustedHosts
setting manually. TrustedHosts must be configured if you are working in a workgroup
environment or using the credentials of the local administrator in a domain.

You can modify TrustedHosts with the Set-Item cmdlet to configure the NetBIOS name, IP
address, or FQDN of the computers that you want to manage:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value '192.168.100.1,server06.nutex.com,server06'

You could also use wildcards to configure all computers as computers that need to be
managed:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*'

Both the Windows 11 computer and the Windows server must be running the WinRM service
to allow management from Windows Admin Center. If it is not running, you should
run Enable-PSRemoting from the PowerShell console on the machine where the service
should be enabled.

You must create an exception on the Windows Server’s firewall for the WinRM to allow
access from the Windows 11 computer. By default, the WinRM firewall exception for public
profiles allows access to remote computers on the same subnet. In this scenario, the servers
are in a different subnet on the manufacturing floor. You can run the following command on
the Windows 11 computer to create the firewall exception:

Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -RemoteAddress Any

You can run the following command on the Windows Servers to create the firewall
exception:

Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any
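As an added example that is not part of the original explanation, the following functions apply the same two settings in a scoped form: TrustedHosts receives only the three hosts named above instead of '*', and the public-profile WinRM rule on the servers is opened to the management workstation's subnet instead of Any. The subnet 10.10.20.0/24 and the function names are assumptions.

```powershell
# Added example, not from the original question. Run Set-ScopedTrustedHosts in an
# elevated session on the Windows 11 management workstation, and Set-ScopedWinRmRule
# locally on each Windows Server 2019 host (remoting is not open yet at that point).
# Assumption: the Windows 11 workstation sits in 10.10.20.0/24 (constructed value);
# the servers are the three hosts used in the TrustedHosts example above.

function Set-ScopedTrustedHosts {
    param(
        # Hosts from the question: an IP address, an FQDN and a NetBIOS name.
        [string[]]$ManagementHosts = @('192.168.100.1', 'server06.nutex.com', 'server06')
    )
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value      # empty string when nothing is configured

    if ($current -eq '*') {
        # '*' makes the WinRM client willing to send credentials to any host that answers,
        # so replace it outright rather than concatenating onto it.
        Set-Item -Path $path -Value ($ManagementHosts -join ',') -Force
    }
    else {
        $existing = if ($current) { $current -split ',' | ForEach-Object Trim } else { @() }
        $missing  = $ManagementHosts | Where-Object { $_ -notin $existing }
        if ($missing) {
            # -Concatenate appends to the existing list instead of overwriting it.
            Set-Item -Path $path -Value ($missing -join ',') -Concatenate -Force
        }
    }

    # The WinRM service must be running on the client side as well.
    if ((Get-Service -Name WinRM).Status -ne 'Running') {
        Enable-PSRemoting -Force -SkipNetworkProfileCheck
    }

    (Get-Item -Path $path).Value
}

function Set-ScopedWinRmRule {
    param([string]$ManagementSubnet = '10.10.20.0/24')   # constructed value

    if ((Get-Service -Name WinRM).Status -ne 'Running') {
        # Creates the listener and the WINRM-HTTP-In-TCP* rules if they are missing.
        Enable-PSRemoting -Force -SkipNetworkProfileCheck
    }

    # The public-profile rule allows only the local subnet by default. Widening it to the
    # management subnet is enough here; '-RemoteAddress Any' exposes port 5985 to every address.
    Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress $ManagementSubnet -Enabled True

    Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress
}

function Test-ManagementHosts {
    param([string[]]$ManagementHosts = @('192.168.100.1', 'server06.nutex.com', 'server06'))

    foreach ($h in $ManagementHosts) {
        try {
            # Test-WSMan negotiates with the listener without opening an interactive session.
            $null = Test-WSMan -ComputerName $h -ErrorAction Stop
            [pscustomobject]@{ Host = $h; WinRM = 'reachable' }
        }
        catch {
            [pscustomobject]@{ Host = $h; WinRM = "unreachable: $($_.Exception.Message)" }
        }
    }
}
```

Run Test-ManagementHosts from the workstation after both sides are configured; a host that is unreachable on 5985 usually means the server-side rule still allows only the local subnet.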

You should select the Windows Admin Center Client certificate on the first launch.
If you choose another certificate, whether for the current user account or computer account,
you will get the following error message:

“You are not authorized to view this page. If you recently updated Windows Admin Center,
you may need to restart your browser, and then refresh the page."

If this error occurs, restart the browser and choose the Windows Admin Center
Client certificate.

You should not modify the LMHOSTS file. This file is used by legacy Windows operating
systems for NetBIOS name resolution. It is not used by Windows Admin Center.

You should not create a firewall exception on the Windows Servers for the Background
Intelligent Transfer Service (BITS). This service uses idle network bandwidth to transfer
files. It is not used by Windows Admin Center.
Objective:
Deploy Windows client

Sub-Objective:
Configure remote management

References:

Windows Admin Center common troubleshooting steps | Microsoft Learn

Install Windows Admin Center | Microsoft Learn

Question 7:
Skipped
Dreamsuites Incorporated has adopted Microsoft Intune to manage access on their
Windows 10 devices. As a security administrator, you have been asked to prevent all
devices from using JavaScript on certain sites in Microsoft Edge. You begin your setup
by creating a device profile.

What options will you configure, at a minimum? (Choose all that apply.)

A) The Scope Tag property

B) The Platform property

(Correct)

C) The Settings property

D) The Device Configuration Setup property

E) The Profile Type property

(Correct)

Explanation
You will need to configure the Platform property. You can configure the following platforms
for your devices:
• Android
• Android enterprise
• iOS
• macOS
• Windows 10 and later
• Windows 8.1 and later

For this scenario, you would choose Windows 10 and later.

You will need to configure the Profile Type property. This list changes based on the platform
chosen.

You will not need to configure the Device Configuration Setup property. This property would
allow you to add a certificate authority, which is not indicated in the scenario. To create a
new profile, you would choose the Manage option of Device Configuration.

You will not need to configure the Settings property for this scenario. These settings relate to
usage of the device itself, such as connecting to the App Store or allowing Bluetooth
connectivity.

You will not need to configure the Scope Tag property for this scenario. Scope tags assign
and filter policies to specific groups.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Create device profiles in Microsoft Intune | Microsoft Learn

Assign device profiles in Microsoft Intune | Microsoft Learn

Question 8:
Skipped
You are a system administrator for Nutex Inc. Your organization has an Azure
environment that includes 20 Windows Server 2022 servers, 500 Windows 11 devices,
and 100 macOS devices.
You have created the antivirus profile for the macOS devices and configured Microsoft
Defender for Endpoint. Microsoft Defender is configured to share information with
Microsoft for any problem it detects. You want to disable this setting.

Which of the following settings should you disable for Microsoft Defender for
Endpoint?

A) Real-time protection

B) Automatic sample submission

C) Diagnostic data collection

D) Cloud-delivered protection

(Correct)

Explanation
In the scenario, you would disable the Cloud-delivered protection setting for Microsoft
Defender for Endpoint. By default, Microsoft Defender is configured to share information
with Microsoft for any problem it detects. Microsoft uses this information for researching and
analyzing the issues faced by customers and improving their offered solutions.
In the scenario, you would not disable the Real-time protection setting for Microsoft
Defender for Endpoint. Enabling the Real-time protection setting will identify and prevent
malware from installing or running on a device. By default, this setting is not configured.

In the scenario, you would not disable the Automatic sample submission setting for
Microsoft Defender for Endpoint. By enabling this, sample files are automatically sent to
Microsoft, which helps protect device users and your organization from potential threats. By
default, this setting is not configured.

In the scenario, you would not disable the Diagnostic data collection setting for Microsoft
Defender for Endpoint. By default, this setting is not configured. This setting helps you
configure how Microsoft shares your diagnostic and usage data.
Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune | Microsoft
Learn

Question 9:
Skipped
The Nutex Sales Application needs to be deployed to the sales users’ computers using
Intune. You plan to create a group named SalesUsers to assign the app to Intune.

How should you create the group to ensure that this deployment delivers the app to the
correct users with the least administrative effort?

A) Create an Intune assigned group and choose the users to be members manually

B) Create a dynamic device group in Intune and indicate the membership rule - device.department -eq "Sales"

C) Create a dynamic user group in Intune and specify the membership rule - user.department -eq "Sales"

(Correct)

D) Create an Azure Active Directory group and add the Sales users’
accounts as members
Explanation
You should create a dynamic user group in Intune and specify the membership rule -
user.department -eq "Sales". This will ensure that the Sales department users are granted
membership and thus will receive the assigned app for the installation.

You should not create an Intune assigned group and choose the users to be members
manually. Although this would suffice, it requires more administrative effort than using the
dynamic user group.

You should not create a dynamic device group in Intune and indicate the membership rule -
device.department -eq "Sales". This would not accomplish the requirement because
department is not a valid device attribute.

You should not create an Azure Active Directory group and add the Sales users' accounts as
members. This, too, would accomplish the requirement, but it requires more work than the
dynamic user group.

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Add groups to organize users and devices - Microsoft Intune | Microsoft Learn

Rules for dynamically populated groups membership - Azure AD - Microsoft Entra | Microsoft Learn

Question 10:
Skipped
As a Windows 10 administrator for Verigon Corporation, you have been tasked with
configuring a few hundred laptops purchased from several resellers. You have chosen to
use Windows Autopilot and Intune to simplify configuration. The laptops have not been
registered by the resellers. All Autopilot service prerequisites have been configured.

What is the first step in deploying these laptops?


A) At an administrative command prompt, run sysprep /generalize /oobe

B) Create an Autopilot device group

C) Connect each laptop to the Internet

D) Collect the hardware ID from each laptop

(Correct)

E) Enroll the laptops in Intune


Explanation
You must first collect the hardware ID from each laptop. You can do this with a script from
the PowerShell Gallery or use System Center Configuration Manager. You can use the
Get-WindowsAutoPilotInfo.ps1 script from the PowerShell Gallery and run it on each computer:

md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv

You must not connect each laptop to the Internet. This would cause the laptop to download
an empty profile that would have to be removed. Collect the hardware ID first.

You cannot enroll the laptops in Intune until you have a CSV file containing their hardware
IDs.

You will want to create an Autopilot device group, but this can only be done after you have
added the devices.

You would not, at an administrative command prompt, run sysprep /generalize /oobe. This
process would only be relevant to Autopilot when attempting to clear a stored profile.
Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Manually register devices with Windows Autopilot | Microsoft Learn

Overview of Windows Autopilot | Microsoft Learn

Question 11:
Skipped
You manage devices that run Windows 10 with Azure Active Directory Premium. You
need to enable two-factor authentication on the devices without the use of third-party
applications. Users already enter a user ID and password to log in to their devices.

What other factor(s) should you use? (Choose all that apply.)

A) Fingerprint recognition

(Correct)

B) Facial recognition

(Correct)

C) RSA keys

D) Retinal scan
Explanation
You should use fingerprint recognition or facial recognition. Both two-factor authentication
types are supported by Windows Hello for Business using Azure AD Premium. You can use
a user ID and password as the first authentication factor and a biometric recognition as a
second authentication factor.

If your device is joined to a domain, the device itself becomes one of the two factors required
for authentication.
You should not use a retinal scan or RSA keys. These options are not supported by Windows
10 or Azure AD Premium without a third-party application.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:

Windows Hello for Business Deployment Prerequisite Overview - Windows Security | Microsoft Learn

Windows Hello for Business Overview - Windows Security | Microsoft Learn

Microsoft Inside Track > Implementing strong user authentication with Windows Hello for
Business

Question 12:
Skipped
Your company has an Active Directory domain named nutex.com. All client computers in
the domain run Windows 10. You have a computer named wks1 in your department that is
having issues with a sound card. You create the following script on a share on a server to
retrieve information about the device:

Get-PnpDevice | Where-Object {$_.FriendlyName -like "Acme Sound*"}

On wks1 you run the following cmdlet:

Enable-PsRemoting -Force

You want Karen to run the script to retrieve information about the sound card from wks1. On
Karen’s computer, she will enter the following:

Enter-PSSession -ComputerName wks1.nutex.com -Credential Nutex\CarlSpackler

Invoke-Command -ComputerName wks1.nutex.com -FilePath \\server5\Scripts\MyScript.ps1

Using the principle of least privilege, which group membership on wks1 does Karen require
to run these commands?

A) Device Owners

B) Remote Management Users

(Correct)

C) Remote Desktop Users

D) Network Configuration Operators


Explanation
Karen needs to be a member of the Remote Management Users group. This group allows its
members to access WMI resources over the Windows Remote Management service and to run
remote PowerShell commands on the computers.

Karen does not need to be a member of Remote Desktop Users. Members of this group can
log on remotely, but group membership does not allow the users to run remote PowerShell
commands on the computers.

Karen does not need to be a member of Device Owners. Members of this group can change
system-wide settings, but group membership does not allow the users to run remote
PowerShell commands on the computers.

Karen does not need to be a member of Network Configuration Operators. Members of this
group can change network settings, but group membership does not allow the users to run
remote PowerShell commands on the computers.
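As an added example (not part of the original explanation), the following functions grant Karen the least-privilege membership discussed above and show why it is sufficient: the default PowerShell endpoint already lists Remote Management Users with AccessAllowed. The function names are assumptions; the account, computer and share path are the ones used in the question.

```powershell
# Added example, not from the original question. Run in an elevated session on wks1.
# Grants remote PowerShell access through the built-in Remote Management Users group
# only, with no local Administrators membership, and then verifies the configuration.

function Grant-RemoteManagement {
    param([string]$Account = 'Nutex\Karen')   # account named in the question

    $group   = 'Remote Management Users'
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    # -notin is case-insensitive, so 'NUTEX\Karen' from the group listing still matches.
    if ($Account -notin $members) {
        Add-LocalGroupMember -Group $group -Member $Account
    }

    Get-LocalGroupMember -Group $group | Select-Object Name, ObjectClass, PrincipalSource
}

function Get-RemotingPermission {
    # The SDDL of the default endpoint, rendered as text. Out of the box it contains
    # 'BUILTIN\Remote Management Users AccessAllowed'; Remote Desktop Users, Device Owners
    # and Network Configuration Operators are absent, which is why they do not suffice.
    (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
}

function Test-RemoteScriptRun {
    # Run from Karen's computer with her own credentials: -FilePath reads MyScript.ps1
    # from the share locally and sends its contents to wks1 for execution.
    param(
        [pscredential]$Credential = (Get-Credential -UserName 'Nutex\Karen' -Message 'Karen'),
        [string]$ScriptPath = '\\server5\Scripts\MyScript.ps1'
    )
    Invoke-Command -ComputerName 'wks1.nutex.com' -Credential $Credential -FilePath $ScriptPath
}
```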

Objective:
Deploy Windows client

Sub-Objective:
Configure remote management

References:

4sysops > Enable PowerShell remoting

How-To Geek > How to Run PowerShell Commands on Remote Computers

Running Remote Commands - PowerShell | Microsoft Learn

Invoke-Command (Microsoft.PowerShell.Core) - PowerShell | Microsoft Learn


Question 13:
Skipped
Nutex, Inc. has a hybrid Active Directory (AD) environment. All devices are Windows
operating system based. Microsoft Intune has been configured.

Below are the details for the devices that you want to enroll in Endpoint analytics via
Intune.

Which of the following devices can be enrolled in Endpoint analytics via Intune?
(Choose all that apply.)

A) DevicePC4

B) DevicePC3

(Correct)

C) DevicePC2

(Correct)

D) DevicePC1

E) DevicePC5
Explanation
In the given scenario, you would be able to enroll DevicePC2 and DevicePC3 in Endpoint
analytics via Intune. There are Intune, endpoint, licensing, and endpoint analytics
prerequisites for the enrollment.

Intune device requirements are:

• Running Windows 10 version 1903 or later
• Running Windows Pro, Pro Education, Enterprise, or Education editions
• Azure AD joined or hybrid Azure AD joined
• Running the Connected User Experiences and Telemetry service to send required
functional data to Microsoft public cloud

Workplace joined or Azure AD registered devices are not supported.

Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Endpoint
manager.

The Intune Service Administrator role is required to start gathering data for endpoint
analytics. After data-gathering begins, it can be viewed by read-only roles. The following
additional permissions are used for Endpoint analytics:

• The Azure AD Reports Reader role
• Read permission with the Help Desk Operator or Endpoint Security Manager Intune roles
• Specific role permissions:
  • For read-only users: Read permission under the Endpoint Analytics, Organization, or
  School Administrator categories
  • For Intune administrators: all permissions

You can onboard Intune-managed devices from the Endpoint analytics portal by visiting the
URL https://aka.ms/endpointanalytics.

You cannot enroll DevicePC1 and DevicePC4 devices to Endpoint analytics via Microsoft
Intune because they do not run Windows 10 version 1903 or later. You cannot enroll
DevicePC5 because it is not Azure AD joined or hybrid Azure AD joined.
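As an added example that is not part of the original explanation, the following function checks the Intune device requirements listed above on the local machine, so that a device like DevicePC1 (too old a version) or DevicePC5 (not Azure AD joined) is identified before onboarding. The function name, the build-to-EditionID mapping and the use of dsregcmd output are assumptions.

```powershell
# Added example, not from the original question. Evaluates the four Intune device
# requirements for Endpoint analytics on the local computer.
# Assumptions: build 18362 is Windows 10 version 1903; the qualifying editions map to
# the EditionID values Professional, ProfessionalEducation, Enterprise and Education;
# join state is read from 'dsregcmd /status'.

function Test-EndpointAnalyticsPrereqs {
    $minBuild  = 18362
    $editions  = 'Professional', 'ProfessionalEducation', 'Enterprise', 'Education'
    $build     = [System.Environment]::OSVersion.Version.Build
    $editionId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # dsregcmd prints lines such as 'AzureAdJoined : YES'. Hybrid join shows both
    # AzureAdJoined and DomainJoined as YES; WorkplaceJoined alone is Azure AD registered.
    $dsreg        = dsregcmd /status
    $azureJoined  = [bool]($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg | Select-String '^\s*DomainJoined\s*:\s*YES')
    $wpJoined     = [bool]($dsreg | Select-String '^\s*WorkplaceJoined\s*:\s*YES')

    $joinType = if ($azureJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                elseif ($azureJoined)                { 'Azure AD joined' }
                elseif ($wpJoined)                   { 'Azure AD registered (not supported)' }
                else                                 { 'Not joined (not supported)' }

    # DiagTrack is the Connected User Experiences and Telemetry service.
    $telemetry = (Get-Service -Name DiagTrack).Status -eq 'Running'

    $versionOk = $build -ge $minBuild
    $editionOk = $editionId -in $editions

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Build            = $build
        VersionOk        = $versionOk
        EditionID        = $editionId
        EditionOk        = $editionOk
        JoinType         = $joinType
        JoinOk           = $azureJoined
        TelemetryRunning = $telemetry
        Eligible         = $versionOk -and $editionOk -and $azureJoined -and $telemetry
    }
}
```

Running it with Invoke-Command against a list of computers gives one row per device, which is the same test the question asks you to perform from its table.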

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Monitor devices

References:

Quickstart - Enroll Intune devices - Microsoft Intune | Microsoft Learn


What is Endpoint analytics? - Microsoft Intune | Microsoft Learn

Question 14:
Skipped
You are a system administrator for Nutex Inc. Your organization has a hybrid Active
Directory (AD) environment with legacy servers, including Windows Server 2012 R2
and Windows Server 2016 servers, as well as newer servers running Windows Server
2019 and Windows Server 2022.

You want to use Microsoft Intune and Windows Autopilot to set up hybrid Azure AD-
joined devices. You are in the process of setting up an Intune connector for your AD
that will create Autopilot-enrolled computers in the on-premises AD domain.

What is the minimum required operating system for installing the Intune connector for
Active Directory?

A) Windows Server 2018 or later

B) Windows Server 2016 or later

(Correct)

C) Windows Server 2022 or later

D) Windows Server 2012 or later


Explanation
The Intune connector for your AD must be installed on a computer running Windows Server
2016 or later. Additionally, it must have .NET Framework version 4.7.2 or later and be able
to connect to the Internet and the AD.

You should install multiple Intune connectors in your environment to increase scale and
availability. Microsoft recommends installing them on servers that do not have other Intune
connectors.

You would install multiple Intune connectors if your environment has multiple domains. You
must create a service account to create computer objects in all of the domains. This service
account should have the following permissions:

• Logon as a service
• Member of the Domain Users group
• Member of the local Administrators group on the Windows server on which the Intune
Connector is installed

The Intune connector requires the same endpoint as Microsoft Intune.

To install Intune Connector, you would follow these steps:

1. Turn off Internet Explorer Enhanced Security Configuration.
2. Log into the Microsoft Intune admin center.
3. Navigate to Devices > Windows > Windows enrollment > Intune Connector for
Active Directory and click Add.
4. Download the Connector by following the instructions.
5. Execute the downloaded setup file ODJConnectorBootstrapper.exe and install the
connector.
6. When the setup is complete, click Configure Now.
7. Click Sign In.
8. Enter the credentials for a user with the Intune Administrator or Global Administrator
role.
9. Navigate to Devices > Windows > Windows enrollment > Intune Connector for
Active Directory, and verify that the connection status is Active.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:

Enrollment for hybrid Azure AD-joined devices - Windows Autopilot | Microsoft Learn

Question 15:
Skipped
You are a Microsoft Intune administrator for the Nutex Corporation. Nutex has its
Windows devices joined to Microsoft Azure Active Directory (Azure AD) and enrolled
in Microsoft Intune. Most Windows devices run Windows 11 Enterprise, but a few
computers run Windows 10 Pro.

You need to upgrade the Windows 10 Pro computers to Windows 11 Enterprise.


Several coworkers offer suggestions:
• Jeff suggests that you use subscription activation.
• Amy suggests that you use a device configuration profile.
• Michelle suggests upgrading the devices using the Microsoft Software Download
site.
• Stacy suggests you use a device compliance policy.

Which suggestion should you use to upgrade the Windows 10 Pro computers to
Windows 11 Enterprise with the least amount of effort?

A) Device compliance policy

B) Microsoft Software Download site

C) Subscription activation

D) Device configuration profile

(Correct)

Explanation
You should create a device configuration profile to upgrade the Windows 10 Pro computers
to Windows 11 Enterprise with the least amount of effort. A device configuration profile can
upgrade all computers that are enrolled in Microsoft Intune. You can create a device
configuration profile by selecting Devices > Configuration profiles > Create profile from the
Intune admin center. Choose Windows 10 and later as the value for the Platform
and Edition upgrade and mode switch as the name of the template, as shown in the exhibit:
You can configure the profile to upgrade many different editions and versions:
You can use the Microsoft Software Download site or create installation media from the
Microsoft Download site to upgrade from Windows 10 to Windows 11. However, you would
have to perform an upgrade manually on each computer.

You cannot use a subscription activation to upgrade from a different version of an operating
system from Windows 10 to Windows 11. You can use subscription activation to upgrade
from a different edition of the same version of an operating system. For example, you could
use subscription activation to upgrade from Windows 11 Pro edition to Windows 11
Enterprise edition or Windows 10 Pro edition to Windows 10 Enterprise edition.

You cannot use a device compliance policy to upgrade from Windows 10 Pro computers to
Windows 11 Enterprise. A device compliance policy sets the rules for a device to be
compliant based on device properties, device health, configuration, system security, and
Microsoft Defender.

Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment

References:

Upgrade Windows devices to Windows 10 or 11 Pro - Microsoft 365 Business Premium | Microsoft Learn

Upgrade Windows 10/11 edition or switch S mode in Microsoft Intune | Microsoft Learn

Device compliance policies in Microsoft Intune | Microsoft Learn

Question 16:
Skipped
You are a desktop admin for the Nutex Corporation.

The company would like you to implement several shared guest PCs in the corporate
lobby. The PCs will host a single application for guests to check in. You will be
converting existing domain-joined machines that run the latest version of Windows 10
to do so.

Which of the following methods should you use to achieve the objective without
reimaging the machines?

A) Use Windows Server Update Services to update the machines to version 1703.

B) Use Microsoft Endpoint Manager or another MDM solution to set up the kiosk configuration.

C) Enable kiosk mode from the Accounts Section of the Windows 10 settings.

(Correct)

D) Use Windows Deployment Services to configure the machines to Shared PC mode.
Explanation
You would choose to enable kiosk mode from the Accounts Section of the Windows 10
settings because this mode is ideal for this situation. Any Windows 10 computer with version
1703 or higher can enable kiosk mode within the local Windows 10 settings. A single-app
kiosk runs a single app above the lock screen by using the Assigned Access feature. The app
is launched automatically when the kiosk account signs in. The user at the kiosk cannot
access anything on the computer except the kiosk app. The User account control must be
turned on to run kiosk mode.

You would not choose to use Microsoft Endpoint Manager or another MDM solution to set
up the kiosk configuration. You cannot use an MDM solution to enable kiosk mode for
domain-joined machines. Microsoft Endpoint Manager and other MDM solutions can only
manage MDM-enrolled machines.

You would not choose to use Windows Server Update Services to update the machines to
version 1703. Although kiosk mode does require Windows 10 version 1703 or higher,
updating to version 1703 will not automatically enable kiosk mode; it must be specifically
configured.

You would not choose to use Windows Deployment Services (WDS) to configure the
machines to Shared PC mode. You cannot use WDS to configure Shared PC mode on the
machines without reimaging them.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Set up a single-app kiosk on Windows - Configure Windows | Microsoft Learn

How to Deploy a Windows 10 Custom Image with MDT | Askme4Tech

Question 17:
Skipped
You want to configure a Windows 10 computer named NutexLobbyPC, which is
connected to a 60-inch screen in the main lobby of the corporate headquarters. It should
only run the NutexAnnouncements application whenever the machine is turned on, and
it should not allow any other apps to be accessible.

What option will not accomplish this?

A) Use the Windows Settings app to configure Assigned Access

B) Use Mobile Device Management to set up a kiosk configuration

C) Execute Set-AssignedAccess -AppName NutexAnnouncements -UserName AAUser in PowerShell

D) Deploy the application to NutexLobbyPC using Group Policy

(Correct)

E) Use the kiosk wizard in Windows Configuration Designer


Explanation
Deploying the application to NutexLobbyPC using Group Policy will certainly get the app to
the correct machine, but it will not configure it to automatically run whenever the system
boots up nor keep other apps from running. Therefore, this is the correct answer. You can use
Group Policy to apply restrictions on the computer that is running one application in a kiosk.

Each of the other options will successfully be able to meet the requirements.

You can configure a single-app kiosk by using the Assigned Access feature, which runs a
single application above the lock screen. The user of the kiosk device can only access the app
and cannot do anything else on the kiosk device. To accomplish this, you would use Assigned
Access to set up a user account that is used to auto-login whenever the PC is turned on and to
auto-launch a specified app in full screen mode, thereby blocking access to any other
application.

You can also configure the Assigned Access feature via PowerShell. You can execute
Set-AssignedAccess -AppName NutexAnnouncements -UserName AAUser in PowerShell, where
AAUser is the Assigned Access user account.
You can also use the kiosk wizard in Windows Configuration Designer to configure a single
application kiosk. With the Windows Configuration Designer, you can add multiple
applications to make the kiosk a multiple application kiosk if need be.

You can also use Mobile Device Management to set up a kiosk configuration.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Set up a single-app kiosk on Windows - Configure Windows | Microsoft Learn

Guidelines for choosing an app for assigned access - Configure Windows | Microsoft Learn

Prepare a device for kiosk configuration on Windows 10/11 - Configure Windows | Microsoft
Learn

By using GPO alone, can I turn a Windows machine into kiosk mode? (spiceworks.com)

Question 18:
Skipped
The Nutex Corporation has a domain environment running on Windows Server 2019.
All workstations in the organization use Windows 11. You have recently moved to a
hybrid Azure Active Directory (Azure AD) environment and procured a Microsoft
Intune subscription.

You are configuring Windows Autopilot user-driven mode to join devices to an on-
premises AD domain. What should you do after the device has been registered with
Windows Autopilot?

A) Install the Intune Connector for Active Directory on a Windows 11 computer.

B) Create an Autopilot deployment profile specifying Hybrid Azure AD joined.

(Correct)

C) Install the Intune Connector for Active Directory on a Windows Server 2012 R2 or later computer.

D) Install the Intune Connector for Active Directory on a Ubuntu 20.04 or later computer.

E) Create an Autopilot deployment profile specifying Azure AD joined.


Explanation
In the given scenario, you should create an Autopilot deployment profile specifying Hybrid
Azure AD joined to join the devices to Azure AD.

In the Create Profile blade for user-driven mode, there is an option under Join to Azure AD
as named Hybrid Azure AD joined. You should select this option from the drop-down list
of options as shown in the exhibit.
Once you have created the Autopilot deployment profile, you should install the Intune
Connector for Active Directory on a computer running Windows Server 2016 or higher. The
Intune Connector for Active Directory communicates with your on-premises domain
controller during the Windows Autopilot process. The Intune Connector for Active Directory
does not run on a Linux based server such as Ubuntu or Red Hat.

You would not create an Autopilot deployment profile specifying Azure AD joined as the
method by which you would like to join devices to Azure AD. This scenario talks about a
hybrid environment. You should select the Azure AD joined method when you have only the
Azure AD environment.

You would not install the Intune Connector for Active Directory on a computer running
Windows 11. You should install the Intune Connector for Active Directory once you have
created an Autopilot deployment profile. However, the connector must be installed on a
computer running Windows Server 2016 or later, not on Windows 11 or any other client
operating system.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Overview of Windows Autopilot | Microsoft Learn

Enrollment for hybrid Azure AD-joined devices - Windows Autopilot | Microsoft Learn

Configure Autopilot profiles | Microsoft Learn

Windows Autopilot User-Driven Mode | Microsoft Learn


Question 19:
Skipped
You want to clear a company laptop to ensure that all data and user settings from the
previous user are removed but still manage it in Microsoft Intune for the next user.

What option should you use to accomplish this?

A) Wipe the device without selecting Retain enrollment state and user
account

B) Retire the device within Intune

C) Wipe the device selecting Retain enrollment state and user account

D) Use Fresh Start without selecting Retain user data on this device

(Correct)

E) Delete the device from Intune and re-enroll


Explanation
You should use Fresh Start without selecting Retain user data on this device. This will
allow the next user to have a completely clean out-of-the-box experience with no lingering
effects from the previous user. If you choose Fresh Start and select Retain user data on this
device, then the following will occur:
• Device will remain Azure AD-joined
• When an Azure AD-enabled user signs into the device, the device is enrolled into
mobile device management again
• The contents of the device user’s Home folder are retained.

You should not delete the device from Intune and re-enroll it. That only removes the device's
Intune record; it does not reset the laptop for the next user, and it is unnecessary given the
other options available.

You should not wipe the device with Retain enrollment state and user account selected.
That option keeps the user account, the user profile and user data on the computer, which is
not what the scenario requires.

You should not wipe the device without selecting Retain enrollment state and user account
either. That removes the user content, but it returns the device to its factory image, so
applications the OEM pre-installed come back.

The original question shows a chart of the Wipe action options (not reproduced here).

You should not retire the device within Intune. This action will remove the device from
Intune completely and that is not what our scenario requires.
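
The three actions compared in this explanation can be issued from PowerShell through Microsoft Graph, which makes the choice between Fresh Start, Wipe and Retire explicit in code. This is an added example, not code from the original question or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds an Intune role allowed to run remote actions, and that the laptop's Intune device name is NUTEX-LAPTOP-042 (a made-up name). The mapping of both wipe flags to the portal's single "Retain enrollment state and user account" checkbox is this example's reading of that option.

```powershell
# Added example, not part of the original question: issue the Intune device
# actions from the explanation through Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; the admin may run remote actions;
# the device name below is made up.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All'

$base       = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'
$deviceName = 'NUTEX-LAPTOP-042'

function Get-IntuneDeviceId {
    param([string]$Name)
    # Fail closed: a remote action aimed at the wrong device is not recoverable.
    $uri   = "${base}?`$filter=deviceName eq '$Name'&`$select=id,deviceName,operatingSystem"
    $found = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
    if ($found.Count -ne 1) { throw "Expected one device named '$Name', found $($found.Count)" }
    if ($found[0].operatingSystem -ne 'Windows') { throw 'Fresh Start applies to Windows devices only' }
    $found[0].id
}

$id = Get-IntuneDeviceId -Name $deviceName

# Fresh Start is the 'cleanWindowsDevice' action. keepUserData = $false is the
# 'Retain user data on this device' box left unchecked, as the answer requires.
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/cleanWindowsDevice" -Body @{ keepUserData = $false }

# The alternatives from the question, kept commented so the script performs
# only the action the scenario asks for:
#   Wipe with 'Retain enrollment state and user account' (both flags true is
#   this example's mapping of that checkbox):
#   Invoke-MgGraphRequest -Method POST -Uri "$base/$id/wipe" -Body @{ keepEnrollmentData = $true; keepUserData = $true }
#   Wipe to factory state, un-enrolling the device:
#   Invoke-MgGraphRequest -Method POST -Uri "$base/$id/wipe" -Body @{ keepEnrollmentData = $false; keepUserData = $false }
#   Retire, which removes company data and Intune management:
#   Invoke-MgGraphRequest -Method POST -Uri "$base/$id/retire"
```

The lookup deliberately throws when the device name is ambiguous or the device is not Windows; remote actions are fire-and-forget once accepted, so the check belongs before the POST.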

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Retire or wipe devices using Microsoft Intune | Microsoft Learn

Reset Windows 10 devices with Microsoft Intune | Microsoft Learn

Question 20:
Skipped
You are an enterprise admin for the Verigon Company.

You are preparing a PC refresh for 200 computers. You are configuring your MDT
server for a Lite Touch deployment strategy due to the large number of client machines
involved.

Which of the following types of repository should you use to distribute the necessary
setup files and scripts?

A) Create a web-based share in Azure blob storage.


B) Create a bootable image using MDT offline deployment media.

C) Create a configuration profile using Microsoft Endpoint Manager.

D) Create a deployment share on the MDT server.

(Correct)

Explanation
You would choose to create a deployment share on the MDT server. A deployment share is a
folder on the server that is shared and contains all the setup files and scripts needed for the
deployment solution. It is required for Lite Touch deployments.

You would not choose to create a bootable image using MDT offline deployment media.
Offline media is meant for small or disconnected environments where clients have no network
path to the MDT server; it packages a deployment share onto bootable media, so the share has
to exist first in any case.

You would not choose to create a configuration profile using Microsoft Endpoint Manager.
MDT is not an MDM and does not integrate with MDM solutions such as Microsoft Endpoint
Manager (Intune), so a configuration profile cannot distribute the MDT setup files and scripts.

You would not choose to create a web-based share in Azure blob storage because you cannot
use Azure blob storage to distribute files used in an MDT deployment.
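
The deployment share the answer describes can be created with the MDT PowerShell provider, and that is also the moment to give it a least-privilege share ACL: 200 clients need to read the setup files and scripts, but only the build team should be able to change them. This is an added example, not code from the original question or the MDT documentation. It assumes MDT is installed in its default path on a server named MDT01, that the share folder is D:\DeploymentShare, and that VERIGON\MDT_Build is the technician group and VERIGON\MDT_BA the read-only account Bootstrap.ini will connect with (all names made up).

```powershell
# Added example, not from the original question or MDT's documentation:
# create the Lite Touch deployment share and lock down its share ACL.
# Assumptions: default MDT install path; server, folder, group and account
# names are made up.
Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'

$path     = 'D:\DeploymentShare'
$share    = 'DeploymentShare$'        # trailing $ hides the share from browsing
$server   = 'MDT01'
$builders = 'VERIGON\MDT_Build'
$reader   = 'VERIGON\MDT_BA'

New-Item -Path $path -ItemType Directory -Force | Out-Null

# Share permissions: Change for the build group, Read for the client account,
# nothing for Everyone. A client that boots Lite Touch only needs to read.
New-SmbShare -Name $share -Path $path -ChangeAccess $builders -ReadAccess $reader | Out-Null

# Register the folder as an MDT deployment share and persist it so it appears
# in the Deployment Workbench.
New-PSDrive -Name 'DS001' -PSProvider 'MDTProvider' -Root $path `
    -Description 'Verigon Lite Touch Deployment Share' `
    -NetworkPath "\\$server\$share" | Add-MDTPersistentDrive

# Verify the resulting share ACL before building boot media.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight
```

After this, Control\Bootstrap.ini in the share carries DeployRoot plus the UserDomain, UserID and UserPassword of the read-only account, and Update-MDTDeploymentShare -Path 'DS001:' generates the Lite Touch boot images that point at the share.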

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft Deployment
Toolkit (MDT)

References:

Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) - Windows
Deployment | Microsoft Learn

Deploy a Windows 10 image using MDT (Windows 10) - Windows Deployment | Microsoft
Learn
Question 21:
Skipped
You have recently joined the Nutex Corporation as the Microsoft Intune Administrator.
The email accounts and apps on the employees’ mobile devices are managed from
Microsoft Intune. Some employees use Android Enterprise licenses. New hires do not
have their licenses yet. You are tasked with creating app configuration policies for all
employees.

Which of the following statements about implementing app configuration policies are
TRUE? (Choose all that apply.)

A) Auto-updates to apps is a setting that must be explicitly enabled in an app
configuration policy.

B) Only devices using Android 9.0 or higher are supported for management
using the Managed apps-type app configuration policy.

(Correct)

C) When new app permissions are added to an app, users are prompted to
provide consent for the permissions.

D) Configuration settings for a policy can be created using the configuration designer or
JSON.

(Correct)

Explanation
The following statements are true:
• Configuration settings for a policy can be created using the configuration designer or
JSON.
• Only devices using Android 9.0 or higher are supported for management using the
Managed apps type app configuration policy.

The configuration designer can be used to create configuration settings for a policy. Managed
Google Play apps that support configuration settings can be configured using the
configuration designer; otherwise, you must use the JSON Editor to enter the values.

You must run at least Android 9.0 to have apps managed in an app configuration policy. If
you want to manage devices that use a version prior to 9.0, you must enroll them in Intune
and use a Managed devices-type app configuration policy.

When new app permissions are added to an app, users are not prompted to provide consent
for the permissions. There are two settings for app permissions: Approval Settings at the time
of adding the app as a Managed Google Play app and Permissions at the time of setting the
app permissions in the app configuration policy. Approval Settings can be set to Keep
approved when the app requests new permissions (app usage is not disrupted) and Revoke
app approval when the app requests new permissions (app usage is disrupted). App
permissions are Prompt (ask user consent), Auto grant, and Auto deny.

You cannot enable auto-updates to apps in an app configuration policy. How an app is updated
depends on the type of app you added to Intune: store apps, web apps, and built-in Microsoft
apps are updated automatically. What you do need to do is review each update for new app
permissions and configuration settings, and adjust the app configuration policy if you want
to manage them.
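
The JSON route described above has a fixed shape (a Managed Google Play managedConfiguration document), and the permission decisions discussed in the same explanation are set on the same policy object. The following added example, which is not code from the original question or from Microsoft, creates a Managed devices app configuration policy for Outlook on Android Enterprise through Microsoft Graph. It assumes the Microsoft.Graph SDK with the DeviceManagementApps.ReadWrite.All scope, that Outlook (package com.microsoft.office.outlook) is already approved in Managed Google Play, and that the target group id is a placeholder. The configuration keys shown are the ones Outlook publishes for email profiles; the policy name is made up.

```powershell
# Added example, not from the original question: create an Android Enterprise
# app configuration policy from the same JSON the admin center's JSON editor
# accepts, with permission actions decided up front.
# Assumptions: Microsoft.Graph SDK; DeviceManagementApps.ReadWrite.All;
# Outlook approved in Managed Google Play; group id is a placeholder.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$g         = 'https://graph.microsoft.com/v1.0/deviceAppManagement'
$packageId = 'com.microsoft.office.outlook'

# Managed configuration exactly as the JSON editor expects it. Intune replaces
# the {{userprincipalname}} token per user when the policy is delivered.
$managedConfig = @{
    kind            = 'androidenterprise#managedConfiguration'
    productId       = "app:$packageId"
    managedProperty = @(
        @{ key = 'com.microsoft.outlook.EmailProfile.EmailAddress'; valueString = '{{userprincipalname}}' }
        @{ key = 'com.microsoft.outlook.EmailProfile.EmailUPN';     valueString = '{{userprincipalname}}' }
        @{ key = 'com.microsoft.outlook.EmailProfile.AccountType';  valueString = 'ModernAuth' }
    )
}
$payloadJson = [Convert]::ToBase64String(
    [Text.Encoding]::UTF8.GetBytes(($managedConfig | ConvertTo-Json -Depth 5)))

$policy = @{
    '@odata.type'        = '#microsoft.graph.androidManagedStoreAppConfiguration'
    displayName          = 'Outlook Android - email profile (added example)'
    packageId            = "app:$packageId"
    profileApplicability = 'default'
    payloadJson          = $payloadJson
    # Permission decisions: auto-grant what a mail client needs so the user is
    # never stuck on a prompt; the camera still prompts.
    permissionActions    = @(
        @{ permission = 'android.permission.READ_CONTACTS'; action = 'autoGrant' }
        @{ permission = 'android.permission.CAMERA';        action = 'prompt' }
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$g/mobileAppConfigurations" -Body $policy

# Nothing is delivered until the policy is assigned to a group.
Invoke-MgGraphRequest -Method POST -Uri "$g/mobileAppConfigurations/$($created.id)/assignments" -Body @{
    '@odata.type' = '#microsoft.graph.managedDeviceMobileAppConfigurationAssignment'
    target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = '00000000-0000-0000-0000-000000000000' }
}
```

Because the policy is keyed to the package id, it only takes effect on devices where the app itself has been deployed through an app assignment, which is the dependency the explanation calls out.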

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Add app configuration policies for managed Android Enterprise devices - Microsoft Intune |
Microsoft Learn

CodeTwo > Microsoft 365 & Exchange Admin's Blog > How to deploy and configure
Microsoft Outlook for Android via Intune: A complete guide

Add apps to Microsoft Intune | Microsoft Learn

Manage app permissions - Managed Google Play Help


Question 22:
Skipped
You have recently joined the Nutex Corporation as the Lead for their Remote Server
Administration team. Nutex uses a hybrid cloud with multiple private datacenters
across the globe and app development and management done from the Azure cloud.
You are to implement measures to remotely manage the datacenter servers, resources
on the Azure cloud, and employees’ laptops. You plan to implement Windows Admin
Center.

Which of the following statements about Windows Admin Center are TRUE? (Choose
all that apply.)

A) Microsoft recommends that you use either Microsoft Edge or Google Chrome when using
Windows Admin Center.

(Correct)

B) Windows Admin Center functionality can be extended using the Extensions feature.

(Correct)

C) Windows Admin Center can be installed on local Windows 10 devices and run in the
Gateway mode of administering Windows devices and VMs.

D) The Windows Admin Center client must be installed on the Windows 10 devices to manage
them from Windows Admin Center.

Explanation
The following statements are true:
• Microsoft recommends that you use either Microsoft Edge or Google Chrome when
using Windows Admin Center.
• Windows Admin Center functionality can be extended using the Extensions feature.

Windows Admin Center, first released in 2018, is built for modern browsers. Although
Microsoft expects all features to work on browsers such as Firefox, it strongly recommends
that you use the latest version of Microsoft Edge or Google Chrome for Windows Admin Center
operations.

Windows Admin Center integrates with selected other IT administration products and solutions
through the Extensions feature. Extensions are built using technologies such as HTML5, CSS,
Angular, TypeScript, and jQuery.

Windows Admin Center does not require a client on the devices it manages. It is a
browser-based tool that manages Windows servers, Windows 10 clients, and Azure Windows VMs
from a central console, and it reaches them remotely over WinRM (PowerShell remoting and
WMI) rather than through an installed agent. You add the servers, clients, and VMs as
"Connections" and select the type of resource (server, client, or VM). The one prerequisite
on a Windows 10 managed node is that PowerShell remoting is enabled.

Installing Windows Admin Center on a local Windows 10 device does not give you Gateway mode.
On Windows 10/11 it runs in desktop mode only: it is launched from the Start menu, opened in
the local browser, and is not exposed to other administrators. Gateway mode, in which a shared
Windows Admin Center gateway service serves the console to many administrators, requires
installing Windows Admin Center on Windows Server. In that mode the gateway is given a DNS
name and the enterprise firewall must allow access to it.
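
Since managed nodes carry no agent, the only work on a Windows 10 laptop is to make WinRM reachable, and the only work on the gateway side is to register the connections. The following is an added example, not code from the original question or from Microsoft; Enable-WacManagedNode is meant to run elevated on each laptop (for instance from a GPO startup script), the laptop names and the 'laptops' tag are made up, and the connection type identifiers follow the format of Windows Admin Center's connection import file.

```powershell
# Added example, not from the original question: prepare Windows 10 nodes for
# agentless management by Windows Admin Center and emit a connection list for
# the gateway's 'Add connections' import. Names and tag are made up.

function Enable-WacManagedNode {
    # WAC talks to managed nodes over WinRM, so remoting is all a Windows 10
    # node needs. -SkipNetworkProfileCheck avoids failing when an adapter sits
    # on a Public profile.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck

    # Keep the WinRM listener reachable on the domain profile only.
    Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -Enabled True -Profile Domain
    Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -Enabled False -ErrorAction SilentlyContinue

    # Prove the listener answers before the node is added in WAC.
    Test-WSMan -ErrorAction Stop | Select-Object ProductVendor, ProductVersion
}

function New-WacConnectionList {
    param(
        [Parameter(Mandatory)][string[]]$ClientNames,
        [Parameter(Mandatory)][string]$OutFile
    )
    # Header and type strings follow WAC's import CSV; windows-client is the
    # connection type for Windows 10/11 PCs.
    $rows = foreach ($name in $ClientNames) {
        [pscustomobject]@{
            name    = $name
            type    = 'msft.sme.connection-type.windows-client'
            tags    = 'laptops'
            groupId = ''
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    $rows
}

# On each laptop:            Enable-WacManagedNode
# On the admin workstation:  New-WacConnectionList -ClientNames 'NX-LT-0001','NX-LT-0002' -OutFile .\wac-laptops.csv
```

Enabling remoting by GPO rather than by hand also solves the ordering problem: you cannot use Invoke-Command to turn on the very listener it depends on.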

Objective:
Deploy Windows client

Sub-Objective:
Configure remote management

References:

Get started with Windows Admin Center | Microsoft Learn

Windows Admin Center frequently asked questions | Microsoft Learn

TechTarget > How to use Windows Admin Center to manage Windows 10

Network World > 10 features of Windows Admin Center to streamline server administration

What type of installation is right for you | Microsoft Learn

Understanding Windows Admin Center Extensions | Microsoft Learn

Windows Admin Center | Microsoft

Question 23:
Skipped
You are the project manager for a large scale PC refresh migration involving up to
5,000 machines. The machines will run Windows 10 Pro as well as Office applications.
One of the objectives of the project is to migrate existing user accounts, user files, and
application settings. The project has a tight deadline so you need to streamline the
process as much as possible.

Which of the following tools will achieve the stated objective?

A) Readiness Toolkit for Office add-ins and VBA

B) PCmover Express

C) Microsoft Deployment Toolkit

D) User State Migration Tool

(Correct)

Explanation
You would choose the User State Migration Tool. This tool is used to streamline and simplify
user state migrations during large deployments of Windows operating systems.

You would not choose PCmover Express. It can migrate user state, but it is aimed at moving a
handful of computers one at a time. PCmover Express is third-party software from Laplink that
is offered through Microsoft.

You would not choose the Readiness Toolkit for Office add-ins and VBA. It assesses the
compatibility of Office add-ins and VBA macros with newer Office releases; it does not
migrate user state.

You would not choose the Microsoft Deployment Toolkit on its own. MDT builds task sequences
that deploy Windows 10 images; a task sequence can call USMT to capture and restore user
state, but the migration itself is performed by USMT, which is the tool that achieves the
stated objective.
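
In a migration of this size USMT is driven per machine by a script or a task sequence, and because the store holds every user's documents and settings in transit it should be encrypted. The following capture and restore pair is an added example, not code from the original question or from Microsoft. It assumes the USMT folder from the Windows ADK was copied to C:\USMT\amd64, the migration store root is \\MIG01\MigData (a made-up server), the key file C:\USMT\migkey.txt exists on both the old and the new machine, and the account running the script can write to the store.

```powershell
# Added example, not from the original question: USMT capture on the old
# Windows 7 machine and restore on the new Windows 10 machine.
# Assumptions: USMT at C:\USMT\amd64, store root and key file as below
# (server name made up).
$usmt = 'C:\USMT\amd64'
$root = '\\MIG01\MigData'
$key  = 'C:\USMT\migkey.txt'
$logs = 'C:\USMT\Logs'
New-Item -Path $logs -ItemType Directory -Force | Out-Null

function Invoke-UsmtCapture {
    # Run on the outgoing machine. Switches: /o overwrite an existing store,
    # /c continue past non-fatal errors, /ue skip local (non-domain) accounts,
    # /uel:30 skip profiles not signed in during the last 30 days.
    param([string]$Store = "$root\$env:COMPUTERNAME")
    & "$usmt\ScanState.exe" $Store /o /c /v:5 `
        /i:"$usmt\MigApp.xml" /i:"$usmt\MigDocs.xml" `
        /ue:"$env:COMPUTERNAME\*" /uel:30 `
        /encrypt /keyfile:$key `
        /l:"$logs\scanstate.log" /progress:"$logs\scanstate-progress.log"
    if ($LASTEXITCODE -ne 0) { throw "ScanState failed with exit code $LASTEXITCODE" }
}

function Invoke-UsmtRestore {
    # Run on the new machine after Windows 10 and Office are installed.
    # /lac creates any local accounts found in the store, /lae enables them.
    param([string]$Store = "$root\$env:COMPUTERNAME")
    & "$usmt\LoadState.exe" $Store /c /v:5 `
        /i:"$usmt\MigApp.xml" /i:"$usmt\MigDocs.xml" `
        /lac /lae `
        /decrypt /keyfile:$key `
        /l:"$logs\loadstate.log" /progress:"$logs\loadstate-progress.log"
    if ($LASTEXITCODE -ne 0) { throw "LoadState failed with exit code $LASTEXITCODE" }
}

# Old machine:  Invoke-UsmtCapture
# New machine:  Invoke-UsmtRestore -Store "$root\OLD-PC-NAME"   # when the name changes
```

The store is keyed by computer name; if the new machine gets a different name, pass the old name explicitly to the restore step as shown in the last line.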

Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment
References:

User State Migration Tool (USMT) Overview (Windows 10) - Windows Deployment |
Microsoft Learn

Question 24:
Skipped
You are a network administrator for Verigon Corporation. You have been tasked with
monitoring the security of your domain-joined Windows 10 laptops.

What Microsoft products and/or services are designed to give you security information?
(Choose all that apply.)

A) Windows Defender Security Center Security – Device Performance and Health

B) Windows Defender Security Center Security – Device Security

(Correct)

C) Microsoft Intune – Security Baselines

(Correct)

D) Windows Analytics – Device Health

E) Mobile Threat Defense

F) Windows Autopilot
Explanation
You should choose:

Microsoft Intune – Security Baselines

Windows Defender Security Center Security – Device Security

Microsoft Intune – Security Baselines allows you to compare your devices to a security
standard based on Microsoft recommendations.

Windows Defender Security Center Security – Device Security (the Device security page of the
Windows Security app) shows security information: whether Secure Boot is enabled, whether
core isolation (memory integrity) is running, and the status of the TPM security processor.

Windows Defender Security Center Security – Device Performance and Health, by contrast, is a
health page rather than a security one. It reports on storage capacity, device drivers,
battery life, and apps and software, which helps with troubleshooting but says nothing about
the device's security posture. (The app as a whole was formerly named Windows Defender
Security Center and is now called Windows Security.)

Windows Analytics – Device Health was not a security monitoring solution: it identified device
crashes and misconfigurations. Windows Analytics was retired at the end of January 2020, so it
is no longer available.

Mobile Threat Defense is the Intune integration with third-party mobile threat defense
partners. Its focus is protecting iOS and Android devices from selected attacks, such as
man-in-the-middle, rather than reporting the security state of domain-joined Windows 10
laptops.

Windows Autopilot is used to deploy and pre-configure new devices, not monitor the security
of existing ones.
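
The signals the Device security page shows (Secure Boot, core isolation, TPM) and the Defender status it sits next to can be read from PowerShell, which lets you collect them across a fleet with Invoke-Command and compare them with the Intune security baseline report. The following is an added example, not code from the original question or from Microsoft; it assumes elevated PowerShell on a UEFI Windows 10/11 machine, and the thresholds in Test-DeviceSecurityState are this example's, not Microsoft's.

```powershell
# Added example, not from the original question: gather the device-security
# signals the Windows Security app displays and grade them.
# Assumptions: run elevated on Windows 10/11 with UEFI; thresholds are the
# example's own choices.
function Get-DeviceSecurityState {
    $mp = Get-MpComputerStatus                      # Defender AV state
    # Confirm-SecureBootUEFI throws on legacy BIOS; treat that as 'not enabled'.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    # Core isolation (memory integrity) reports as running service 2 in Win32_DeviceGuard.
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvci = @($dg.SecurityServicesRunning) -contains 2
    $tpm  = Get-Tpm
    $os   = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
        SecureBoot         = [bool]$secureBoot
        MemoryIntegrity    = $hvci
        TpmReady           = $tpm.TpmReady
        OsDriveProtection  = $os.ProtectionStatus
    }
}

function Test-DeviceSecurityState {
    param([Parameter(ValueFromPipeline)]$State)
    process {
        $findings = @()
        if (-not $State.RealTimeProtection)    { $findings += 'real-time protection off' }
        if ($State.SignatureAgeDays -gt 3)     { $findings += "signatures $($State.SignatureAgeDays) days old" }
        if (-not $State.SecureBoot)            { $findings += 'Secure Boot not enabled' }
        if (-not $State.MemoryIntegrity)       { $findings += 'memory integrity (core isolation) off' }
        if (-not $State.TpmReady)              { $findings += 'TPM not ready' }
        if ($State.OsDriveProtection -ne 'On') { $findings += 'OS drive not BitLocker protected' }
        [pscustomobject]@{
            ComputerName = $State.ComputerName
            Compliant    = ($findings.Count -eq 0)
            Findings     = ($findings -join '; ')
        }
    }
}

# Locally:           Get-DeviceSecurityState | Test-DeviceSecurityState
# Across a fleet:    Invoke-Command -ComputerName $laptops -ScriptBlock ${function:Get-DeviceSecurityState} | Test-DeviceSecurityState
```

The point of separating collection from grading is that the collected object can be shipped as-is into a SIEM or compared against the baseline's expected values, while the thresholds stay local and reviewable.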

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms
References:

How to check your device health on Windows 10 - Pureinfotech

Check the success or failure of security baselines in Microsoft Intune | Microsoft Learn

Learn about Windows security baselines you can deploy with Microsoft Intune | Microsoft
Learn

Question 25:
Skipped
You have recently joined the Nutex Corporation as the Microsoft Intune Administrator.
Microsoft Intune manages the email accounts and apps on the employees’ mobile
devices. Some employees use Android Enterprise licenses, while new hires do not have
these licenses. All mobile devices are managed by Intune.

After a new app was made available through a Managed Google Play account and an
app assignment, existing and new employees cannot find it on their mobile devices. You
are tasked with investigating the cause of the issue and recommending a suitable fix.

Which of the following are the probable causes of this issue? (Choose all that apply.)

A) App assignment is set to Uninstall.

(Correct)

B) App assignment is not yet configured for the new users.

(Correct)

C) App has new app permissions that are not yet configured as part of the
app configuration policy.

(Correct)


D) App assignment is set to Available for enrolled devices.

E) App assignment is set to Required.


Explanation
The following are the probable causes of this issue:
• App assignment is set to Uninstall.
• App assignment is not yet configured for the new users.
• App has new app permissions that are not yet configured as part of the app
configuration policy.

If the app has new app permissions that are not yet configured as part of the app
configuration policy, users may not be able to find it on their mobile devices. When an app is
added to Intune as a Managed Google Play app, the Approval Settings can be set to revoke the
app's approval when it requests new permissions. In that case the app is no longer shown in
the managed Play Store until it is re-approved: you revisit the app, review the new
permissions, and approve them.

If an app assignment is not yet configured for new users, they may not be able to find the app
on their mobile devices. The app assignment can be assigned to groups of users. In this
scenario, it is possible that the wrong group was targeted in the assignment. Apps are not
installed on devices and app configuration policies do not take effect without an app
assignment. A new app assignment must be created with the Available with or without
enrollment option for new users.

If an app assignment is set to Uninstall, users will not find the app installed on their mobile
devices. When this option is selected for an existing assignment, the app is uninstalled from
the devices in the selected groups if the existing assignment was used to install the app via an
“Available for enrolled devices” or “Required” option.

If an app assignment is set to Available for enrolled devices and the app assignment is set to
the correct group of users, the app will appear on a user’s mobile device. When an app
assignment is set to Available for enrolled devices, the Android device needs to be enrolled
in Intune, which is true in this scenario. The users’ devices will need to be enrolled in Intune
using Android Enterprise licenses, and the app must be assigned to new users, or a new app
assignment must be created with the Available with or without enrollment option for new
users.

If an app assignment is set to Required, the app will be automatically installed on all
enrolled devices of the users in the groups selected for app assignment. The users’ devices
will need to be enrolled in Intune using Android Enterprise licenses, and the app must be
assigned to new users.

The original question includes a table of the options available to assign apps to devices and
users (not reproduced here).
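
Every cause listed in this explanation is visible in the app's assignment records, so the fastest investigation is to dump them: a missing assignment, an Uninstall intent, an excluded group, or an Available intent that can never reach an unenrolled device all show up in one table. The following is an added example, not code from the original question or from Microsoft; it assumes the Microsoft.Graph SDK with the DeviceManagementApps.Read.All and Group.Read.All scopes, and the app display name is a placeholder.

```powershell
# Added example, not from the original question: list an Intune app's
# assignments with intent and resolved target.
# Assumptions: Microsoft.Graph SDK; read scopes below; app name is made up.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All', 'Group.Read.All'
$g = 'https://graph.microsoft.com/v1.0'

function Get-AppAssignmentReport {
    param([Parameter(Mandatory)][string]$DisplayName)
    $apps = @((Invoke-MgGraphRequest -Method GET `
        -Uri "$g/deviceAppManagement/mobileApps?`$filter=displayName eq '$DisplayName'").value)
    if (-not $apps) { throw "No app named '$DisplayName' in this tenant" }

    foreach ($app in $apps) {
        $assign = @((Invoke-MgGraphRequest -Method GET `
            -Uri "$g/deviceAppManagement/mobileApps/$($app.id)/assignments").value)
        if (-not $assign) {
            # Cause 'assignment not configured': the app will never appear.
            [pscustomobject]@{ App = $app.displayName; Type = $app.'@odata.type'; Intent = '(none)'; Target = 'no assignment' }
            continue
        }
        foreach ($a in $assign) {
            $t = $a.target
            $target = switch ($t.'@odata.type') {
                '#microsoft.graph.groupAssignmentTarget' {
                    'group ' + (Invoke-MgGraphRequest -Method GET -Uri "$g/groups/$($t.groupId)").displayName }
                '#microsoft.graph.exclusionGroupAssignmentTarget' { "EXCLUDED group $($t.groupId)" }
                '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'all licensed users' }
                '#microsoft.graph.allDevicesAssignmentTarget'       { 'all devices' }
                default                                             { $t.'@odata.type' }
            }
            # intent is one of: required, available, uninstall, availableWithoutEnrollment
            [pscustomobject]@{ App = $app.displayName; Type = $app.'@odata.type'; Intent = $a.intent; Target = $target }
        }
    }
}

Get-AppAssignmentReport -DisplayName 'Nutex Field App' | Format-Table -AutoSize
```

Reading the output against the scenario: an 'uninstall' row removes the app from that group, an 'available' row only serves enrolled devices, and the absence of any row for the new hires' group means they were never targeted.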
Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Assign apps to groups in Microsoft Intune | Microsoft Learn

CodeTwo > Microsoft 365 & Exchange Admin's Blog > How to deploy and configure
Microsoft Outlook for Android via Intune: A complete guide

Question 26:
Skipped
You are an enterprise admin for the Verigon Corporation. Your company promotes a
BYOD program for its employees so that they can work with their mobile device of
choice. Since these are personal devices, they cannot be enrolled in the company’s
MDM. You want to create a policy that will confirm a user’s identity when they access a
corporate app.

Which of the following options will achieve this objective?

A) Create an AppLocker policy using Group Policy and export it from the
GPO to deploy it using Microsoft Endpoint Manager.

B) Create an Intune app protection policy using Microsoft Endpoint Manager that requires an
Active Directory credential to open an app in a work context.


C) Create an Intune app protection policy using Mobile Application
Management that requires a PIN to open an app in a work context.

(Correct)

D) Create a compliance policy using Intune that requires alphanumeric passwords to unlock the
device.
Explanation
You would choose to create an Intune app protection policy using Mobile Application
Management that requires a PIN to open an app in a work context. Because these are personal
devices that cannot be enrolled in an MDM, you must use Mobile Application Management without
enrollment (MAM-WE): the app protection policy is applied to the app itself, and it can
require the user to enter a PIN before the application is used in a work context.

You would not choose to create an Intune app protection policy using Microsoft Endpoint
Manager that requires an Active Directory credential to open an app in a work context. App
protection policies are tied to the user's Azure AD work account and an app-level PIN; they
cannot require an on-premises Active Directory credential, and the MDM features of Microsoft
Endpoint Manager cannot be applied to devices that are not enrolled.

You would not choose to create a compliance policy using Intune that requires alphanumeric
passwords to unlock the device. Compliance policies are evaluated on enrolled devices, so they
cannot be applied to personal devices that are not enrolled with an MDM.

You would not choose to create an AppLocker policy using Group Policy and export it from the
GPO to deploy it using Microsoft Endpoint Manager. AppLocker only restricts which applications
can run on Windows; it does not confirm a user's identity, and it cannot be deployed to
unenrolled personal mobile devices.
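
The policy the correct answer describes is a MAM-WE app protection policy with access requirements (the PIN) and, since a PIN is only worth requiring if data cannot leave the app, data protection settings alongside it. The following creates one for iOS through Microsoft Graph; it is an added example, not code from the original question or from Microsoft, and it assumes the Microsoft.Graph SDK with the DeviceManagementApps.ReadWrite.All scope, Outlook's bundle id as the protected app, and a placeholder group id for the BYOD users.

```powershell
# Added example, not from the original question: MAM-WE app protection policy
# for iOS requiring a PIN in the work context, targeted at one app and one group.
# Assumptions: Microsoft.Graph SDK; DeviceManagementApps.ReadWrite.All;
# group id is a placeholder.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$g = 'https://graph.microsoft.com/v1.0/deviceAppManagement'

$policy = @{
    displayName = 'BYOD iOS - PIN for work apps (added example)'
    # Access requirements: the PIN confirms the user each time the app is opened
    # for work; 12 hours offline before re-checking access.
    pinRequired                       = $true
    pinCharacterSet                   = 'numeric'
    minimumPinLength                  = 6
    simplePinBlocked                  = $true
    maximumPinRetries                 = 5
    periodBeforePinReset              = 'P90D'
    periodOfflineBeforeAccessCheck    = 'PT12H'
    periodOfflineBeforeWipeIsEnforced = 'P30D'
    # Data protection: keep org data inside managed apps (Save-As, clipboard,
    # transfer, contacts, printing).
    saveAsBlocked                           = $true
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    contactSyncBlocked                      = $true
    printBlocked                            = $true
    # Conditional launch: block jailbroken devices.
    deviceComplianceRequired = $true
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$g/iosManagedAppProtections" -Body $policy

# Target the policy at Outlook ...
Invoke-MgGraphRequest -Method POST -Uri "$g/iosManagedAppProtections/$($created.id)/apps" -Body @{
    '@odata.type'       = '#microsoft.graph.managedMobileApp'
    mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                             bundleId      = 'com.microsoft.Office.Outlook' }
}
# ... and at the BYOD users group. Without this assignment the policy is inert.
Invoke-MgGraphRequest -Method POST -Uri "$g/iosManagedAppProtections/$($created.id)/assignments" -Body @{
    '@odata.type' = '#microsoft.graph.targetedManagedAppPolicyAssignment'
    target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = '00000000-0000-0000-0000-000000000000' }
}
```

Nothing in this policy touches the device: enrollment is never required, which is exactly why it is the option that works for unenrolled personal devices.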

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

App protection policies overview - Microsoft Intune | Microsoft Learn


Question 27:
Skipped
You are a system administrator for Nutex Inc. Your organization has a Microsoft
Defender for Endpoint subscription. All Windows devices in your environment are
onboarded to Microsoft Defender for Endpoint. You are configuring automated
investigation and remediation capabilities in Microsoft Defender for Endpoint.

Which of the following should you use to configure the automated investigation and
remediation capabilities?

A) Exploit protection

B) Device control

C) Device groups

(Correct)

D) Configuration policies
Explanation
You would use device groups to configure the automated investigation and remediation (AIR)
capabilities. Microsoft Defender for Endpoint lets you select the automation level and assign
it to a device group.

To set up a device group, you would follow these steps:

1. Sign in to the Microsoft 365 Defender portal.
2. On the Settings page, go to Endpoints > Permissions > Device groups.
3. Create at least one device group, give it a name and description, and set the automation
level in the Automation level list.

Note that Defender for Business sets the AIR level to full automation by default.

Configuration policies (app configuration policies) help organizations eliminate app setup
problems by auto-configuring apps when users install them on their devices. For apps with app
configuration policies, users do not need to take any action, which also reduces help desk
calls about app settings. They have nothing to do with AIR.
Device control is a profile type that can be used when configuring an attack surface reduction
(ASR) policy. Using this profile, you can control several settings, including:

• Allow hardware device installation by device identifiers


• Block hardware device installation by device identifiers
• Block write access to removable storage
• Scan removable drives during a full scan

Exploit protection is a profile type that can be used when configuring an ASR policy. Using
this profile, you can control the following settings:

• Upload XML
• Block users from editing the Exploit Guard protection interface

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Configure automated investigation and remediation capabilities | Microsoft Learn

Configure remediation for Microsoft Defender Antivirus detections | Microsoft Learn

Intune endpoint security Attack surface reduction settings | Microsoft Learn

Question 28:
Skipped
50 computers that run Windows 10 will be deployed to Azure Active Directory. These
computers will be joined to the Microsoft Azure Active Directory (Azure AD) domain
and enrolled in Microsoft Intune.

You must configure a device restriction policy for the 50 deployed computers in Azure
Active Directory. Which three settings should you configure in Device restrictions?
Click the exhibit to select the correct setting.

A) 3,96,341,137

B) 5,358,343,402

C) 4,403,345,445


D) 3,579,344,623

(Correct)

E) 1,139,343,180

F) 3,449,342,488

G) 4,184,342,224

H) 4,52,341,94

I) 1,533,344,580

J) 6,228,344,268

K) 4,316,343,359

L) 2,272,344,312

(Correct)

M) 6,491,340,530

(Correct)

Explanation
The original question includes a graphic of the Intune device restrictions profile (not
reproduced here). In this scenario, you should choose the following device restrictions:

• Microsoft Defender Antivirus settings


• Microsoft Defender Smart Screen settings
• Locked Screen experience settings

Microsoft Defender Antivirus settings allows you to scan all scripts loaded into Microsoft
Edge and enable real-time monitoring for malware, spyware, or other unwanted software and
scripts.

Microsoft Defender SmartScreen settings allow you to enable SmartScreen, which protects users
from potential phishing scams. It can also prevent users from going to known malicious sites
and from downloading unverified files.

Locked Screen experience settings allow you to prevent a user from interacting with Cortana
after the active user has stepped away from the device and the lock screen appears.

All other settings are incorrect:

App store settings allow apps installed from the Microsoft Store to be updated automatically.

Cloud and storage settings allow you to prevent end users from using a Microsoft account on
the device.
Cloud printer settings allow you to configure the printer discovery URL, the printer access
authority URL, and other settings.

Display settings allow you to enable GDI DPI scaling for applications that are not DPI aware.

Microsoft Edge Browser settings allow you to configure the browser such as running the
browser in kiosk mode, configuring the start experience, configuring the favorites,
configuring the default search engine, allowing InPrivate browsing, or configuring browser
history settings.

Windows Spotlight settings will disable Windows Spotlight on Windows Tips, Microsoft
consumer features, or on the locked screen.

Start settings allow you to override the Start menu layout.

Personalization settings allow you to configure a background picture URL for the desktop.

Password settings allow you to specify the minimum password length, number of sign-in
failures before wiping the device, and other password settings.

Network proxy settings allow you to detect proxy settings automatically or use a manual proxy server.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Device restriction settings for Windows 10/11 in Microsoft Intune | Microsoft Learn

Question 29:
Skipped
You are a security administrator for Verigon Inc. Your organization has a Microsoft
Intune subscription. You plan to implement an app configuration policy for a business-
critical app that employees use. The policy must enforce the following:
• Require a minimum password length of 8 characters.
• Enable data encryption.
• Restrict the app from accessing the device camera.

Which of the following are NOT methods used to implement an app configuration
policy in Microsoft Intune? (Choose all that apply.)


A) Configuration designer

B) JAMF Pro

(Correct)

C) JSON file

D) XML file

E) Mobile Application Management (MAM)

(Correct)

Explanation
Mobile Application Management (MAM) and JAMF Pro are not methods of entering settings into an
app configuration policy in Microsoft Intune. MAM is the Intune feature set under which app
protection and app configuration policies are delivered (with or without device enrollment),
not a settings format. Jamf Pro is a third-party Apple device management product, used for
example to onboard macOS devices to Microsoft Defender for Endpoint, and it plays no part in
authoring an Intune app configuration policy.

When configuring an app configuration policy using the Microsoft Intune admin center, you
would choose a configuration settings format and select one of the following methods to add
the configuration information:

• Configuration designer – The configuration designer is used for managed Google Play apps
when the app is designed to support configuration settings. You configure specific values for
the settings the app exposes, and they are applied to devices enrolled in Microsoft Intune.
• XML file – You can enter an XML property list (plist) that contains the app configuration
settings for iOS/iPadOS devices enrolled in Microsoft Intune.
• JSON file – Some configuration settings cannot be expressed with the configuration designer.
For those you use the JSON editor; the settings are applied automatically when the app is
installed. To do so:
    • For Configuration settings format, select Enter JSON data.
    • Define JSON values for the configuration settings in the editor. Click Download JSON
template to retrieve a file with sample code you can customize.
    • Click OK, and then Add.
Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Add app configuration policies for managed iOS/iPadOS devices - Microsoft Intune |
Microsoft Learn

Add app configuration policies for managed Android Enterprise devices - Microsoft Intune |
Microsoft Learn

Question 30:
Skipped
You have an Azure Active Directory (Azure AD) tenant named Nutex.com.

Nutex has purchased another company named Verigon Inc. Nutex plans to integrate the
assets of Verigon Inc into Nutex.com. Verigon Inc has an on-premises domain that uses
group policy object (GPO) settings to configure Office, Microsoft Edge, Firefox, and
Visual Studio for users and Windows 10 and 11 clients.

You must migrate the settings from Verigon’s GPOs into Intune and ensure they only
apply to specific IT groups.

Which three actions in the Microsoft Intune admin center should you perform in
sequence?

A) Create a conditional access policy

B) Assign a tag to filter by specific IT groups

(Correct)


C) Import the ADMX and ADML files

(Correct)

D) Create a compliance policy

E) Create a device configuration profile

(Correct)

F) Import the NTCONFIG.POL file


Explanation
You should do the following:
1. Import the ADMX and ADML files
2. Create a configuration profile
3. Assign a tag to filter by specific IT groups

ADMX and ADML files contain the policy definitions for Office, Microsoft Edge, and Visual
Studio, as well as for third-party apps and browsers such as Firefox. You can copy these files
from the central store of Verigon's Active Directory domain. The central store is a folder in
the SYSVOL share, replicated to every domain controller, at the following path:

\\verigon.com\SYSVOL\verigon.com\Policies\PolicyDefinitions

The ADMX files sit in that folder; the language-specific ADML files are in a subfolder named
for the language, such as en-US.

You would first add the ADMX files by importing them into the Microsoft Intune admin
center.
You should then specify your ADML file's language and the ADMX file's version.
You should create a device configuration profile using the imported files in the Microsoft
Intune admin center. You should choose Windows 10 and later as the platform and
choose Imported Administrative templates as the profile type.

Scope tags are optional. Assigning a scope tag to the configuration profile limits which
administrators can see and manage it: only Intune admins whose role assignment carries the
same tag, such as a Canada-IT-Department tag, will have access to the profile. The settings
themselves reach users and devices through the profile's group assignments.

You would not import the NTCONFIG.POL file. This file is used by Windows XP-based,
Microsoft Windows 2000-based, and Microsoft Windows Server 2003-based client
computers to configure system policies in a non-Active Directory environment. GPOs
configure system policies in an Active Directory environment. You cannot import .POL files
in the Microsoft Intune admin center.
You would not create a compliance policy. Compliance policies allow you to ensure that
users and devices meet certain health specifications. Compliance policies are based on
platforms such as Windows, iOS, and Android. You cannot import ADMX or ADML files
into a compliance policy.

You would not create a conditional access policy. Conditional access policies allow you to
enforce policies to users and devices by allowing access, blocking access, or requiring multi-
factor authentication. You cannot import ADMX or ADML files into a conditional access
policy.
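
The first step of the answer, importing the ADMX and its ADML, can be scripted straight from the central store, which matters when a migration involves dozens of template files. The following is an added example, not code from the original question or from Microsoft; it assumes the Microsoft.Graph SDK with the DeviceManagementConfiguration.ReadWrite.All scope, that the groupPolicyUploadedDefinitionFiles endpoint is used from the beta API, that firefox.admx is the file being imported (an example choice), and that any ADMX the file depends on (such as Windows.admx) has already been imported, since Intune rejects a template whose dependency is missing. The status values polled at the end are those of the beta reference as understood here.

```powershell
# Added example, not from the original question: read an ADMX and its en-US
# ADML from the SYSVOL central store and import them into Intune (beta API).
# Assumptions: Microsoft.Graph SDK; DeviceManagementConfiguration.ReadWrite.All;
# dependencies such as Windows.admx already imported.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$store = '\\verigon.com\SYSVOL\verigon.com\Policies\PolicyDefinitions'
$admx  = 'firefox.admx'
$lang  = 'en-US'
$uri   = 'https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles'

function ConvertTo-Base64File([string]$Path) {
    # Intune wants the raw file bytes base64-encoded, not the XML as text.
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}

$adml = [IO.Path]::ChangeExtension($admx, 'adml')
$body = @{
    fileName            = $admx
    defaultLanguageCode = $lang
    content             = ConvertTo-Base64File (Join-Path $store $admx)
    groupPolicyUploadedLanguageFiles = @(
        @{
            fileName     = $adml
            languageCode = $lang
            content      = ConvertTo-Base64File (Join-Path $store "$lang\$adml")
        }
    )
}
$upload = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body

# The import is asynchronous; poll until it leaves 'uploadInProgress' so a
# failed dependency check is caught here rather than later in the portal.
do {
    Start-Sleep -Seconds 10
    $state = (Invoke-MgGraphRequest -Method GET -Uri "$uri/$($upload.id)").status
} while ($state -eq 'uploadInProgress')
"$admx import status: $state"
```

Once the status is available, the file appears under Imported Administrative templates in the admin center and the configuration profile from step 2 can be built on it.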

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Import custom and third party partner ADMX templates in Microsoft Intune | Microsoft
Learn

Question 31:
Skipped
You are a system administrator for Verigon Inc. Your organization has an Azure
environment that includes 20 Windows Server 2022 and 1,000 Windows 11 devices.

You plan to configure an attack surface reduction (ASR) policy for the following
requirements:

• Block users from ignoring Windows SmartScreen warnings.


• Block credential-stealing from the Windows local security authority subsystem
(lsass.exe).

To meet the above requirements, which profile types should you use while configuring
the ASR policy? (Choose all that apply.)

A) App and browser isolation


B) Attack surface reduction rules

(Correct)

C) Application control

(Correct)

D) Exploit protection

E) Device control

F) Web protection
Explanation
In the given scenario, you would use the application control and attack surface reduction
rules profiles when configuring an ASR policy. The attack surface reduction rules profile
contains the rule that blocks credential stealing from the Windows local security authority
subsystem (lsass.exe). The application control profile contains the setting that blocks users
from ignoring Windows SmartScreen warnings, so both profiles are needed to meet both
requirements.
The following profile types are supported in Windows 10 and later:

• App and browser isolation – Using this profile, you can control the following settings:
    • Turn on Microsoft Defender Application Guard, and what Application Guard may allow:
        • print to PDF, XPS, and local or network printers
        • text or image copy
        • cameras and microphones
        • use of Root Certificate Authorities from the user's device
    • Windows network isolation policy
• Application control – Using this profile, you can configure the following Microsoft
Defender Application Control settings:
    • AppLocker application control
    • Block users from ignoring SmartScreen warnings
    • Turn on Windows SmartScreen
• Device control – Using this profile, you can control several settings, including:
    • Allow hardware device installation by device identifiers
    • Block hardware device installation by device identifiers
    • Block write access to removable storage
    • Scan removable drives during a full scan
• Exploit protection – Using this profile, you can control the following settings:
    • Upload XML
    • Block users from editing the Exploit Guard protection interface
• Web protection (Microsoft Edge Legacy) – Using this profile, you can control the
following settings:
    • Enable network protection
    • Require SmartScreen for Microsoft Edge
    • Block malicious site access
    • Block unverified file download

The following profile types are supported in Windows 10 and later (ConfigMgr):

• Exploit protection
• Web protection

The following profile types are supported in Windows 10, Windows 11, and Windows
Server.

• Attack surface reduction rules – Using this profile, you can control several settings,
including:
• Block persistence through Windows Management Instrumentation (WMI)
event subscription
• Block credential-stealing from the Windows local security authority
subsystem (lsass.exe)
• Block Adobe Reader from creating child processes
• Block Office applications from injecting code into other processes
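
Once the ASR policy has been assigned, a practitioner wants to confirm that the rules and the SmartScreen lockdown actually took effect on a client. The following script is an added example, not part of the original question bank: it reads the effective ASR rule state with Get-MpPreference (using the documented Microsoft Defender rule GUIDs for the rules listed above) and reads the SmartScreen policy values that the "Turn on Windows SmartScreen" and "Block users from ignoring SmartScreen warnings" settings write. The local Enable-LsassAsrRuleLocally helper is for testing on one device only; the Intune profile re-asserts its own value at the next sync.

```powershell
# Added example (not from the original question bank): check the effective ASR rule and
# SmartScreen state on a Windows 10/11 device after the Intune ASR policy has applied.
# Run in an elevated PowerShell session on the client.

# Documented Microsoft Defender ASR rule GUIDs for the rules named in the explanation above.
$AsrRules = [ordered]@{
    'Block credential stealing from LSASS (lsass.exe)'     = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block persistence through WMI event subscription'     = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block Adobe Reader from creating child processes'     = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block Office apps from injecting code into processes' = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
}

# Action codes reported by Get-MpPreference in AttackSurfaceReductionRules_Actions.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns one row per rule in $AsrRules with the action currently in force on this device.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($rule in $AsrRules.GetEnumerator()) {
        $action = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $rule.Value) {          # GUID casing varies between sources
                $code   = [int]$actions[$i]
                $action = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown ($code)" }
                break
            }
        }
        [pscustomobject]@{ Rule = $rule.Key; Id = $rule.Value; Action = $action }
    }
}

function Get-SmartScreenState {
    # Reads the policy values behind "Turn on Windows SmartScreen" (EnableSmartScreen = 1)
    # and "Block users from ignoring SmartScreen warnings" (ShellSmartScreenLevel = Block).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SmartScreenEnabled = ($p.EnableSmartScreen -eq 1)
        BypassBlocked      = ($p.ShellSmartScreenLevel -eq 'Block')
    }
}

function Enable-LsassAsrRuleLocally {
    # Local test only: the Intune profile re-asserts its own value at the next policy sync.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules['Block credential stealing from LSASS (lsass.exe)'] `
                     -AttackSurfaceReductionRules_Actions Enabled
}

Get-AsrRuleState     | Format-Table -AutoSize
Get-SmartScreenState | Format-List
```

A rule that shows Audit rather than Block means the profile was deployed in audit mode; check Event Viewer under Microsoft-Windows-Windows Defender/Operational (event IDs 1121 for blocked and 1122 for audited ASR events) before switching it to Block on the Windows Server 2022 hosts, where LSASS access by legitimate agents is more common.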

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Intune endpoint security Attack surface reduction settings | Microsoft Learn

Question 32:
Skipped
A recent audit of the help desk showed that 40% of help desk personnel time was spent
dealing with password issues from employees. After implementing smart card readers
with employee computers that run Windows 7, your company has decided to replace all
the old computers with new computers that run Windows 10. Your company has
decided to implement Windows Hello on all the company's Windows 10 computers. All
the new computers are equipped with a 3D camera.
One of the computers used by an employee, Jack Smith, was stolen by his twin brother
who works for a rival company. Jack's twin brother was able to easily access all files on
the computer.

You must implement a plan to ensure a data theft like this will not happen again. The
solution should cost as little money as possible since the budget has already been
exhausted. You also must ensure that users do not have to memorize any passwords or
keys. What should you recommend?

A) Add HD audio microphones to all Windows 10 computers or use the existing microphone on all Windows 10 computers to create a voiceprint.

B) Add a smart card reader to all Windows 10 computers, and configure Group Policy to ensure that employees must use the smart card to log in.

C) Require the employees to set up Windows Hello again and configure the options under Improve recognition.

(Correct)

D) Add a chemical biometric device to all Windows 10 computers, and require the employees to set up Windows Hello again with a DNA print.

E) Use the existing microphones on all Windows 10 computers and require the employees to set up Windows Hello again with a voiceprint.

F) Add fingerprint scanners to all Windows 10 computers, and require the employees to set up Windows Hello again with a fingerprint.
Explanation
The most cost-effective option is to require the employees to set up Windows Hello again and configure the options under Improve recognition. Microsoft introduced Windows Hello, a biometric sign-in feature, in Windows 10; its facial-recognition option has been shown in field tests to distinguish between identical twins. To ensure that one twin cannot sign in with the other twin's face, have users re-enroll their faces and configure the options under the Improve recognition setting. This uses the 3D cameras the new computers already have, so nothing needs to be purchased.

You should not add fingerprint scanners to all Windows 10 computers and require the employees to set up Windows Hello again with a fingerprint. Windows Hello supports fingerprint authentication, facial recognition, and iris recognition, but one of the requirements in this scenario was that you should not make additional purchases because of the budget.

You cannot add a chemical biometric device to a Windows 10 computer. Although these
biometric devices can provide a DNA print that would be unique to a user, the devices are not
currently supported by Windows 10 and would require an extra expense.

You should not add HD audio microphones to all Windows 10 computers or use the existing
microphone on all Windows 10 computers to create a voiceprint. Windows Hello does not
support voiceprints as an authentication method.

You should not add a smart card reader to all Windows 10 computers, and configure Group
Policy to ensure that employees must use the smart card to log in. Although you do not have
to purchase smart card readers because you used them with the old Windows 7 computers,
the use of smart cards will require the user to know a PIN to log on. One of the requirements
was that you would not require users to remember a password or possess a key.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:
Windows Hello for Business Overview - Windows Security | Microsoft Learn

How To: Configure Windows Hello in Windows 10

Windows Security: Defender, Antivirus & More for Windows 11 | Microsoft

Windows sign-in options and account protection - Microsoft Support

Question 33:
Skipped
You have computers that run Windows 10 Cloud. The computers are joined to
Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune. You
need to perform the following:
• Upgrade the computers to Windows 10 Enterprise
• Create a WiFi profile
• Block JavaScript on certain sites in Microsoft Edge

What should you configure in Intune?

A) A device cleanup rule

B) A device compliance policy

C) A device enrollment policy

D) A device configuration profile

(Correct)

Explanation
You should set a device configuration profile. A device configuration profile allows you to
do the following:
• Perform edition upgrades, such as going from the Cloud edition to the Enterprise
Edition or going from the Pro Edition to the Enterprise edition
• Manage software updates, including when the updates are installed
• Allow or prevent access to Bluetooth on the device
• Set up a VPN or WiFi profile
• Use a profile template that blocks JavaScript on certain sites in Microsoft Edge.
You should not configure a device enrollment policy. A device enrollment policy specifies how a device can be enrolled. You can use a device enrollment policy to restrict devices from enrolling by platform, such as Android, Windows, or iOS. You can also specify settings applied at enrollment, such as whether a reset is required, whether user affinity is used, or whether the device is locked.

You should not use a device cleanup rule. A cleanup rule specifies what to do with a device when it is no longer needed, such as wiping the device or retiring the device.

A device compliance policy defines the rules and settings a device must meet to be considered compliant; it does not upgrade editions or push configuration such as Wi-Fi profiles. Examples of compliance rules include:

• The device has not been rooted or jailbroken.
• The device runs at least a minimum version of the operating system.
• The device is at or under a specific threat level.
• Users must use a password to access company data on a mobile device.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Device features and settings in Microsoft Intune | Microsoft Learn

Question 34:
Skipped
Verigon Corporation will be using Microsoft Intune to control access to Office 365
applications for all their locations. You need to ensure that all Finance group members
can access Excel Online from their Windows 10 laptops only via Multi-Factor
Authentication (MFA).

Which required settings in your access policy must you configure? (Choose all that
apply.)

A) 25,469,417,534

(Correct)

B) 21,174,414,219

(Correct)

C) 26,623,418,691

(Correct)

D) 25,382,414,450

(Correct)

E) 413,363,27,302

(Correct)

F) 26,824,413,896

(Correct)

Explanation
You will have to give the policy a name.
You will want to configure Users and Groups in the Assignment section. Here you can
choose the Finance group.

You will want to configure the Cloud Apps section to include the desired Office 365
applications. This is where you would choose Excel Online.

You will want to configure Conditions in the Assignment section. This is where you can add
the desired device platform.
You will want to configure the Grant portion of the Access Control section. This is where
you require MFA.

Note that you will also want to configure the Session section of Access controls.

Finally, you need to enable the policy.
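
The same policy can be built outside the portal, which also makes it easy to start in report-only mode and review the sign-in logs before enforcing MFA on the Finance group. The following is an added example using the Microsoft Graph PowerShell SDK; it is not from the original question bank. It assumes the Finance group's object ID is substituted for the placeholder, and it targets the built-in Office 365 app group (which includes the Office web apps such as Excel Online) rather than a separate Excel Online application ID.

```powershell
# Added example (not from the original question bank): create the Conditional Access
# policy described above with the Microsoft Graph PowerShell SDK. The policy starts in
# report-only mode so its effect on Finance sign-ins can be reviewed before enforcement.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$financeGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: Finance group object ID

$policy = @{
    displayName = 'Finance - Require MFA for Office 365 on Windows'
    state       = 'enabledForReportingButNotEnforced'      # report-only; 'enabled' enforces
    conditions  = @{
        users          = @{ includeGroups = @($financeGroupId) }      # Assignments > Users and groups
        applications   = @{ includeApplications = @('Office365') }    # Cloud apps: Office 365 app group
        platforms      = @{ includePlatforms = @('windows') }         # Conditions > Device platforms
        clientAppTypes = @('all')
    }
    grantControls = @{                                                 # Access controls > Grant
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Starting with state set to enabledForReportingButNotEnforced is the check most practitioners want here: the sign-in log shows which Finance sign-ins would have been challenged for MFA, including any from non-Windows platforms that the platform condition excludes, before anyone is locked out.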


Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

What is Conditional Access in Azure Active Directory? - Microsoft Entra | Microsoft Learn

How to configure Microsoft Intune / Azure AD Conditional Access to Microsoft Office 365
Exchange Online

Question 35:
Skipped
You are a system administrator for your organization, Nutex, Inc. They have several
Windows 10 Enterprise devices that are enrolled with Microsoft Intune. You are
planning to upgrade the Windows 10 devices to Windows 11 Enterprise.

To achieve the objective, you have created feature updates policies in Microsoft Intune
and assigned feature updates for the Windows 10 devices.

Some users report issues after the feature update policy is applied and the Windows 10
devices are upgraded to Windows 11. You want to roll back the feature updates for
these devices.

How many days after upgrade does Microsoft allow you to roll back feature updates?

A) 30

B) 20

C) 40


D) 10

(Correct)

Explanation
Microsoft provides a 10-day grace period in which a device upgraded to Windows 11 can be rolled back to Windows 10. After the grace period, the previous installation is removed, so you must back up your data and perform a clean installation of Windows 10. To roll back, navigate to Settings > System > Recovery > Go back and select the build of Windows 10 you want to restore.

If the Go back option under the Recovery page is grayed out (as shown in the exhibit), the 10-day grace period is over and you must reinstall Windows 10 manually.

Rolling back to Windows 10 keeps your files intact without requiring additional steps. Microsoft used to allow 30 days to roll back but has shortened the default rollback grace period to 10 days.

20, 30, and 40 days are invalid options and therefore are incorrect answers.
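
The 10-day figure is the default, not a hard limit: while the window is still open, DISM can read and extend it on a device (the documented range is 2 to 60 days), which is the caveat an administrator wants before a wave of feature updates. The script below is an added example, not part of the original question bank; it wraps the DISM OSUninstall switches and assumes it runs elevated on the upgraded device.

```powershell
# Added example (not from the original question bank): inspect and extend the feature
# update rollback window on a device using DISM. Run from an elevated PowerShell prompt.
# The window can only be changed while the previous installation still exists.

function Get-OSUninstallWindowDays {
    # Returns the current rollback window in days, or $null when no rollback is available
    # (window expired or the previous installation was cleaned up).
    $out = & dism.exe /Online /Get-OSUninstallWindow 2>&1 | Out-String
    if ($out -match 'Uninstall Window\s*:\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

function Set-OSUninstallWindowDays {
    param([ValidateRange(2, 60)][int]$Days)
    # Sets the rollback window; returns $true when DISM reports success.
    & dism.exe /Online /Set-OSUninstallWindow:$Days | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$current = Get-OSUninstallWindowDays
if ($null -eq $current) {
    Write-Warning 'No previous installation to roll back to; a clean install of Windows 10 is required.'
} else {
    "Current rollback window: $current days"
    if ($current -lt 30) {
        # Widen the window while it is still open so support has time to triage user reports.
        if (Set-OSUninstallWindowDays -Days 30) { 'Rollback window extended to 30 days' }
    }
}

# Start the rollback from the command line (same as Settings > System > Recovery > Go back):
# dism.exe /Online /Initiate-OSUninstall
```

In Intune the equivalent control is the update ring's "Set feature update uninstall period (days)" setting, so a fleet-wide change belongs in the ring rather than in a per-device script; the DISM check is useful for confirming what a particular reporting user's device actually has.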

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device updates for all supported device platforms by using Intune
References:

Configure feature updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Learn

Sweetwater > Windows 11: How to Roll Back Windows 11

PC Mag > Upgrade to Windows 11, and You'll Get 10 Days to Roll Back to Win 10

Question 36:
Skipped
Your network contains an Active Directory domain named nutex.com. The domain
contains computers that run Windows 10 and are enrolled in Microsoft Intune. Updates
are deployed by using Windows Update for Business and use the Semi-Annual Channel.

Users in a group named MarketingGroup must meet the following requirements:

• Computers must receive updates for all Microsoft applications
• The IT support team must test new Windows features for at least a week before allowing clients to use them
• Updates for fixes and improvements to existing Windows functionality must not be delayed
• Updates download and are installed automatically during Automatic Maintenance when the device is NOT in use or running on battery power
• If a restart is required, the device restarts when not being used.

You need to configure the Windows 10 Update Rings in Intune to meet the
requirements. Which two settings should you change? (Click the image to select the
settings.)

A) 12,329,280,348

B) 11,188,281,208

(Correct)

C) 12,368,280,386

D) 12,228,281,248

E) 12,108,280,126

F) 13,69,281,85

G) 9,288,279,307

(Correct)

H) 12,148,282,168
Explanation
You should change the Feature update deferral period (days) setting. This setting
configures the number of days for which Feature Updates, such as Windows features, are
deferred. In this scenario, the IT support team must test new Windows features for at least a
week before allowing clients to use them.

You should change the value of the Automatic update behavior setting from Notify
Download to Auto install and restart at maintenance time. The Auto install and restart
at maintenance time setting allows the device to download and install during automatic
maintenance when the device is not in use or running on battery power. The Notify
Download setting notifies the user before downloading updates.

You can configure the Automatic update behavior setting with the following values:

• Notify download – Users are notified before downloading the update. Users can
choose to download and install updates.
• Auto install at maintenance time – Updates are downloaded automatically and then
installed during Automatic Maintenance only when the device is not in use or running
on battery power. Users are prompted to restart when a restart is required. The restart
can be delayed for up to seven days and then restart is forced.
• Auto install and restart at maintenance time – Updates are downloaded
automatically and then installed during Automatic Maintenance only when the device
is not in use or running on battery power. The device restarts when not being used if a
restart is required.
• Auto install and restart at scheduled time – Sets an installation day and time for
updates. Runs at 3 AM daily followed by a 15-minute countdown to a restart if no
time is specified. Users currently logged on can delay the restart of the device.
• Auto install and reboot without end-user control – Sets the end user’s control
panel to read-only when updates are downloaded automatically and then installed
during Automatic Maintenance, only when the device is not in use or running on
battery power.
• Reset to default – Resets Windows 10 machines that have the October 2018 Update
or later to the original auto-update settings.

You should not change the Microsoft product updates setting from Allow. This setting
allows a scan for Microsoft product updates. You want to ensure that updates are installed on
the computers.

You should not change the Windows drivers setting. This setting includes Windows Updates
for drivers during updates.
You should not change the Set feature update uninstall period (days) setting. This setting
sets the time after which feature updates cannot be uninstalled.

You should not change the Restart checks setting. This setting allows checks such as
checking for active users, battery levels, running games, and more.

You should not change the Quality update deferral period (days) setting from 0. Quality updates are typically fixes and improvements to existing Windows functionality. Leaving the setting at 0 means a deferral period of 0 days, so these updates are not delayed, which is what the scenario requires.

You should not change the Windows Update notification level setting. This setting controls
the level of Windows Update notifications that users see. This setting does not configure
when or how updates are downloaded and installed.
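
Update ring settings are delivered through the Policy CSP's Update area, and the MDM client records the values it applied in the registry, so each requirement above can be verified on a client rather than inferred from the portal. The script below is an added example and not part of the original question bank; the pass/fail thresholds are this scenario's (feature deferral of at least 7 days, quality deferral of 0, "Auto install and restart at maintenance time", Microsoft product updates allowed), and the AllowAutoUpdate code-to-name mapping follows the Update CSP values that the ring's "Automatic update behavior" choices set.

```powershell
# Added example (not from the original question bank): verify on a Windows 10/11 client
# that the Update Ring settings for this scenario were applied, by reading the values the
# Intune MDM channel records for the Update area of the Policy CSP.

$UpdateKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Update CSP AllowAutoUpdate values, named as the Intune ring's "Automatic update behavior" options.
$AutoUpdateBehavior = @{
    0 = 'Notify download'
    1 = 'Auto install at maintenance time'
    2 = 'Auto install and restart at maintenance time'
    3 = 'Auto install and restart at scheduled time'
    4 = 'Auto install and reboot without end-user control'
    5 = 'Turn off automatic updates'
}

function Get-UpdateRingValue([string]$Name) {
    # Returns the DWORD value, or $null if the policy was never delivered to this device.
    (Get-ItemProperty -Path $UpdateKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-UpdateRingCompliance {
    $feature = Get-UpdateRingValue 'DeferFeatureUpdatesPeriodInDays'
    $quality = Get-UpdateRingValue 'DeferQualityUpdatesPeriodInDays'
    $auto    = Get-UpdateRingValue 'AllowAutoUpdate'
    $mu      = Get-UpdateRingValue 'AllowMUUpdateService'     # "Microsoft product updates: Allow"

    $autoName = 'Not configured'
    if ($null -ne $auto) {
        $autoName = if ($AutoUpdateBehavior.ContainsKey([int]$auto)) { $AutoUpdateBehavior[[int]$auto] } else { "Unknown ($auto)" }
    }

    [pscustomobject]@{
        FeatureDeferralDays       = $feature
        FeatureDeferralOk         = ($null -ne $feature -and [int]$feature -ge 7)     # >= one week of testing
        QualityDeferralDays       = $quality
        QualityDeferralOk         = ($null -eq $quality -or [int]$quality -eq 0)      # missing = default 0
        AutoUpdateBehavior        = $autoName
        AutoUpdateOk              = ($null -ne $auto -and [int]$auto -eq 2)
        MicrosoftProductUpdatesOk = ($null -ne $mu -and [int]$mu -eq 1)
    }
}

Test-UpdateRingCompliance | Format-List
```

If every value comes back as Not configured, the ring has not reached the device at all (check assignment and force a sync) rather than being misconfigured; a wrong AutoUpdateBehavior value usually means a second ring or a Group Policy setting is winning the conflict.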

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device updates for all supported device platforms by using Intune

References:

Windows Update settings you can manage with Intune Update Ring policies for Windows 10/11 devices. | Microsoft Learn

Question 37:
Skipped
You have been implementing security baselines in Intune for a few weeks. You need to
see a report of which computers running Windows 10 are currently not meeting the
security baselines being enforced.

How long does it take to get baseline-related information into the Security Baseline
monitoring reports?


A) 2 hours

B) 48 hours

C) 6 hours

(Correct)

D) 24 hours
Explanation
When you are monitoring security baselines, changes take about six hours to appear in the Intune reports. When you first deploy a baseline, it can take up to 24 hours for data to appear, but in this question the baselines have been in place for a few weeks, so the existing data is already present and the six-hour refresh applies.

Two hours is not enough time for baseline data to be shown in the overview reports.

Changes to security baseline data show up well before a 48-hour period has elapsed.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Check the success or failure of security baselines in Microsoft Intune | Microsoft Learn

Question 38:
Skipped
You have several Windows 11 computers that are deployed with Microsoft Intune. You finish troubleshooting an issue with a computer in the Sales department using the Troubleshooting + support option of the Microsoft Endpoint Manager admin center. You notice that a Windows 11 computer in the Marketing department shows that the Azure AD compliant status is No.

Which of the following should you do to resolve the problem with the Marketing department
computer?

A) Turn the device on.

(Correct)

B) Run Windows Update on the computer.

C) Unenroll and then re-enroll the device.

D) Remove all app protection policies.


Explanation
A device can have its Intune compliant or Azure AD compliant status set to No if it has not checked in with Intune. A device that does not check in within the compliance status validity period (30 days by default) is marked non-compliant. The issue in this scenario could be caused by an employee on an extended holiday or maternity leave whose computer has been powered off. Simply turning on the computer so that it checks in with Intune again refreshes the Intune compliant and Azure AD compliant status.

You do not have to unenroll and then re-enroll the device. You would take this action if the Azure AD Join Type displayed Not Registered as its status; re-enrolling the device typically fixes that issue.

You should not remove all app protection policies. App protection policies safeguard data by using the user's identity to separate personal data from work data; they can control data sharing between apps and prevent saving work data to personal storage. They do not affect the Azure AD compliant status.

You do not have to run Windows Update on the computer. It is essential to stay current with security patches and fixes, but running Windows Update would not change the Azure AD compliant status.
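
Before treating a non-compliant device as a security problem, it helps to know whether it has simply not checked in. The following is an added example, not part of the original question bank: it uses the Microsoft Graph PowerShell SDK to list managed Windows devices whose last Intune sync is older than a threshold, so a device that has been powered off for weeks can be told apart from one that checks in regularly but fails a compliance rule. The 30-day threshold matches Intune's default compliance status validity period.

```powershell
# Added example (not from the original question bank): find Intune-managed Windows devices
# that have not synced for longer than a threshold, alongside their compliance state.

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

function Get-StaleManagedDevices {
    param([int]$StaleAfterDays = 30)    # default matches the compliance status validity period
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$StaleAfterDays)

    Get-MgDeviceManagementManagedDevice -All `
        -Property @('id', 'deviceName', 'operatingSystem', 'lastSyncDateTime', 'complianceState', 'userPrincipalName') |
        Where-Object { $_.OperatingSystem -eq 'Windows' -and $_.LastSyncDateTime -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                DeviceName      = $_.DeviceName
                User            = $_.UserPrincipalName
                LastSync        = $_.LastSyncDateTime
                DaysSinceSync   = [int]($now - $_.LastSyncDateTime).TotalDays
                ComplianceState = $_.ComplianceState   # e.g. compliant, noncompliant, unknown
            }
        } | Sort-Object DaysSinceSync -Descending
}

Get-StaleManagedDevices -StaleAfterDays 30 | Format-Table -AutoSize
```

A device in this list with a noncompliant state has most likely aged out rather than failed a rule; once it is powered on and syncs, re-run the query and it should drop off. A device that syncs daily but still shows noncompliant needs the per-setting compliance report, not a reboot.
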
Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

App protection policies overview - Microsoft Intune | Microsoft Learn

Question 39:
Skipped
All users in the Engineering department use Windows 10. A MAM policy was created to
protect corporate data when using Excel Online, PowerPoint Online, and Word Online.
The policy is causing problems when Engineering users try to use Excel Online on
mobile devices.

What could prevent the MAM policy from working for the Engineering department?

A) The policy is not configured for Excel Online.

(Correct)

B) The users do not have an Office 365 license.

C) The users do not have an Intune license.

D) The users are on Android devices.

E) The users are not on a managed device.


Explanation
It is most likely that the policy is not configured for Excel Online. You must select the apps to be protected as part of the policy, and the policy is then assigned to the Engineering group. If Excel Online was not included in the policy's targeted apps, the other Office apps behave as expected while Excel Online does not.
It is unlikely that the problem is that the users do not have an Intune license. Excel Online is
the only application with an issue.

It is unlikely that the problem is that the users do not have an Office 365 license. The other
Office 365 applications are working properly with the policy.

It is unlikely that the problem is the users are not on a managed device. Mobile Device
Management (MDM) can work with MAM via Intune, but it is not required. MAM can work
with other third-party MDM solutions, or even none at all for mobile devices.

It is unlikely that the problem is the users are on Android devices. MAM works with both
Android and iOS.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Validate your app protection policy setup - Microsoft Intune | Microsoft Learn

What is app management in Microsoft Intune? | Microsoft Learn

App protection policies overview - Microsoft Intune | Microsoft Learn

Question 40:
Skipped
You are a system administrator for the Nutex Corporation. Nutex has an Azure Active
Directory (Azure AD) environment. All client devices in your organization run the
Windows 11 Enterprise operating system.

You have deployed updates to all the Windows 11 devices using Microsoft Intune. You
need to ensure the following update compliance requirements are met:

• Deployment monitoring of Windows client feature updates


• Deployment monitoring of Windows quality updates
• Reports when devices have issues related to deployment
• Bandwidth usage and savings for devices displayed through Delivery
Optimization

Which feature should you use to monitor Windows update rollouts?


A) Windows 10 and later update rings report in Intune

B) Windows Update for Business Reports

(Correct)

C) Feature update failure report

D) Windows 10 and later feature updates report in Intune


Explanation
You would use Windows Update for Business Reports to monitor Windows update rollouts.
Windows Update for Business Reports is a free service built on Azure Monitor and Log
Analytics. You can use Windows Update for Business Reports to ensure the following:
• Deployment monitoring of Windows client feature updates
• Deployment monitoring of Windows quality updates
• Reports when devices have issues related to deployment
• Bandwidth usage and savings for devices displayed through Delivery Optimization

None of the other options can provide all of the update compliance features.

The Windows 10 and later update rings report in Intune, the Windows 10 and later feature
updates report, and the Feature update failure report will not display information about
bandwidth usage and savings for devices displayed through Delivery Optimization.

Using Microsoft Intune, you can deploy updates to Windows 11 devices by using policies for
update rings for Windows 10 or later and feature updates for Windows 10 or later. To
monitor and troubleshoot update deployments, Microsoft Intune provides the following
reporting options:

• Windows 10 and later update rings – This is a built-in report that is ready by default
when you deploy update rings to your devices.
• Windows 10 and later feature updates – This option uses two built-in reports that
work together to gain a better understanding of the update’s status and issues found.

The Feature update failure report is not used to monitor Windows update rollouts. The data in
the Microsoft Intune reports for feature updates for Windows 10 and later policy is used for
the below reports:

• Windows 10 and later feature updates (Organizational) – This report provides an


overall view of compliance for devices on a per-policy basis.
• Feature update failures report (Operational) – This report provides details on Alerts –
errors, warnings, information, and recommendations – on a per-policy basis to help
troubleshoot and optimize your devices.
Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device updates for all supported device platforms by using Intune

References:

Windows Update for Business reports overview - Windows Deployment | Microsoft Learn

Microsoft Intune reports - Microsoft Intune | Microsoft Learn

Question 41:
Skipped
You are a security administrator for Verigon Inc. Your organization has a Microsoft
Intune subscription. You have implemented an app configuration policy for the
productivity app used by the employees.

A user has reported that the app configuration policy has yet to be enforced. You want
to validate the app configuration policy on the user’s device.

Which of the following is NOT a method that can be used to validate the app
configuration policy?

A) Verify via Diagnostic Logs.

B) Verify the app configuration policy visibly on the user’s device.

C) Verify in the Microsoft Intune admin center by clicking Apps > All Apps
and selecting the productivity app.

D) Verify in the Microsoft Intune admin center by clicking Apps > Monitor >
App protection status and then selecting the productivity app.

(Correct)

Explanation
An app configuration policy cannot be validated by navigating to Apps > Monitor > App
protection status and selecting the productivity app. If you observe that the app configuration
policy is not functioning as expected on the user’s device, you would check whether the user
is licensed for Microsoft 365.

You can validate the app configuration policy using any of the following three methods:

• Verify the app configuration policy visibly on the user's device. Open the app and confirm that it behaves as the policy configures it to.
• Verify via Diagnostic Logs.
• Verify in the Microsoft Intune admin center, click Apps > All Apps, and select the
productivity app. Under the Monitor section, click either Device install status or User
install status (as shown in the exhibit).

• You can also check for assigned app configuration policies from the Microsoft Intune
admin center by navigating to Devices > All Devices and selecting the device
under App configuration.

To check the user's app protection status, sign in to the Microsoft Intune admin center, navigate to Apps > Monitor > App protection status, and click the Assigned users tile. On the App reporting page, click Select User and select the user from the search list. Here you can check whether the user is licensed for app protection and has a Microsoft 365 license.
Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

App configuration policies for Microsoft Intune | Microsoft Learn

Validate your app protection policy setup - Microsoft Intune | Microsoft Learn

Question 42:
Skipped
You have recently joined the Nutex Corporation as the Microsoft Intune administrator.
Microsoft Intune is used to manage the office email accounts and apps on the
employees’ mobile devices. Some employees use Android Enterprise licenses, but new
hires do not have these licenses. You are asked to develop a plan to implement app
configuration policies for all employees.

Which of the following statements about app configuration policies available with
Microsoft Intune are TRUE? (Choose all that apply.)

A) App configuration policies can only be applied to mobile devices enrolled in Intune.

B) Configuration settings in an app configuration policy can be overridden by users.

(Correct)

C) App configuration policies allow organizations to adopt apps easily and quickly.

(Correct)

D) An app configuration policy must always complement an equivalent app protection policy.
Explanation
The following statements are true:
• App configuration policies allow organizations to adopt apps easily and quickly.
• Configuration settings in an app configuration policy can be overridden by users,
especially when the setting is related to a user preference.

App configuration policies help organizations eliminate app setup problems by auto-
configuring apps when the users install them on their devices. For apps with app
configuration policies, users do not need to take action. App configuration policies also
reduce help desk calls from users for issues related to app settings.

If a configuration setting in an app configuration policy is related to a user preference, then the user can override the preference. This depends on the app and the related configuration setting. For example, with Outlook for iOS and Android, users can override the Focused Inbox app configuration setting. Depending on the app, configuration settings can also be set to be overridden by users.

App configuration policies can be applied to mobile devices whether or not they are enrolled in Intune. The configuration can be delivered through the Mobile Device Management (MDM) OS channel on enrolled devices (the Managed App Configuration channel on iOS/iPadOS or the Android Enterprise channel on Android) or through the Mobile Application Management (MAM) channel. To create and apply an app configuration policy to enrolled devices, select Managed devices as the Device enrollment type for the policy. To create and apply an app configuration policy to other devices, select Managed apps as the Device enrollment type for the policy and use an Intune app protection policy to protect the app data.

An app configuration policy does not have to be complemented by an equivalent app protection policy. App configuration policies are defined and applied at the level of an app. App protection policies can be defined and applied to all apps on all devices, apps on devices of selected OSes, public apps, and custom apps. App configuration and app protection policies can be applied at different stages of the app lifecycle in Intune.

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

App configuration policies for Microsoft Intune | Microsoft Learn


Create and deploy app protection policies - Microsoft Intune | Microsoft Learn

Overview of the app lifecycle for Microsoft Intune | Microsoft Learn

Question 43:
Skipped
Users in the PC Support group in the IT department enroll devices for employees in the Nutex Corporation. When the PC Support group accesses the Microsoft Intune Company Portal, text appears at the bottom of the sign-in page. You want to ensure that when the PC Support group visits the sign-in page they view the new legal statement that the HR department has released.

Which menu option should you choose to configure this? (Click the image to select the
correct option.)

A) 34,210,214,238

(Correct)

B) 34,92,215,125

C) 38,284,211,313

D) 34,170,217,200

E) 38,247,215,275

F) 33,133,216,162

G) 38,322,212,351
Explanation
You should choose the Company branding option. The Company branding option is
typically used for adding the company name and logo that appears during the Out-of-Box
Experience (OOBE) in Windows Autopilot. With the Company branding option, you can
configure the following:
• A background image for the page. The image is limited to 1920x1080 pixels.
• A banner logo, which can be the company or department logo.
• A Username hint to help users who may have forgotten their username.
• Sign-in page text. This text can contain additional information such as a legal
statement or a phone number or email address for the help desk.
All other options are incorrect because you cannot specify the sign-in text on the Company
Portal.
Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Add branding to your organization's sign-in page - Azure AD - Microsoft Entra | Microsoft Learn

INTUNE - Intune and Autopilot Part 3 - Preparing your environment | Microsoft Learn

Question 44:
Skipped
You are an enterprise admin for the Verigon Company. You want to upgrade your fleet
of company devices to Windows 10 Enterprise using the Subscription Activation
feature.

Which of the following is a requirement to complete this objective?

A) The provisioning packages must be created using Windows Configuration Designer.

B) Devices to be upgraded must be Azure AD-joined or hybrid Azure AD-joined.

(Correct)

C) Devices to be upgraded must have Windows 10 Home version 1703 or later installed.

D) Configuration Manager and the Microsoft Deployment Toolkit must first be integrated.
Explanation
Devices to be upgraded to Windows 10 Enterprise using the Subscription Activation feature
must be Azure AD-joined or hybrid Azure AD-joined. Also, the devices must already use
version 1703 or higher of Windows 10 Pro or Windows 10 Enterprise.

Windows Home edition does not support an upgrade to Windows 10 Enterprise.

Provisioning packages are not used to upgrade to Windows 10 Enterprise using the
Subscription Activation feature. With Windows 10 version 1507 and earlier, you can use a
provisioning package to change the SKU.

The Subscription Activation feature does not require Configuration Manager or the Microsoft
Deployment Toolkit, so integration of the two is not required. Configuration Manager allows
you to keep track of company owned hardware and software. The Microsoft Deployment
Toolkit automates Windows client and server deployment.

Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment

References:

Windows subscription activation - Windows Deployment | Microsoft Learn

Question 45:
Skipped
You are a domain admin for the Verigon Company. Your company currently uses two
Windows Server 2019 virtual machines to host its on-premises Active Directory
environment. You need to deploy Windows 10 Pro to eight existing machines and join
them to your domain. The company does not utilize Configuration Manager.
Which of the following includes the steps necessary to achieve this objective?

A) Use the Windows Configuration Designer tool to create a provisioning package and deploy it using one or more USB drives.

(Correct)

B) Create a task sequence using the Microsoft Deployment Toolkit and upload it to Microsoft Endpoint Manager to deploy it.

C) Create a provisioning package and wrap it up using the Win32 App Packaging Tool. Then upload it to an MDM for deployment.

D) Create a deployment package along with an AutopilotConfigurationFile.json file and deploy it using Windows Autopilot.
Explanation
The option to use a USB drive to deploy a provisioning package created using the Windows
Configuration Designer tool is the only workable solution for a domain-joined environment.
A provisioning package can be:
• Attached to an email
• Installed from an attached external drive, SD card, or USB flash drive
• Downloaded from a network share
• Deployed in NFC tags or barcodes

You would not choose to create a deployment package along with an
AutopilotConfigurationFile.json file and deploy it using Windows Autopilot. Autopilot
cannot be used to deploy Windows 10 to machines that are domain-joined.

You would not choose to create a provisioning package and wrap it up using the Win32 App
Packaging Tool, then upload it to an MDM for deployment. MDM solutions can only deploy
Windows 10 to MDM-enrolled devices, not domain-joined machines.

You would not choose to create a task sequence using the Microsoft Deployment Toolkit and
upload it to Microsoft Endpoint Manager to deploy it. Microsoft Endpoint Manager is an
MDM solution; thus, it can only deploy Windows 10 to MDM-enrolled devices, not domain-
joined machines.
Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment

References:

Provisioning packages overview - Configure Windows | Microsoft Learn

Question 46:
Skipped
You are a security administrator for Nutex Inc. Your organization has a Microsoft Intune
subscription. Employees use both company-owned and personally owned Windows 11
devices for work purposes. The company-owned devices are enrolled in Microsoft Intune.

You want Intune to collect event data and provide recommendations to improve performance
on the Windows devices.

To achieve the above requirement, you are creating a Windows Health Monitoring device
configuration profile using the Microsoft Intune admin center. You have performed the
following steps:

1. Logged in to the Microsoft Intune admin center.
2. Clicked Devices > Configuration profiles > Create profile.
3. Selected Windows 10 and later under Platform.
4. Clicked Templates > Windows Health Monitoring.
5. Clicked Create.
6. Entered information in Basics, Name, and Description.
7. Clicked Next.

What should be your next step in this scenario?

A) In Configuration settings, set Health Monitoring to Enable.

(Correct)


B) Configure Applicability Rules.

C) Enroll the personal Windows 11 devices in Microsoft Intune.

D) In Assignments, select the users or user groups that will receive the
created profile.
Explanation
The next step in the given scenario would be to configure Health
Monitoring under Configuration settings and select Enable.

Below are the steps to create a Windows Health Monitoring device configuration profile:

1. Log in to Microsoft Intune admin center.
2. Click Devices > Configuration profiles > Create profile.
3. Select Windows 10 and later under Platform.
4. Click Templates > Windows health monitoring (as shown in the exhibit).
5. Click Create.
6. Enter information in Basics, Name, and Description.
7. Click Next.
8. In Configuration settings, configure Health Monitoring and select Enable.
9. In Configuration settings, set Scope to Windows updates and/or Endpoint
analytics (as shown in the exhibit).
10. Click Next.
11. In Assignments, select the users or user groups that will receive the created profile
(as shown in the exhibit).
12. Click Next.
13. Configure Applicability Rules (if required) and click Next.
14. Check the configuration and click Create.

Enrolling personal Windows 11 devices in Microsoft Intune is not the next step in the given
scenario. However, if you want personal devices to use the Windows Health Monitoring
feature, you should enroll the personal devices in Microsoft Intune.

You would select the users or user groups that will receive the created profile after enabling
Health Monitoring.

You would configure Applicability Rules after enabling Health Monitoring.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Monitor devices

References:

Create a Windows Health Monitoring profile in Microsoft Intune | Microsoft Learn


Intune Admin > Enable Windows Health Monitoring for Windows Updates and Feature
Updates

See device profiles with Microsoft Intune | Microsoft Learn

View device details with Microsoft Intune | Microsoft Learn

Question 47:
Skipped
You are the remote desktop administrator for the nutex.com domain. You need to copy
the list of RemoteApp programs and deployment settings from one Remote Desktop
Session Host (RD Session Host) server to another RD Session Host server. This server is
not part of a server farm.

What must you do to ensure that all users can use the RemoteApp programs on the new
server? (Choose all that apply.)

A) Manually update the RemoteApp Programs list on the new RD Session Host server.

B) Create Windows Installer packages for the new RD Session Host server.

(Correct)

C) Create new .rdp files for the new RD Session Host server.

(Correct)

D) Manually update the deployment settings on the new RD Session Host server.

E) Disable WMI access to target RD Session Host server.


Explanation
After you export the RemoteApp programs and deployment settings from one RD Session
Host server to another, you will have to create new .rdp files or Windows Installer packages
on each RD Session Host server. This step is not necessary if the server is a member of an
RD Session Host server farm. If this is the case, then the files would be created, but you
would need to manually copy the files to the new RD Session Host server farms.

You do not need to manually update the RemoteApp Programs list on the new RD Session
Host server. The RemoteApp Program list is included in the configuration settings that are
exported from the RemoteApp Manager.

You do not need to manually update the deployment settings on the new RD Session Host server.
The deployment settings are included in the configuration settings that are exported from the
RemoteApp Manager.

Objective:
Deploy Windows client

Sub-Objective:
Configure remote management

References:

Export or Import Configuration | Microsoft Learn

Use the winget tool to install and manage applications | Microsoft Learn

Importing one or more Remote Desktop Files (.rdp Files)

Question 48:
Skipped
You are a system administrator for Nutex Corporation. They have 15,000 Windows 11
devices that are managed by Microsoft Intune. You have configured Windows updates
for all devices. However, you have observed a higher bandwidth consumption when
devices download Windows updates.

You are in the process of configuring Delivery Optimization for the devices.

What should you do?

A) Configure Delivery Optimization as part of device configuration profiles using Microsoft Intune.

(Correct)

B) Configure Delivery Optimization as part of a device compliance policy using Microsoft Intune.

C) Configure Delivery Optimization as part of a Windows Autopilot deployment profile using Microsoft Intune.

D) Configure Delivery Optimization as part of Windows Server Update Service (WSUS).
Explanation
You would configure Delivery Optimization as part of device configuration profiles using
Microsoft Intune. Using Microsoft Intune, you can configure Delivery Optimization settings
to reduce bandwidth consumption when devices download Windows updates. To create a
configuration profile, you would log in to the Microsoft Endpoint Manager admin center and
navigate to Devices, then Configuration profiles.

Once you have created the configuration profile, you can assign or deploy that profile to your
Windows devices.

You would not configure Delivery Optimization as part of a device compliance policy using
Microsoft Intune. You would configure a compliance policy to protect your organization’s
resources from devices that are non-compliant with your organization’s security policies.
Using a compliance policy, you can define the rules and settings that users and devices must
meet to be compliant and include those rules that apply to devices that are non-compliant.
You can also combine a compliance policy with Conditional Access, which can block users
and devices that do not meet compliance rules and settings.

You would not configure Delivery Optimization as part of Windows Server Update Service
(WSUS). WSUS provides good control over operating system updates and is natively
available in the Windows Server operating system. You can defer the updates and have the
ability to approve the updates. You can also choose to deploy updates on specific computers
or groups of computers whenever ready. You can utilize Delivery Optimization with
Windows Update, Windows Update for Business, WSUS, or Microsoft Endpoint Manager.
However, it is easier to manage delivery optimization of many Windows devices via a device
configuration profile using Microsoft Intune than using a WSUS server.

You would not configure Delivery Optimization as part of a Windows Autopilot deployment profile
using Microsoft Intune. Windows Autopilot uses various technologies to set up and pre-
configure new devices. It can be used to repurpose, recover, and reset devices. Windows
Autopilot helps IT administrators and reduces the time IT spends on deploying, managing,
and retiring devices. It also minimizes the amount of infrastructure required to maintain the
devices and maximizes ease of use for all types of end users. Autopilot deployment profiles
are used to configure Autopilot devices.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device updates for all supported device platforms by using Intune

References:

Delivery Optimization settings for Windows devices in Microsoft Intune | Microsoft Learn

Set up Delivery Optimization - Windows Deployment | Microsoft Learn

What is Delivery Optimization? - Windows Deployment | Microsoft Learn

Question 49:
Skipped
You are an enterprise admin for the Verigon Corporation. You are currently deploying
Windows 10 for all your desktops using Lite Touch Installation. You are having
problems during the deployment process.

You decide to review the logs to aid in identifying the problem. Which of the following
options represent MDT deployment logs? (Choose two.)

A) The Task Scheduler History logs

B) The User State Migration Toolkit Capture log

C) The Remote Installation Services log

D) The aggregated MDT log

(Correct)

E) The Task Sequencer transactions log

(Correct)

Explanation
You would choose the aggregated MDT log, BDD.log, and the Task Sequencer transactions
log, SMSTS.log, because both are MDT deployment log files.

BDD.log is the aggregated MDT Deployment log file that is copied to a network location at
the end of the deployment and can be used to troubleshoot Lite Touch installations.

SMSTS.log is created by the Task Sequencer and describes all Task Sequencer transactions.

You would not choose the User State Migration Toolkit Capture log. The log
file, USMTCapture.log, is used to troubleshoot user state migrations, not Lite Touch
installations.

You would not choose the Task Scheduler History log because these files are used to
troubleshoot scheduled background tasks on any Windows machine and are not associated
with Lite Touch Installation deployments.

You would not choose the Remote Installation Services log. Remote Installation Services is a
legacy Microsoft deployment tool that has been replaced by Windows Deployment Services
and did not support Lite Touch Installation deployments.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft Deployment
Toolkit (MDT)

References:

Troubleshoot MDT - Configuration Manager | Microsoft Learn

Troubleshoot MDT Deployments with log files - Tech Thoughts


Question 50:
Skipped
Your organization, Nutex Corporation, has 10,000 Windows 11 devices and an Azure
Active Directory (Azure AD) environment. You have enrolled all the devices to
Microsoft Intune.

You have created a configuration profile for the devices. From the Microsoft Endpoint
Manager admin center, you are viewing the status of the configuration profile and
whether it has been successfully assigned to the devices. You observe that the
configuration profile is not assigned to a few devices.

Which profile assignment status helps you understand if the device has not checked in
to receive the configuration policy?

A) Succeeded

B) Conflict

C) Error

D) Pending

(Correct)

E) Not applicable
Explanation
The Pending profile assignment status shows you that the device has not checked in to
receive the configuration policy.

Once you have created your device profile, Microsoft Intune provides graphical charts that
display the status of the profile, which shows whether the profile has been successfully
assigned to the devices or if the profile shows a conflict.

To view the details on a profile, you would follow these steps:

1. Sign in to Microsoft Endpoint Manager admin center.
2. In Devices > Configuration profiles, select an existing profile.
3. Select the Overview tab. In this view, the Profile assignment status includes the
following statuses:
• Succeeded: The policy has been successfully applied.
• Error: The policy has failed to be applied. You will be able to view the error code that
links to an explanation.
• Conflict: This status shows that two settings have been applied to the same device and
Microsoft Intune is unable to sort out the conflict. Administrators should review such
scenarios.
• Pending: This status shows that the device has not checked in with Microsoft Intune
to receive the policy yet.
• Not Applicable: This status shows that the device cannot receive the policy. For
example, the policy updates a setting specific to iOS 11.1, but the device is using iOS
10.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

See device profiles with Microsoft Intune | Microsoft Learn

Troubleshoot policies and configuration profiles in Microsoft Intune - Intune | Microsoft Learn

Question 51:
Skipped
You plan to use Windows Autopilot to add several Windows 10 devices to Azure AD.
These devices will be joined automatically to Azure AD.

What information is required from the device?

A) Device serial number and hardware hash


(Correct)

B) Computer name and license key

C) Computer name and IP address

D) IP address and MAC address

E) Computer name and MAC address


Explanation
In the Azure Portal or the Azure Active Directory administrative center, you can
choose Device Enrollment and import a CSV file that contains a list of devices that you want
to add. The file should contain serial numbers, hardware hashes, Windows Product IDs, and
optional order IDs. You can only have a maximum of 175 rows in the CSV file.

All other answers are incorrect. Computer name, MAC address, and IP address are not
needed in the CSV file.
Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Create device groups for Windows Autopilot - Microsoft Intune - Microsoft Intune |
Microsoft Learn

Question 52:
Skipped
You are a system administrator for Verigon Inc. Your organization has an Azure Active
Directory (Azure AD) configuration with a Microsoft Intune subscription, and all Windows
11 devices are joined to Azure AD. You have a business-critical application
named BusinessApp1 hosted in the Azure cloud.

You are configuring a Conditional Access policy for the following requirements:

• All users must use multi-factor authentication (MFA) when they access BusinessApp1.
• Any user with an Android or iOS device who has a potentially compromised user
account must be blocked.

Which options on the image should you choose while configuring a Conditional Access
policy? (Choose all that apply.)

A) Below Access controls, select controls under Grant

(Correct)

B) Below Access controls, select controls under Session.


C) Below Assignments, select No Cloud apps, actions, or authentication contexts under Cloud apps or actions

(Correct)

D) Below Assignments, select conditions under Conditions

(Correct)

E) Below Assignments, select Users and groups under Users


Explanation
To ensure that all users use MFA when they access BusinessApp1, you would choose No
Cloud apps, actions, or authentication contexts and Conditions under
the Assignments section, and select controls under Grant below the Access Control section
when creating a new Conditional Access policy.

When configuring the Conditional Access policy, you would make these configurations:

• Under Assignments, choose Users to select the identities to whom you want the
policy applied. Click on Users and Groups.
• Under Assignments, configure Cloud apps or actions and select the app for which
you want to apply the Conditional Access policy (in this scenario,
select BusinessApp1).
• Under the Access controls section, click Grant and select Require multi-factor
authentication.

You will need to create a separate Conditional Access policy to meet the requirement that any
potentially compromised user account must be blocked. To do so, select the devices for
which you want the policy to be enforced. Click on Conditions under
the Assignments section, and configure Device platforms (as shown in the image).

You would not configure Session configuration under the Access Controls section in the
given scenario. Session configuration enables you to control user access based on session
controls to enable restricted experiences within the specific cloud applications.

Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

Set up device-based Conditional Access policies with Intune - Microsoft Intune | Microsoft
Learn

4sysops > Conditional Access: Create policies to secure cloud resources using AAD authentication

Github > Azure-Docs > howto-conditional-access-policy-block-access.md

Question 53:
Skipped
You are a desktop administrator for Verigon Corporation based in Orlando, FL. You
are responsible for deploying Windows 11 to all desktops and laptops in the London
branch office. There are no servers in London, but over 500 computers have been
deployed in waves. You need to confirm that all of these devices have the latest
Windows security updates.

What would be the best way to monitor these updates?

A) Use Windows Autopilot

B) Use the Windows Update for Business reports

(Correct)

C) Use System Center Configuration Manager (SCCM)

D) Use the Upgrade Readiness component of Windows Analytics

E) Use Windows Update for Business


Explanation
You would use the Windows Update for Business reports. This component can monitor Windows
11 security, quality, and feature updates. This component performs the following:
• Monitors devices running the Windows 11 Professional, Education, and Enterprise
editions for security, quality, and feature updates
• Creates a report of compliance issues relating to devices and updates that need
attention
• Shows status of Microsoft Defender Antivirus signatures, as well as threats
• Displays bandwidth savings used by Delivery Optimization across multiple content
types.

You would not use the Upgrade Readiness component of Windows Analytics. That
component determines if a computer is ready to upgrade to Windows 11. Windows Analytics
was deprecated in November 2022.

You would not use Windows Autopilot. Autopilot would be useful for deploying the OS to
new devices, but it is not used to monitor the status of update delivery.

You could use Windows Update for Business to collect diagnostic information, but by itself it
is not a complete monitoring solution. It only gathers data that is used by the Update
Compliance component of Windows Analytics.

You would not use System Center Configuration Manager (SCCM) in this scenario. There is
no server in the branch location. This would not be the best scenario to deliver and monitor
these updates. The Windows Update for Business component is a better way to deliver
updates as it offers a peer-to-peer delivery option that is monitored by the Windows Update
for Business reports.

Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

Windows Update for Business reports overview - Windows Deployment | Microsoft Learn

Monitor Windows Updates and Microsoft Defender AV with Update Compliance - Windows
Deployment | Microsoft Learn

Windows Update for Business - Windows Deployment | Microsoft Learn

Question 54:
Skipped
Dreamsuites Incorporated wants to ensure that the corporate data stored in Office 365
remains secure when Office 365 is accessed from mobile devices. Not all devices that
access Office 365 are company owned.
What action could be taken to offer this protection?

A) Create an iOS email profile

B) Run Mpcmdrun.exe

C) Implement Intune MDM

D) Use Intune to create a Mobile Application Management policy

(Correct)

E) Create a device compliance policy


Explanation
You should use Intune to create a Mobile Application Management policy. To do so,
choose Client apps > App protection policies > Create Policy in the Intune portal. This
allows you to deploy security policies to the apps themselves, as opposed to the device. These
policies only work for Office 365 applications that connect to Office 365 services. Note that
devices do not have to be managed by any MDM solution to implement Mobile Application
Management (MAM) via Intune.

You do not need to implement Intune MDM. Intune provides both mobile device
management (MDM) and mobile application management (MAM). In this scenario, not all
devices are company owned. You are required to protect the Office 365 apps.

You do not need to create an iOS email profile. The scenario does not indicate the type of
mobile OS being used by the devices, and you need to protect Office 365 applications.

You would not run Mpcmdrun.exe. This is a command-line tool used to manage Windows
Defender Antivirus.

You do not need to create a device compliance policy. The scenario is focused on Office 365
applications, not device management.

Windows Information Protection (WIP) is another technology that can protect laptops, but is
more directly focused on the data. It uses other Microsoft Information Protection technologies
to protect files that have a sensitivity label.
Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Create and deploy app protection policies - Microsoft Intune | Microsoft Learn

Enabling Intune: Part 1 – Intune Mobile Application Management Only | Microsoft Learn

Manage BYOD with Intune MAM Without Enrollment - (allthingscloud.blog)

Question 55:
Skipped
You work for Nutex Inc as a system administrator with a global administrator role.
Your organization has Microsoft Intune and Azure AD subscriptions.

You have hired a user named User1 to manage device compliance and Conditional
Access policies in Microsoft Intune.

Which built-in role should you assign to User1 for managing these features in Microsoft
Intune?

A) Endpoint Security Manager

(Correct)

B) Endpoint Privilege Manager

C) Cloud PC Administrator

D) Application Manager
Explanation
In the given scenario, you would assign the Endpoint Security Manager built-in role
to User1 to allow them to manage device compliance and Conditional Access policies in
Microsoft Intune.

You can assign built-in roles to groups or users without making any changes to the role
configuration. You cannot delete or edit the name, description, types, or permissions of the
Intune built-in roles.

Endpoint Privilege Manager, Application Manager, and Cloud PC Administrator roles will
not enable the user to manage device compliance and Conditional Access policies in Intune.

The other built-in roles that you can assign to users and groups are:

• Application Manager – granting this role will enable users to manage mobile and
managed applications, read device information, and view device configuration
profiles.
• Endpoint Privilege Manager – granting this role will enable users to manage Endpoint
Privilege Management policies.
• Endpoint Privilege Reader – granting this role will enable users to view Endpoint
Privilege Management policies.
• Help Desk Operator – granting this role will enable users to perform tasks remotely
on users and devices and assign policies or applications to devices or users.
• Intune Role Administrator – granting this role will enable users to manage custom
Intune roles and add assignments for built-in roles. This is the only role that can
assign permissions to administrators.
• Policy and Profile Administrator – granting this role will enable users to manage
configuration profiles, compliance policies, corporate device identifiers, security
baselines, and Apple enrolments.
• Organizational Messages Manager – granting this role will enable users to manage
organizational messages in the Microsoft Intune console.
• Read-Only Operator – granting this role will enable the user to view user, device,
enrolment, configuration, and application information. However, the user cannot
make changes.
• School Administrator – granting this role will enable users to manage Windows 10/11
devices in Intune for Education.
• Cloud PC Administrator – granting this role will enable the user to view and update
all Cloud PC features located within the Cloud PC blade.
• Cloud PC Reader – granting this role will enable the user to view all Cloud PC
features located within the Cloud PC blade.

Objective:
Manage identity and compliance
Sub-Objective:
Manage identity

References:

Role-based access control (RBAC) with Microsoft Intune | Microsoft Learn

Question 56:
Skipped
Dreamsuites Corporation has been using Configuration Manager for their devices, but
has now implemented Windows Intune for their mobile device management solution.
All devices are joined to the Dreamsuites.com domain. Dreamsuites has an Azure AD
Premium subscription. You have been asked to provide a solution to enroll existing
Windows 10 devices in Intune that does not require any end-user interaction.

What methods might meet the Dreamsuites requirement? (Choose all that apply.)

A) Using Hybrid Azure AD Join

(Correct)

B) Using a device enrollment manager (DEM) account

(Correct)

C) Windows Autopilot

D) Configuration Manager Co-Management

(Correct)

E) Bulk enrollment
(Correct)

Explanation
You could use bulk enrollment as an enrollment method. This method requires the creation of
a provisioning package using Windows Configuration Designer (WCD).

You could use a device enrollment manager (DEM) account as an enrollment method. A
DEM account lets a single user account enroll up to 1000 devices.

You could use Hybrid Azure AD Join as an enrollment method. You can set up a GPO for
this purpose to trigger auto-enrollment for domain-joined devices.

You could use Configuration Manager Co-Management as an enrollment method, as long as
the Windows 10 devices have the Configuration Manager client. When you manage devices
with both Configuration Manager and Intune, Microsoft refers to this as co-management.

Windows Autopilot would be a useful method for the deployment and pre-configuration of new
devices in the future, but the scenario applies to existing devices.

Note that some of these methods require an Azure AD Premium subscription.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Step 5 – Enroll devices in Microsoft Intune | Microsoft Learn

Windows device enrollment guide for Microsoft Intune | Microsoft Learn

Question 57:
Skipped
You have recently joined the Nutex Corporation as the Microsoft 365 Security
Administrator. The employees at Nutex use Windows 11 endpoints, and Microsoft 365
apps are available to all employees. The endpoints and apps are secured using Microsoft
Defender.
The Security team at Nutex has recently implemented Attack Surface Reduction (ASR)
rules in Microsoft Defender. The team is seeing a high number of false positives and
false negatives after enforcing the rules. You are tasked with investigating the cause and
coming up with fixes.

Which of the following can help you fix the false positives and false negatives? (Choose
all that apply.)

A) Add Exclusions to the relevant rules.

(Correct)

B) Report false negatives to Microsoft Support.

(Correct)

C) Check if a third-party antivirus solution is running on the relevant endpoints.

D) Enable Real-time Protection in Microsoft Defender Antivirus installed on the endpoints.

(Correct)

E) Set the relevant rules to Warn mode.


Explanation
The following can help you fix the false positives and false negatives:
• Enable Real-time Protection in Microsoft Defender Antivirus installed on the
endpoints.
• Add Exclusions to the relevant rules.
• Report false negatives to Microsoft Support.

Installing and enabling real-time protection in Microsoft Defender Antivirus on the endpoints
is a prerequisite for benefiting from the ASR rules. Real-time protection policies provide
behavior monitoring and heuristics to identify malware based on known suspicious and
malicious activities. Disabling any of the Real-time Protection rules can result in false
negatives. Real-time Protection rules can be enabled on all endpoints by setting them in the
Microsoft Defender Antivirus details > Real-time Protection area in the Group Policy Editor.

You can add exclusions to the relevant rules to avoid false positives. An exclusion is a list of
files, folder paths, or FQDNs that will be excluded from being processed by the ASR rules.
The exclusion applies to all rules that support exclusions; it cannot be set at the level of an
individual rule. With the appropriate files, folders, and FQDNs excluded while the ASR goals
are still met, exclusions can help you reduce and even eliminate false positives.

You should report false negatives to Microsoft Support. False negatives are alerts that result
when one or more rules do not work as expected. Ensure that you include adequate diagnostic
data.

Setting the relevant rules to Warn mode does not help fix the issue. The four states of ASR
rules are Disabled, Audit, Warn, and Block. For rules set to Warn mode, users see a dialog
box that indicates the content is blocked. Users can unblock the content. The related
operation is available to the user for 24 hours, and then the block resumes. Warn mode can
help users temporarily unblock false positives, but does not fix the issue with false negatives.

A third-party antivirus solution running on the relevant endpoints is not a reason for false
positives. A prerequisite to benefitting from enabling the ASR rules for endpoints is to use
only Microsoft Defender Antivirus on the endpoints. With a third-party antivirus solution
enabled, Microsoft Defender Antivirus disables itself. So, no alerts will be generated from the
relevant endpoints.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Assign apps to groups in Microsoft Intune | Microsoft Learn

Enable and configure Microsoft Defender Antivirus always-on protection | Microsoft Learn

Attack surface reduction rules reference | Microsoft Learn

Enable attack surface reduction (ASR) rules | Microsoft Learn

Microsoft Defender Antivirus compatibility with other security products | Microsoft Learn

Question 58:
Skipped
You are an enterprise admin for the Verigon Corporation.

You want to deploy security and critical updates for your MDM-enrolled Windows 10
laptops that are being used by company employees.

Which of the following options will best achieve this objective?

A) Create a Windows 10 update rings profile in Microsoft Endpoint Manager.

(Correct)

B) Create and populate a Windows 10 update ring using Windows Server Update Services.

C) Create a Windows 10 feature updates policy in Microsoft Endpoint Manager.

D) Enroll the laptops in the Windows Insider Program for Business Channel.

Explanation
You would choose to create a Windows 10 update rings profile in Microsoft Endpoint
Manager. A Windows 10 update ring profile is configured in Microsoft Endpoint Manager to
deploy quality updates and includes both security and critical updates. It is a policy of update
settings that configures when the updates get installed. Update rings are supported for
operating systems that run Windows 10 version 1607 or later.

You would not choose to create a Windows 10 feature updates policy in Microsoft Endpoint
Manager. Windows 10 feature updates introduce new features and functionality to Windows
10 and do not involve security or critical updates.

You would not choose to create and populate a Windows 10 update ring using Windows
Server Update Services (WSUS). WSUS is not used to update MDM-enrolled machines. It is
used in conjunction with Group Policy to update domain-joined machines.

You would not choose to enroll the laptops in the Windows Insider Program for Business
Channel because this is not used to deploy security and critical updates. It is used to validate
feature updates in advance of their release.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device updates for all supported device platforms by using Intune

References:

Learn about using Windows Update for Business in Microsoft Intune | Microsoft Learn

Windows client updates, channels, and tools - Windows Deployment | Microsoft Learn

Question 59:
Skipped
You are a system administrator for your organization. They have several Windows 11
devices and iOS 10.3 supervised devices. You use Microsoft Intune device configuration
profiles to manage software updates for the iOS supervised devices.

While configuring the policy for the iOS updates, you chose to deploy an older version
of the software update. What must you do to prevent users from updating the OS
manually?

A) Configure the iOS update policy to update the devices during a scheduled time.

B) Deploy a device restriction profile to restrict the visibility of software updates.

(Correct)

C) Deploy a device restriction profile to allow visibility of software updates.

D) Unenroll the device using Apple Business Manager.


Explanation
To prevent users from updating the OS manually, you should deploy a device restriction
profile to restrict the visibility of software updates.

When using update policies for iOS devices, you may have to delay the visibility of iOS
updates. You can delay the visibility of the software updates to prevent users from updating
the OS manually, or deploy an older update while preventing users from installing a more
recent one.

To delay visibility, you should deploy a device restriction template with the following
configuration settings:

• Defer Software updates = Yes
• Delay default visibility of software updates = From 1 to 90 days. The maximum delay
supported by Apple is 90 days.

Deploying a device restriction profile to allow visibility of software updates is not the correct
answer in the given scenario. By default, users have visibility of software updates, and update
profiles do not prevent users from updating the OS manually.

You should not unenroll the device using Apple Business Manager. The device will not be a
supervised device once unenrolled by Apple Business Manager. You can use Microsoft
Intune device configuration profiles to manage software updates for iOS / iPad devices
enrolled as supervised devices.

Configuring the iOS update policy to update the devices during a scheduled time is not the
correct answer in the given scenario. While configuring the iOS update policy, you can
configure a schedule during which the update will be installed, but that schedule does not
prevent users from installing an update manually.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device updates for all supported device platforms by using Intune

References:

Use Microsoft Intune policies to manage iOS/iPadOS software updates | Microsoft Learn

Question 60:
Skipped
You are a laptop administrator for the Nutex Corporation. You are currently taking
advantage of Group Policy to control configuration of your Windows 10 devices. Nutex
is moving to Intune to manage these devices. All laptops are running the latest version
of Windows 10. You are concerned about the precedence of possible conflicting policies
between Group Policy and Intune MDM. For now, you want Group Policy to "win" if
there is a conflict.

What steps could assist you in this process? (Choose all that apply.)

A) Configure the ControlPolicy Conflict Group Policy setting

(Correct)

B) Execute a Windows Autopilot Reset using Intune

C) Compare baselines with the Security Compliance Toolkit (SCT)

D) Use the MDM Migration Analysis tool

(Correct)

E) Use the Update Compliance component of Windows Analytics


Explanation
You could use the MDM Migration Analysis tool (MMAT). This free tool from Microsoft
will compare Group Policies for a target computer and cross-reference them against a built-in
list of MDM policies. MMAT does the following:
1. In the first stage, it determines which GPOs have been applied by using RSoP (Resultant
Set of Policy). MMAT then filters out GPOs that are not enabled or to which access is denied.
2. In the second stage, it retrieves the XML from each GPO found in the first stage and stores
that information in a GPOReport-{GPOGuid}.txt file.
3. In the third stage, it uses MdmMigrationAnalysisTool.exe to read the
GPOReport-{GPOGuid}.txt file and compare it against the MDMPolicyMapping.xml file. It
then generates a final HTML report and XML report.

You will want to configure the ControlPolicy Conflict Group Policy setting. This will allow
you to control which policy will be used when both an MDM policy and an equivalent Group
Policy are set on a device. When the ControlPolicy Conflict policy is set to 1, then MDM
policy is used and the GP policy is blocked. You would configure the ControlPolicy
Conflict policy setting to ensure that the MDM policy overrides Group Policy.

You would not use the Update Compliance component of Windows Analytics to meet the
goal of the scenario. Update Compliance has been replaced by Windows Update for Business
reports. Windows Update for Business reports will not meet the goal of the scenario, although
it is a useful option for reporting after updates have been deployed.

You would not execute a Windows Autopilot Reset using Intune. This would remove all
applications, settings, and files from the devices.

You would not compare baselines with the Security Compliance Toolkit (SCT). This would
compare the current GPOs with Microsoft-recommended baselines, which does not meet the
goal of this scenario.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

MDM Migration Analysis Tool – All about Microsoft Intune (petervanderwoude.nl)

Windows 10 Group Policy vs. Intune MDM Policy who wins? | Microsoft Learn

ControlPolicyConflict Policy CSP - Windows Client Management | Microsoft Learn


SET 3
Question 1:
Skipped
To use the Microsoft Remote Desktop client to connect to a remote Windows 11
device, which of the following settings need to be configured?

You must enable a LAN network connection to the remote device.

You must enable a Remote Desktop connection on the remote device.

(Correct)

You must turn on the remote device and make sure it is not in
sleep/hibernate mode.

(Correct)

The firewall must allow Remote Desktop connections.

(Correct)

You must set permissions to connect to the remote device.

(Correct)

Explanation
You need to manage several configuration settings to allow the use of the Microsoft
Remote Desktop client app. You must switch the remote device on; enable the
Remote Desktop connection feature; ensure that, if a firewall is being used, it allows
Remote Desktop connections; and set permissions to connect to the device. (The
user needs to be on the list of users for the device and know the username and
password.)
A LAN (local area network) connection to the device is not required because the
Microsoft Remote Desktop client app can be used over a LAN, a WAN, Wi-Fi, and the
internet.

Question 2:
Skipped
On a Windows 11 PC, you can use the Settings app to pause both feature updates
and quality updates. What is the maximum pause time period that you can select?

15 days

20 days

7 days

35 days

(Correct)

Explanation
Windows 11 update options include a Pause Updates feature to pause both feature
updates and quality updates. You can set the pause period to a maximum of 35
days, although you can select other time periods.

Question 3:
Skipped
Windows 11 comes in several versions. Which business-oriented version supports
high-end hardware devices for enhanced performance?

Windows 11 Enterprise

Windows 11 Pro for Workstations

(Correct)


Windows 11 Pro

Windows 11 Education

Explanation
Windows 11 Pro for Workstations is designed for businesses that have advanced
data needs and that are using high-performance workstations. It provides speed,
corruption repair, and increased processing power to cope with heavy data
processing demands.

The other answers are incorrect because:

• Windows 11 Enterprise is designed for larger organizations that need enhanced security
protection and management functionality. Windows 11 Enterprise is not specifically
designed for high-performance workstations.
• Windows 11 Pro is intended for smaller businesses that need less
functionality than Windows 11 Enterprise offers. Windows 11 Pro is not
specifically designed for high-performance workstations.
• Windows 11 Education is based on Windows 11 Enterprise and is not
designed for high-performance workstations.

Question 4:
Skipped
When troubleshooting boot issues on a Windows 11 PC, you need to understand the
operation of the boot loader. Which of the following are the main components of
the Windows 11 boot loader architecture?

Boot configuration data

Windows Boot Manager

(Correct)

Windows Configuration Manager

Windows Resume Loader

(Correct)

Windows operating system loader

(Correct)

Explanation
The Windows 11 boot loader is made up of three main components: the Windows
Boot Manager (Bootmgr.exe), the Windows Resume Loader (Winload.exe), and the
Windows Operating System Loader (Winresume.exe).

When you start a Windows 11 device, the Windows Boot Manager is loaded first.
Then it reads the boot configuration data, which is part of the boot process but is not
considered one of the main components of the boot loader architecture.

The Windows Boot Manager then invokes the Windows operating system loader. If
the boot configuration data indicates that the device was in a hibernation state when
it was shut down, the Windows Resume Loader is initiated instead.

Question 5:
Skipped
You are upgrading a PC to Windows 11. Your installation media contains an old
Windows 11 system image. How should you ensure that your PC will apply all
missing Windows 11 updates?

Download all missing updates sequentially.

Download the most recent feature update and the most recent quality
update.

(Correct)

Download only the major creator updates.

Download the update that has been released most recently.


Explanation
Windows 11 updates are either feature updates (with new feature releases and
updates for existing features) or quality updates (to manage security fixes). Each
update is cumulative, containing information included in all previous updates.
Therefore, to bring an older Windows 11 image up to date, you need to apply only the
last feature update and the last quality update.

All the other answers are incorrect because you do not need to install multiple
previous releases or the creator updates. Also, you cannot just install the last
update. Because two different update types are available, you need to install both the
latest feature update and the latest quality update for the device to be fully up to
date.

Question 6:
Skipped
The Microsoft Remote Desktop client allows a Windows device to connect to
another Windows device remotely by using a WAN, a LAN, Wi-Fi, or the internet.
You attempt to connect to a remote computer on your local network by using
Remote Desktop Connection, but the connection fails. You successfully ping the
device. Which of the following are possible causes of the connection failure?

The remote PC is turned off.

The remote PC has disabled Remote Desktop.

(Correct)

The remote PC is hibernating.

The remote PC is in sleep mode.

A user rights assignment policy is restricting access.

(Correct)

Explanation
The Microsoft Remote Desktop client app manages and facilitates a remote session
from one Windows device to another. However, if the device being connected to is in
sleep mode or hibernating, the connection attempt does not work.

The question indicates that ping has been used to successfully connect to the
remote PC, and you know that if the operating system responded to the ping request,
the device is turned on.

To ensure that a connection is possible, you should troubleshoot to ensure that the
remote PC has not disabled Remote Desktop and that the Deny Logon Through
Remote Desktop Services user rights assignment policy has not been configured to
restrict access.

Question 7:
Skipped
During an in-place upgrade, a backup of the existing Windows version will be
automatically made before Windows 11 is installed. The backup is stored in a folder
called Windows.old and can be used to restore the computer to the previous
version of Windows. You may want to copy the Windows.old folder to an external
hard drive before deleting it to free up space. Where can you find the Windows.old
folder?

C:\Recovery\Windows.old

C:\Windows.old

(Correct)

C:\Windows\Windows.old

C:\Program Files\Windows.old

Explanation
The Windows.old folder contains the old Windows system that Windows 11 has
replaced.

During an in-place upgrade, Windows Setup creates the folder and saves files and
data from the existing Windows installation so that you can use this data to perform
a rollback if you have an issue with the Windows 11 upgrade.

The folder is automatically created on the main hard drive partition of the computer
(usually the C drive) in the root folder. Therefore, C:\Windows.old is the location for
the folder. All the other answers are incorrect.

Question 8:
Skipped
Your organization needs to ensure that certain devices do not receive Windows 11
feature updates. Which of the following is the most appropriate servicing channel
for these devices?

Semi-Annual Channel

Windows Insider Program

Long-Term Servicing Channel

(Correct)

None of the above


Explanation
Windows 11 uses the Windows-as-a-service model to regularly push updates to
Windows 11 devices. If an organization has IT equipment such as medical
monitoring devices that an update could adversely affect, there needs to be a way to
block certain updates.

The only way to block feature updates is to have these devices installed with the
Long-Term Servicing Channel image. They will, however, still receive quality updates.

The Semi-Annual Channel and the Windows Insider Program do not allow updates to
be blocked, only deferred, so these answers are incorrect.

Question 9:
Skipped
What configuration information does the Microsoft Remote Desktop client need to
connect to a remote Windows 11 device on the same network?

IP address

(Correct)

Computer name

(Correct)

Network location

MAC address

Explanation
When using the Microsoft Remote Desktop client app, during the connection setup
phase the user is prompted to enter the name or IP address of the device to connect
to.

All the other answers are incorrect. Although they refer to location identifiers that
can be used to locate the remote device, the Microsoft Remote Desktop client app
does not use them.

Question 10:
Skipped
Windows 11 uses the Windows-as-a-service model to regularly push updates to
Windows 11 devices. In an enterprise environment, administrators can use
Windows Server Update Services (WSUS) to manage updates. What can WSUS do?

Defer updates

(Correct)

Add an approval layer

(Correct)

Block updates

Set up deployment rings

(Correct)

Explanation
Administrators can use Windows Server Update Services (WSUS) to manage
Windows 11 updates. You can set up a WSUS server to centrally manage and deploy
updates to Windows 11 devices. WSUS allows administrators to defer updates, add
an approval layer for updates, and create deployment rings. You cannot use WSUS to
block Windows 11 feature or quality updates.

Question 11:
Skipped
What is the quickest way to check whether the latest Windows 11 feature update
has been successfully installed?

Run the Update Troubleshooter.

View the Microsoft Update Catalog page.

Use the guided walkthrough on Microsoft’s Fix Windows Update Errors web page.

Use the Windows Update History feature.

(Correct)

Explanation
The Update History feature in the Settings app displays a list of updates that have
been applied to a Windows 11 device. Update History shows whether an update has
installed correctly and provides detailed information about each update. Viewing this
information is a quick and easy way to check that all updates have installed
correctly.

Question 12:
Skipped
You plan to use the Windows Fresh Start tool to perform a clean installation of
Windows 11. Your colleague asks you how the tool works. Which of the following
statements are correct?

The tool removes only third-party apps; any Microsoft apps are retained.

The tool may remove digital licenses.

(Correct)

The tool removes all apps, including Microsoft apps that are not included
with Windows 11.

(Correct)

The tool removes all personal files, so you must back them up before using
the tool.

The Microsoft Edge app is not removed when using this tool.

(Correct)

Any customized hardware settings are preserved; the tool does not change
them to Microsoft defaults.

Explanation
The RefreshWindowsTool.exe tool can install a clean version of Windows 11 Home
or Windows 11 Pro.

The Windows Fresh Start tool removes all nonstandard Windows 11 apps, including
Microsoft apps such as Office. However, apps that are included as standard with
Windows 11, such as Microsoft Edge, are unaffected. Using the tool may also
remove digital licenses for third-party apps, which can cause problems when
accessing these purchased apps in the future.

The following statements are incorrect:

• The tool removes only third-party apps; any Microsoft apps are retained. This
is incorrect because the tool also removes any nonstandard Windows 11
apps, including Microsoft apps.
• The tool removes all personal files, so you must back them up before using
the tool. This is incorrect because you have an option when using the tool to
retain personal files. However, it is a good idea to perform a backup before
using the tool.
• Any customized hardware settings are preserved; the tool does not change
them to Microsoft defaults. This is incorrect because hardware settings (for
example, Power and Sleep settings) may be changed back to the Microsoft
default settings.

Question 13:
Skipped
You can use the Microsoft Remote Desktop client to access or control a Windows
11 computer remotely. Which of the following allows you to connect to the remote
device?

WAN

(Correct)

LAN

(Correct)

Wi-Fi

(Correct)

Internet

(Correct)

VPN

(Correct)

Explanation
The Microsoft Remote Desktop client is designed as remote-control software. The
client app is used by both the computer that is connecting to a remote device and
the remote device. The Microsoft Remote Desktop client app manages and
facilitates the remote access session. You may want to connect to a remote device
so that you can use the device for work, to perform administrative tasks, or to
provide support and assistance for an end user.

You can connect to a remote device by using a local area network (LAN), a wide area
network (WAN), Wi-Fi, a VPN, or an internet connection.

Question 14:
Skipped
Which of the following methods can you use to change the language of a Windows
11 device from English to German?

Install the relevant language pack by using the Settings app.

(Correct)

Change the keyboard language settings for the device by using the Settings
app.

Install a local experience pack you can download from the Microsoft Store.

(Correct)

Deploy a provisioning package, which includes a local experience pack.

(Correct)

Explanation
To change the current language of Windows 11, you can use the Time & Language
area of the Settings app to download and install a language pack. Once you have
installed the language pack, you can use the Settings app to set the new language as
the default.

In addition, you can download and use a local experience pack from the Microsoft
Store. When using a local experience pack, you can deploy new languages to a
Windows 11 device. You can also use local experience packs when creating a
Windows 11 image to add specific languages as part of a deployment.

Finally, you can use a provisioning package to change the language of Windows 11.
Provisioning packages configure a device so you do not need to re-image it. You can
use provisioning packages to manage settings such as language and Wi-Fi, to
configure shared usage, and to enroll a device in Azure Active Directory.

Changing the keyboard language settings is an incorrect answer. Changing the
keyboard language settings does not start the process of installing a new language.
However, once a new language has been installed, you can change the keyboard
language settings so that a user can type using the newly installed language.

Question 15:
Skipped
Microsoft uses NTFS for Windows 11. You can set NTFS permissions to control and
manage access to the files and folders stored on data drives formatted using NTFS.
Select the two missing permissions that complete the following statement:

Permissions include Full Control, _______, Read & Execute, List Content Folders,
________ and Write.

Traverse

Partial Control

Read Only

Read

(Correct)

Modify

(Correct)

Delegate

Explanation
The full list of NTFS permissions is Full Control, Modify, Read and Execute, List
Content Folders, Read, and Write. Therefore, the two permissions missing in the
question are Modify and Read.

Question 16:
Skipped
Windows 11 needs to be deployed on 1,000 bare-metal devices. You need to
recommend the most suitable installation method that also reduces the
administrative effort involved in completing the deployment. Which of the following
do you choose?

Device Refresh

Media Install

Device Migration

System Image

(Correct)

Explanation
A bare-metal device is a computer that has been supplied with no operating system
installed. You cannot use Device Refresh on a computer that does not have an
operating system installed.

You may need to use Device Migration to move files and settings from an older
device to the new bare-metal device after Windows 11 has been installed. However,
this does not perform the Windows 11 installation itself, so you cannot use this
option for the deployment.

You could use the Media Install option, but because this requires someone to sit at
each device and manually perform each installation, it is not an efficient method of
deployment for 1,000 computers.

From the options available, the most suitable and efficient method to deploy
Windows 11 to 1,000 bare-metal devices is to use the System Image method.

Question 17:
Skipped
User data from a Windows 7 device has been copied to an external hard drive. You
will perform a clean install of Windows 11 to the Windows 7 device. Next, the user
data will be copied back to the upgraded machine. What is the name for this type of
user data migration?

Side-by-side migration

In-place upgrade

Dynamic provisioning

Wipe-and-load migration

(Correct)

Explanation
Wipe-and-load migration is the name for the process of copying user data and
settings from a device that is already running a version of Windows. The device is
then upgraded to Windows 11, and the user data and settings are copied back to the
upgraded device. With this type of migration, the source and destination devices are
the same.

All other answers are incorrect because:

• A side-by-side migration is performed using two different devices (where data is
copied from an older source device and migrated to a newer destination device).
• An in-place upgrade is the recommended method of upgrading devices. User data
does not need to be copied off the machine because all user data, settings, and files
are retained during the upgrade process.
• Dynamic provisioning is the process of configuring device settings by using
provisioning packages; it also occurs when settings configuration is triggered by a
user signing into a device. For example, upon user sign-in, a device may be
automatically upgraded or automatically joined to Azure Active Directory and
enrolled into a mobile device management system, such as Microsoft Intune.

Question 18:
Skipped
You can use the Settings app to manage updates for Windows 11 devices, including
pausing updates. If the Pause Updates option is used with the default setting,
which type of updates will be paused, and for how long will they be paused?

Feature updates will be paused for 5 days.

Feature updates and quality updates will be paused for 7 days.

(Correct)

Quality updates will be paused for 7 days.

Feature updates and quality updates will be paused for 5 days.


Explanation
Windows 11 update options include the ability to pause both feature updates and
quality updates. The pause period can be a maximum of 35 days; the default pause
period is 7 days.
Question 19:
Skipped
You can use several recovery tools to resolve issues with Windows 11. Which
recovery tools allow the operating system to be fully reinstalled/restored and allow
you to retain personal data files?

Diagnostics and Recovery Toolset (DaRT)

Reset This PC

(Correct)

System Image Recovery

(Correct)

System Restore Point

Windows 11 Installation Media


Explanation
You can use the Reset This PC tool in Windows 11 to fully reinstall Windows 11 while
keeping any personal data files that exist. However, this tool does include an option
to remove all files during the reinstall. By booting to the Advanced Options menu in
Windows 11, you can use System Image Recovery to reinstall Windows 11. A system
image backup includes Windows 11 system files and personal data files, apps, and
settings.

The other answers are incorrect for the following reasons:

• Diagnostics and Recovery Toolset (DaRT): You use this to identify and fix
operating system problems. It does not include an option to reinstall Windows
11.
• System Restore Point: You use this to roll back the device to a previous state
after updates. It does not include the option to fully restore Windows 11.
However, when you use the System Restore Point feature, personal files are
not affected.
• Windows 11 Installation Media: You can use installation media to complete a
full reinstall of Windows 11, but this does not allow you to retain personal
data files. You would need to back up these files first and then copy them
back to the computer after Windows 11 is running again.
Question 20:
Skipped
The Activation Troubleshooter tool is provided in the Settings app to help resolve
Windows 11 activation issues. Where can you locate the troubleshooting tool within
the Windows 11 Settings app?

Update & Security

(Correct)

Accounts

System

Devices

Explanation
The Activation Troubleshooter tool is in the Update & Security area of the Settings
app. This area is dedicated to managing licensing, updates, and Windows 11
security.

All other answers are incorrect because:

• The Accounts area is for managing sign-in options and user accounts.
• The System area is used to manage device hardware settings.
• The Devices area is used to manage input device settings such as touchpad,
mouse, and keyboard settings.

Question 21:
Skipped
When managing multiple Windows 11 devices in a corporate environment, you
might want to block the use of the local Windows 11 administrator account on
devices. What methods prevent the administrator account from being used?

Disable the account.

(Correct)

Delete the account.

Remove all privileges from the account.

Rename the account.

(Correct)

Change the role allocated to the account.


Explanation
In Windows 11 you cannot delete, remove privileges from, or change the role
allocated to the administrator account. The only two ways you can block the
Windows 11 administrator account from being used are to disable the administrator
account and to rename it.

Question 22:
Skipped
Which of the following methods allow you to unlock a Windows 11 PC configured to
use Windows Hello?

Fingerprint

(Correct)

PIN

(Correct)

Picture password

Facial scan

(Correct)

Explanation
Windows Hello provides system support for biometric authentication, including
fingerprints, facial scans, and a PIN. After Windows Hello is configured with a
biometrics-based authentication method, you can link a password or PIN to unlock a
device.
Question 23:
Skipped
User Account Control (UAC) ensures that all standard tasks and apps run using a
non-administrator account. A standard user is logged in to a device and needs to
make a system change. How should the user complete this task?

When the UAC prompt appears, switch to using an administrator profile.


When the UAC prompt appears, sign out and then sign back in using an
administrator account.

When the UAC prompt appears, ask for permissions on the standard user
account to be temporarily changed.

When the UAC prompt appears, enter the username and password for an
administrator account.

(Correct)

Explanation
User Account Control (UAC) is a core security feature of Windows 11. UAC ensures
that everyday standard tasks and apps are run using a non-administrator account.

If a standard user needs to complete a task that requires administrator-level access,
UAC opens a prompt and asks for the username and password of an administrator.
Once the user enters this information and is authenticated, the user can perform this
task.

Standard users do not need to log out and back in again using a different account,
and they do not need to switch profiles or ask for the permissions for the standard
user account to be temporarily changed. These answers are incorrect.

Question 24:
Skipped
Windows 11 includes User Account Control (UAC). Which of the following
statements describe the benefits of UAC?

UAC can block access to a user account if a password has been
compromised.

UAC can prevent malware damage by ensuring that a non-administrator
account runs standard apps and tasks.

(Correct)

UAC can block the installation of unauthorized apps.

(Correct)

UAC can manage and reset passwords for users.

UAC can block system settings from being changed.

(Correct)

Explanation
User Account Control (UAC) is a core security feature of Windows 11. UAC ensures
that everyday standard tasks and apps run using a non-administrator account. This
means that if a device is infected, there will be no access to administrator-level
permissions, so damage caused by malware can be stopped or restricted.

Restricting administrator access also ensures that unauthorized apps can be
blocked from being installed, and system settings cannot be changed.

User Account Control is not an administrative interface that can manage passwords
for users or block access to user accounts; therefore, these answers are incorrect.

Question 25:
Skipped
With Windows 11 you can use share and NTFS permissions on files and folders.
When you use share and NTFS permissions together, which of the following
statements is true when a permission conflict occurs?

The most restrictive permission (from either share permissions or NTFS
permissions) is used.

(Correct)

NTFS permissions always have precedence over share permissions.

Permissions granted on higher, root-level folders take precedence over
lower-level folder permissions.

Share permissions always have precedence over NTFS permissions.
Explanation
When you are using only NTFS permissions, all files and folders adhere to the NTFS
permission rules that have been set. When you are using only share permissions, all
files and folders adhere to the share permissions that have been set. However, when
you are using the two systems together, you need a way to deal with permissions
conflicts. You resolve conflicts by applying the most restrictive permission
(regardless of whether it is an NTFS permission or a share permission).

This means the answers NTFS permissions always have precedence over share
permissions, Permissions granted on higher, root-level folders take precedence over
lower-level folder permissions, and Share permissions always have precedence over
NTFS permissions are all incorrect.

Question 26:
Skipped
When using Windows 11 local accounts, you can manage permissions by using
local groups so that any user assigned to a group inherits the permissions of that
group. Which of the following, by default, are members of the Users group?

Power users

The administrator account

The guest account

Domain users

(Correct)

Authenticated users

(Correct)

Interactive groups
(Correct)

Explanation
In Windows 11, some user accounts are preassigned to groups. For example, the
administrator user account is a default member of the Administrators group.

Domain users, authenticated users, and interactive groups are members of the Users
group by default.

However, guest accounts and power users do not belong to the Users group. Guests
accounts belong to the Guests group, and Power Users is a legacy group from
previous versions of Windows. However, you can use this group type in Windows 11
by applying a security template.

Question 27:
Skipped
When using the Windows 11 Settings app to create a Wi-Fi profile, you need to
include the network name, the security type, and the __________.

Security key/password

(Correct)

SHA security password

Encryption key

Windows Hello

Timestamp
Explanation
Using a Wi-Fi profile allows you to preconfigure a Windows 11 device so that it can
automatically connect to a specific Wi-Fi network at some point in the future.
Settings that you need to configure for the Wi-Fi profile include the network name, a
security type to be used for the connection, and a security key/password.
Question 28:
Skipped
You need to deploy a customized Windows 11 Start screen layout to several
Windows 11 devices. Which of the following methods allow you to deploy a
customized Windows 11 Start screen layout to several Windows 11 devices?

Group Policy

(Correct)

PowerShell

Mobile device management (MDM)

(Correct)

Provisioning package

(Correct)

Explanation
In a corporate environment, you can control the Start screen layout by creating a
customized Start screen on a test computer. You can then export this layout to other
devices. The Start screen layout is exported as an .xml file.

You can deploy this .xml file to devices either by using Group Policy, as a Windows
Configuration Designer provisioning package, or by deploying the .xml file using a
mobile device management (MDM) service, such as Microsoft Intune.

However, although you will use the PowerShell cmdlet Export-StartLayout to create
the .xml file, you cannot use PowerShell to deploy a customized Start screen layout.

Question 29:
Skipped
On a Windows 11 device, PowerShell has been launched via the Command Prompt,
using a standard user account. The remoting features of PowerShell are not
available, but you need to access these features.

How should you proceed?


Launch PowerShell by using the Start menu and not the Command Prompt.

Launch PowerShell on the remote device after making a remote
connection.

Use the Command Prompt to launch PowerShell as an administrator.

(Correct)

Launch PowerShell by using Run and not the Command Prompt.


Explanation
You can start PowerShell in several ways, including via Run, via the Start menu, via a
search, or from the Command Prompt. However, to access the remoting features of
PowerShell, you need to launch PowerShell as an administrator. This means you
need to start the Command Prompt session as an administrator.
Question 30:
Skipped
Windows 11 includes BitLocker, which offers two main security protections. With a
Trusted Platform Module (TPM) chip, BitLocker ensures that unauthorized changes
cannot be made to the trusted boot path. BitLocker also provides which of the
following for Windows 11 devices?

Disk encryption

Encryption

Full disk encryption

(Correct)

Device encryption

Data encryption

Data volume encryption

System and file encryption


Explanation
With the exception of the Home edition, all editions of Windows 11 include BitLocker.
This security feature stops changes from being made to the trusted boot path (for
example, the BIOS and the boot sector). However, it is best known for offering full
disk encryption.

BitLocker can encrypt and protect files (including Windows 11 system files), as well
as applications and data held within applications. It protects against unauthorized
access and hacking attempts. If a device is hacked, BitLocker also protects data
from being copied or stolen because the data is encrypted.

Question 31:
Skipped
Review the following scenario:

A Windows 11 laptop is used in a corporate office location (automatically obtaining a
dynamic IP address) and at a home location (using a static IP address). The laptop
owner isn’t required to manage network settings.

Select the most appropriate statement regarding the scenario.

In the office location, DHCPv4 is used to assign an IPv4 address, and in the
home location, an IPv4 address is entered manually for the static IP
address.

In the office location, Automatic Private IP Addressing is used to assign a
dynamic IPv4 address, and in the home location, DHCPv4 is used to support
the static IP address.

In the office location, DHCPv4 is used to assign an IPv4 address, and in the
home location, an alternate configuration is used to support the static IP
address.

(Correct)

In the office location, an IPv4 address is entered manually, and in the home
location, Automatic Private IP Addressing is used to support the static IP
address.
Explanation
You can configure a Windows 11 device to use an alternate IP addressing
configuration when a DHCP server is unavailable. This means you can use DHCPv4
in a corporate office environment to dynamically obtain IPv4 addresses from a
DHCP server. However, when no DHCP server is available, you can use the setting in
the alternative configuration. The alternative configuration can specify an APIPA
address or a static IP address. This is done automatically without input from the end
user. This means that the correct answer is c.

The scenario provided in the question requires a static IP address, whereas in some
scenarios, a home router may also provide DHCP services, which would allow the
laptop to obtain a dynamic IP address at home as well.

Question 32:
Skipped
Which of the following tunneling protocols does the built-in VPN client use in
Windows 11 Enterprise?

IKEv2

(Correct)

SSTP

(Correct)

L2TP

(Correct)

PPTP

(Correct)

Open VPN
Explanation
Windows 11 Enterprise includes a built-in VPN client that can use several tunneling
protocols, including Internet Key Exchange version 2 (IKEv2), L2TP, SSTP, and PPTP.

The built-in VPN client does not use the Open VPN tunneling protocol.

Question 33:
Skipped
You can set up Windows 11 devices to use a virtual private network (VPN). A VPN
allows secure connections to be made to a corporate network when an end user is
connecting from an external location. Which of the following is a mandatory
requirement when using the Windows 11 VPN feature?

A VPN provider

An app from a VPN provider

A third-party Win32 app

A VPN profile

(Correct)

Explanation
Before you can connect a Windows 11 device to a virtual private network (VPN), you
need to create a VPN profile. The VPN profile includes information such as the
server name, VPN type, and sign-in type.

A VPN provider is not required because one is built in to Windows 11. Some service
providers may use a VPN app, but this is not always the case, and it is not a
requirement. Also, a third-party Win32 app is not required because Windows 11
provides a fully working VPN platform.

Question 34:
Skipped
You are troubleshooting a device running Windows 11 Pro. The user reports that it
is slow to boot. You log on to the device as an administrator. Task Manager shows
many programs on the Startup tab. You decide to remove some of the apps from
the startup process. Which of the following startup apps can you not remove or
disable?

Sound device apps

(Correct)

Microsoft Office apps

Video device apps

(Correct)

Network device apps

(Correct)

Third-party antivirus apps


Explanation
When using Task Manager, you can use the Startup tab to manage which apps are
automatically started when a Windows 11 device boots. You can also use the
Settings app to specifically manage which apps are included in the startup process.

When many apps are automatically started on bootup, a device may run slowly.
Removing some of the apps from startup can speed up the boot process. You
cannot disable or remove apps from the startup process that are associated with
sound, network, and video devices.

Question 35:
Skipped
Which of the following management tools can you use to manage update settings
for Microsoft Edge in conjunction with Microsoft Intune?

System Center Configuration Manager

Group Policy

Windows Update for Business

(Correct)

Windows Server Update Services


Explanation
You can use several tools to manage Windows 11 updates, including updates for
Microsoft Edge. These include System Center Configuration Manager, Group Policy,
Windows Update for Business (and Windows Update), and Windows Server Update
Services. However, the only one of these that you can manage with Microsoft Intune
is Windows Update for Business.
Question 36:
Skipped
Automatic IP address assignment allows Windows 11 devices to automatically find
network information and IP addresses when a device is moved from location to
location. Which of the following is a requirement when using automatic IP address
assignment?

An ISP (internet service provider)

Automatic Private IP Addressing (APIPA)

A Dynamic Host Configuration Protocol (DHCP) server

(Correct)

A Domain Name System (DNS) server


Explanation
Automatic IP address assignment works with a Dynamic Host Configuration
Protocol (DHCP) server. The DHCP server can be a dedicated server on a network, or
it can be configured on a router. A Windows 11 device can be set up to find an IP
address and other network information automatically from the DHCP server or
router.

All the other answers are incorrect because an internet service provider is required
only when connecting to the internet, Automatic Private IP Addressing is used when
a DHCP server is unavailable, and a Domain Name System server is a database of
public IP addresses and is not used to configure automatic IP address assignment.

Question 37:
Skipped
Group Policy is being used to manage security settings for users. However, one
policy is not being applied as expected. Upon evaluation, you notice that no user
security settings are being applied. You need to troubleshoot the issue. Which of
the following is a possible cause of the problem?

Other user-related Group Policy settings have been implemented with
different security settings.

User-related security settings cannot be implemented using Group Policy.

Computer-related Group Policy settings have been implemented with
different security settings.

(Correct)

A conflict has occurred between computer-related and user-related
security settings, so the user-related Group Policy settings have not been
implemented.
Explanation
Group Policy settings are either computer-related settings or user-related settings.
Computer-related settings always take precedence over user-related settings.
Therefore, given the scenario in the question, the most likely explanation for the
problem is that a computer-related setting has taken precedence and is being
applied instead.

The issue is not being caused by other user-related security settings because the
question explains that no user-related security settings are being applied. Also, user-
related security settings can, in fact, be implemented using Group Policy.

Also, there would not be a conflict between user-related and computer-related
settings that would stop the user-related setting from being implemented. They
could still be implemented, but settings would be overridden.

Question 38:
Skipped
You can use the Microsoft Azure Backup tool with Windows 11 client devices to
back up data to the cloud. What is the name for the storage area that you need to
create first in Microsoft Azure?

Backup partition

Backup directory

Backup container

Recovery Services vault

(Correct)

Explanation
Before using Azure Backup to back up either a Windows server or Windows 11 client
devices, you need to create an area to store files and folders. This area is known as a
Recovery Services vault.

The vault acts as a container for data, but container is not the correct name for the
storage area. The answers directory and partition are also incorrect because these
are not the storage types that need to be created to use the Azure Backup tool.

Question 39:
Skipped
When a user’s Windows 11 laptop is being used in the office, DHCPv4 dynamically
allocates IPv4 addresses. An alternate configuration using a static IP address is
used when the device is at home. The user reports not being able to access the
internet while at work. You troubleshoot the device. The following information is
available:
• The laptop is currently in the office location.
• The current IP address is 169.254.12.4.

What is the problem with the laptop?

The laptop has been configured to use only APIPA.

The laptop has not been properly configured to be used in the home
location.

The laptop has been configured to use only DHCPv4.

The laptop cannot connect to the office DHCP server.

(Correct)

Explanation
The Windows 11 feature Automatic Private IP Addressing (APIPA) is used to
manage IP addresses when a DHCP server is not available. This means that DHCPv4
can be used in a corporate office environment to dynamically obtain IPv4 addresses
from a DHCP server. However, when no DHCP server is available, APIPA assigns a
static IP address in the range 169.254.X.X.

If the laptop is in the office environment and receives an APIPA-allocated IP address,
the laptop cannot communicate with the DHCP server.

Question 40:
Skipped
With a 64-bit edition of Windows 11, how are registry entries stored?

In 32-bit keys


In 32-bit keys and 64-bit keys

(Correct)

In 64-bit keys

In 18-bit keys, 32-bit keys, and 64-bit keys


Explanation
With a 64-bit edition of Windows 11, some registry keys are stored as 64-bit keys,
and others are stored as 32-bit keys. This allows 32-bit applications to be able to use
the registry.

Some registry keys are shared by both 32-bit and 64-bit applications. Shared keys
use a physical copy of a key stored in both the 32-bit location and the 64-bit location.

An edition of 64-bit Windows 11 does not store all keys as 32-bit, all keys as 64-bit,
or a mixture of 18-bit, 32-bit, and 64 bits; therefore, all these answers are incorrect.

Question 41:
Skipped
The Windows 11 Performance Monitor tool allows you to view system performance
information. You need to add counters to measure specific performance aspects.
Which subcomponent of the Performance Monitor tool should you select?

Data Collector Sets

Reports

Event Logs

Performance Monitor

(Correct)

Explanation
The Performance Monitor tool includes the Performance Monitor, Data Collector
Sets, and Reports subcomponents. It does not include Event Logs, so this answer is
incorrect.

You use Performance Monitor to add counters to instruct the tool to collect specific
performance data. This is the correct answer.

Data Collector Sets is a saved set of performance counters that combines data into
a single collection. The Reports feature is used to generate reports from Data
Collector Sets. Therefore, neither of these two answers is correct.

Question 42:
Skipped
You manage a small network, and Windows 11 devices are configured to share
resources in a workgroup environment. You have implemented several Windows 11
configuration changes by using a local group policy. What is the scope of these
changes?

Settings will be changed on all devices that are in the same on-premises
domain.

Settings will be changed on a single managed device.

(Correct)

Settings will be changed on all specifically targeted on-premises managed
devices.

Settings will be changed on one specifically targeted device, regardless of
whether it is cloud managed or on-premises managed.
Explanation
Local group policies affect only the individual device on which the change has been
implemented. You cannot use local group policies to manage changes for multiple
devices.

To manage multiple on-premises devices, you need to use Group Policy in an Active
Directory domain environment.

To make changes to cloud-managed devices, you need to use a mobile device
management service, such as Microsoft Intune.
Question 43:
Skipped
Several Windows 11 devices are hybrid Azure Active Directory joined devices. What
type of access to corporate resources are these devices most likely to have?

Access to on-premises services only

Access to on-premises and cloud services

(Correct)

Access to cloud services only

Access to either cloud services or on-premises services but not both


Explanation
Whereas Active Directory is an authentication and authorization service for on-
premises services, Azure Active Directory (Azure AD) is an authentication and
authorization service for Microsoft cloud services.

If you want to allow users to use just one username and password to access both
cloud and on-premises services, you can join Windows 11 devices as hybrid Azure
AD joined devices to use functionality of both Azure AD and Active Directory.

Azure AD hybrid joined devices do not have access to only on-premises services or
only cloud services; such devices exist in both the cloud and on-premises at the
same time.

Question 44:
Skipped
Windows 11 allows you to use Wi-Fi profiles to preconfigure Wi-Fi network
connection settings. Say that you need to deploy 2,000 devices with Wi-Fi profiles.
Which of the following are possible solutions?

Use Azure VPN Profiles.


Use a mobile device management service.

(Correct)

Use Windows PowerShell.

(Correct)

Use Group Policy.

(Correct)

Explanation
Depending on your IT system setup, you have a few available options when
deploying Wi-Fi profiles to multiple Windows 11 devices. For on-premises systems,
you can use Windows PowerShell or Group Policy. For cloud-based systems, you can
use a mobile device management service through Intune or Windows PowerShell.
Question 45:
Skipped
You need to manually configure a static IPv4 address on a Windows 11 device.
Which of the following settings need to be configured?

IPv4 address

(Correct)

Automatic Private IP Addressing

Subnet mask

(Correct)

Default gateway
(Correct)

DHCPv4

DNS server

(Correct)

Explanation
When you are manually managing IPv4 settings, you must configure all of the
following: the IPv4 address, the subnet mask, a default gateway, and a DNS server.
Because you need to configure static IPv4 addresses manually, automatic settings
are not configured. Therefore, settings for both DHCPv4 and Automatic Private IP
Addressing are not required.
Question 46:
Skipped
You need to manage the real-time performance of your Windows 11 PC. Which
tools can you use to view real-time CPU usage information?

Task Manager

(Correct)

Event Viewer

Resource Monitor

(Correct)

Performance Monitor

(Correct)

Explanation
Windows 11 includes several built-in tools to manage the Windows 11 environment.
You can use the Task Manager tool, Resource Monitor tool, and Performance
Monitor tool to view system performance and the resources that are being used,
such as the CPU.

The other answer is incorrect because you use the Event Viewer to view Windows 11
event logs.

Question 47:
Skipped
You need to manage the real-time performance of your Windows 11 PC. Which
tools can you use to view real-time CPU usage information?

Task Manager

(Correct)

Event Viewer

Resource Monitor

(Correct)

Performance Monitor

(Correct)

Explanation
Windows 11 includes several built-in tools to manage the Windows 11 environment.
You can use the Task Manager tool, Resource Monitor tool, and Performance
Monitor tool to view system performance and the resources that are being used,
such as the CPU.

The other answer is incorrect because you use the Event Viewer to view Windows 11
event logs.

Question 48:
Skipped
You manage 500 Windows 11 devices in your organization. All devices are
connected to your on-premises domain. Which management tool should you use to
modify registry settings if you want to minimize administrative effort and not incur
additional costs?

Microsoft Intune

The Settings app

Group Policy

(Correct)

The Control Panel


Explanation
You can use the Windows 11 registry to configure computer settings. These settings
may not be available within the Settings app or the Control Panel. Also, because you
need to make changes to 500 different devices in this case, you want to avoid
making each change manually and instead use a management tool. Therefore, you
should use Group Policy to manage and control Windows 11 on-premises
computers.

You cannot use Microsoft Intune to make the changes because it works only for
cloud-based devices and not for on-premises devices. In addition, purchasing
Microsoft Intune would incur additional costs.

Question 49:
Skipped
Users store data in OneDrive for Business. The following process occurs:

1. A user stores files in OneDrive.

2. The user deletes a file from OneDrive.

3. OneDrive syncs the file deletion to the linked Windows 11 device.

4. The deleted file is moved to the Recycle Bin on the Windows 11 device.

5. The user empties the Recycle Bin on the Windows 11 device.


Can the user ever recover the deleted file?

Yes. A copy will still be in the Recycle Bin on OneDrive.

(Correct)

No. The file has been deleted permanently.

Yes, but only if another backup system is also in place.

No. The Empty Recycle Bin action is synced back to OneDrive.


Explanation
You can sync a Windows 11 computer to a OneDrive account. Configuration settings
allow all files and folders to be synchronized automatically between the device and
cloud storage. Therefore, whenever you delete a file from OneDrive storage, the file
is also deleted from the Windows 11 device. On the computer, the deleted file is sent
to the Recycle Bin. However, even if the user empties the Recycle Bin on the
computer, the user can still restore the file because another copy remains in the
Recycle Bin in OneDrive. This means that all the “no” answers are incorrect because
the file can be restored. In addition, the answer that says that it can be restored only
if another backup system is also in place is also incorrect because the file can be
restored from the OneDrive Recycle Bin.
Question 50:
Skipped
Your administrator has asked you to monitor the performance of Windows 11
devices. You need to view and save CPU usage information. Which of the following
tools can provide historical as well as real-time information for CPU data usage?

Resource Monitor

Reliability Monitor

(Correct)


Task Manager

Performance Monitor

(Correct)

Explanation
Windows 11 includes several built-in tools to manage the Windows 11 environment,
and Reliability Monitor and Performance Monitor can provide historical data,
including reports and graphs. Although Task Manager does include some historical
data, it is only for app data and does not include historical CPU usage data or allow
you to save the data.
Question 51:
Skipped
Windows 11 is available in several editions. Which edition does not include the
Microsoft Edge browser?

Windows 11 Pro for Workstations

Windows 11 Home

Windows 11 Enterprise

Windows 11 Enterprise Long-Term Servicing Channel

(Correct)

Explanation
The Microsoft Edge browser is included in all versions of Windows 11 except for the
Windows 11 Enterprise Long-Term Servicing Channel edition. This edition is a
special edition of Windows 11 that does not include feature updates and is missing
some of the other features normally included within Windows 11 Enterprise, such as
Microsoft Edge, Cortana, and the Windows Store client. This version of Windows 11
is designed for computers that need to be secure and stable, such as computers that
control medical devices.
Question 52:
Skipped
Windows Remote Management is included on all Windows operating systems.
However, it is not enabled by default in Windows 11. To use remote management
features for Windows 11 client devices, what must you enable?

Win32

Winrmsrv

Winmail.dat

WinRM

(Correct)

Explanation
You can enable WinRM on the Windows Server operating system but not on the
Windows 11 client. WinRM allows services such as PowerShell remoting and
Remote Desktop to be used. You can enable WinRM for all Windows 11 clients by
using Microsoft Intune or Group Policy Objects.

All the other answers are incorrect because Win32 is a set of APIs used to develop
applications, Winrmsrv is a virus executable that aims to open remote access to a
device maliciously, and Winmail.dat is a file that supports rich text in email
messages.

Question 53:
Skipped
All copies of Windows 11 require activation. What is the activation process?

Activation is the process of completing a clean install of Windows 11 on a
device.

Activation links a software product key to a particular installation of
Windows 11.

(Correct)

Activation links a specific computer to a company using the hardware
device ID number for support purposes.

Activation is the process of taking out a volume licensing agreement with
Microsoft for Windows 11 devices.
Explanation
Every copy of Windows 11, no matter how the copy was purchased, requires
activation. You can use the same source files to image many computers with
Windows 11, but each installation requires a unique software product key to validate
the software and allow it to be used. Activation confirms the licensing status, and
validation confirms that the product can be used.
Question 54:
Skipped
On a Windows 11 PC, a user has created a new folder using File Explorer. The folder
needs to be shared with another person. How can sharing permissions be granted?

Use the Share With option on the ribbon.

(Correct)

Create a new local user account on the PC.

Use the Sharing tab in the Properties dialog box.

(Correct)

Select Advanced Security from the Share tab on the ribbon.

(Correct)

Use the Give Access To context menu by right-clicking the folder to be
shared.

(Correct)

Explanation
You can share a folder using File Explorer in several ways. Methods include:
• Use the Share With option on the Share tab on the ribbon (also called Network
File and Folder Sharing).
• Select Advanced Security from the Share tab on the ribbon.
• Use the Sharing tab in the Properties dialog box.
• Use the Give Access To context menu by right-clicking a folder to be shared.

However, you would not create a new local user account on the device. Although
such an account would offer access to the PC, it would not necessarily offer access
to the folder.

Question 55:
Skipped
All copies of Windows 11 must be activated and then validated. What is the
difference between activation and validation?

Activation is the process of installing Windows 11. Validation is the process
of providing the license product key for Windows 11.

Activation is the process of providing the license product key for Windows
11. Validation is the process of authenticating the product key.

(Correct)

Activation is the process of providing the license product key for Windows
11. Validation is the process of ensuring that the product key has not been
used for too many devices.

Activation is the process of proving the license product key for Windows
11. Validation is the process of using a key management service to
automate the activation process.
Explanation
Every copy of Windows 11 needs to be activated as part of the installation process.

Activation can happen in many ways, depending on how Windows 11 was installed—
for example, activation by using a product key, OEM (original equipment
manufacturer) activation by associating a device to a Windows 11 license, and
activation by using a key management service to manage Microsoft Volume
Licensing.

Activation is the process of linking a software product key to a particular installation
of Windows 11. Validation is the process of authenticating the product key to ensure
that it is valid and available for use. With Windows 11, activation and validation occur
at the same time.

The other answers are incorrect because:

• Activation is the process of installing Windows 11. Validation is the process of
providing the license product key for Windows 11. Activation is not the process
of installing Windows 11, and validation is not the process of providing the
product key. (That is actually activation.)
• Activation is the process of providing the license product key for Windows 11.
Validation is the process of ensuring that the product key has not been used for
too many devices. Validation does not check whether the product key has
been used for too many devices; that occurs during the activation phase.
• Activation is the process of proving the license product key for Windows 11.
Validation is the process of using a key management service to automate the
activation process. Validation is not the process of using a key management
service; a key management service is used to manage activation.
Question 56:
Skipped
You can use the Windows Activation Troubleshooting tool to resolve activation
issues on Windows 11 computers. Which of the following errors can the tool not
help fix?

A mismatch between the Windows Home edition and Pro license

Issues caused due to making major changes to computer hardware

A mismatch between the Windows Pro edition and Home license

Locating the correct product key for a Windows 11 device

(Correct)

Explanation
Activation confirms that each copy of Windows 11 is genuine. Activation confirms
the licensing status, and validation confirms that the product can be used. You can
encounter issues due to a mismatch in the Windows 11 edition that is installed or
due to making major hardware changes to a device. The Windows Activation
Troubleshooter tool can resolve these types of issues. However, you cannot use the
tool to locate a correct product key for Windows 11.
Question 57:
Skipped
Your company has purchased 100 new Windows 11 computers. All user settings,
apps, and data files must be migrated from the old Windows 8.1 devices to the new
Windows 11 devices. Which of the following tools/methods allows you to automate
the migration process?

User State Migration Tool (USMT)

(Correct)

Back up to external hard drive storage

Back up to OneDrive cloud storage

Copy to a networked storage drive


Explanation
You can use all the methods listed to migrate user data when moving to a new
Windows 11 PC. However, most of the methods require manual intervention, so they
are not suitable when migrating many users at scale.

The User State Migration Tool (USMT) automates the migration process. You can
create a migration rule to control which files and settings are migrated. You can then
use this rule with the USMT tool’s ScanState and LoadState options to collect and
restore user files and settings.

Question 58:
Skipped
You can use PowerShell remoting to create sessions and run commands on remote
computers.

Authorization is required to create remote sessions. Which forms of authorization
can you use to ensure a remote session will work?

The user connecting to the remote computer needs to be a member of the
Domain Admins group on the remote computer.

(Correct)

The user connecting to the remote computer needs to be a member of the
Administrators group on the remote computer.

(Correct)

The user connecting to the remote computer needs to provide the
credentials of an administrator for the remote computer.

(Correct)

The user connecting to the remote computer needs to be using an
administrator account and needs to be a member of the Standard Users
group on the source computer.
Explanation
If a user does not have the correct authorization for the remote computer to which
she wishes to connect, the remote session fails.

To use PowerShell remoting, the connecting user needs to be a member of the
Administrators group on the remote computer. A connecting user who is a member
of the Domain Admins group is also a member of the Administrators group. Another
option is to provide the correct administrator credentials for the remote computer.

Question 59:
Skipped
You need to enable automatic start for PowerShell remoting on a Windows 11
device. Which command do you use?

winrm quickconfig

Get-Service WinRM

Enable-PSRemoting -Force

(Correct)

Restart-Service WinRM


Explanation
To switch PowerShell remoting from manual to automatic startup, use the command
Enable-PSRemoting -Force. This command also starts the WinRM service, which
manages the sending of remote commands.

The other commands listed here are also PowerShell remoting commands, but you
use them for other purposes:

• winrm quickconfig can verify whether the PowerShell remoting service is
running on a remote destination computer.
• Get-Service WinRM can verify whether the WinRM service is running.
• Restart-Service WinRM can restart WinRM after settings have been changed
so that the changes take effect.
Question 60:
Skipped
You can use the RefreshWindowsTool.exe tool to perform a clean installation of
Windows 11. Which Windows editions does this tool support?

Windows 11 Enterprise

Windows 11 Home

(Correct)

Windows 11 Pro

(Correct)

Windows 11 Education
Explanation
The RefreshWindowsTool.exe supports both Windows 11 Home and Windows 11
Pro editions. It does not support other editions.
