MD102
You need to ensure that the Microsoft Office application used on iOS mobile
devices by Nutex employees is restricting Save-As and Cut, Copy, Paste to protect
sensitive corporate documents from being compromised. You decide to implement
an Application Protection Policy in Microsoft Intune.
After defining the required data protection settings in the policy for the specific
apps you wish to protect, what else must you do to implement this policy?
A) On the Assignments pane, select the Azure AD groups to apply this policy to
(Correct)
You cannot click Activate in the Overview pane for your policy. This option is not
available for Application Protection policies.
You do not have to ensure that all devices are protected by Intune Mobile Device
Management. While Application Protection policies can be applied to devices
protected by Intune Mobile Device Management, it is not a requirement for
implementing these policies.
You do not have to configure the IntuneMAMUPN setting in your policy. This is only
required when you are implementing these policies for devices protected by Intune
Mobile Device Management and is therefore not necessary for the specified
scenario.
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Create and deploy app protection policies - Microsoft Intune | Microsoft Learn
Question 2:
Verigon Corporation plans to put a large touchscreen in their reception area to
assist visitors in finding the correct department. A Windows 10 laptop will run an
application created for this purpose. For security purposes, only the touchscreen
and keyboard will be accessible. The laptop is not domain-joined.
What should you do to ensure that visitors cannot perform any action that is not
part of the reception application? (Choose all that apply.)
(Correct)
(Correct)
Explanation
You must enable User Account Control on the laptop. This action is required to
enable Kiosk Mode. There are several ways to choose Kiosk mode, including via
Group Policy and configuring a single-app within XML in a provisioning package by
using a kiosk profile. The easiest method, however, is to select Set up a Kiosk
in Settings.
You will need to create a kiosk account. This account is extremely limited and
restricted. In addition, you will probably want to implement device restrictions, such
as disabling the camera and disabling the power button.
There is no reason to join the laptop to the Verigon.com domain. This action would
decrease security.
You do not need to change the default sign-in options. By default, on a standalone
device, the last-signed-in user will be signed in automatically and the special app will
be launched automatically upon restart. (The kiosk account will need to be the last
signed-in user.)
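The same kiosk configuration can be scripted rather than clicked through Settings. The following is an added example, not part of the original question bank: it checks that User Account Control is enabled (the prerequisite named above), creates the restricted kiosk account, and locks it to one app with the built-in Set-AssignedAccess cmdlet. The account name and the Application User Model ID are placeholders; the real AUMID of the reception app must be substituted (Get-StartApps lists the installed apps with their AppID).

```powershell
# Added example: single-app kiosk on a standalone (non-domain-joined) Windows 10 PC.
# Assumptions: run in an elevated PowerShell session; the reception app is already
# installed; 'ReceptionKiosk' and the AUMID below are placeholders to replace.
#Requires -RunAsAdministrator

$KioskUser      = 'ReceptionKiosk'                           # placeholder account name
$AppUserModelId = 'PLACEHOLDER_ReceptionApp_abc123!App'       # placeholder AUMID

# 1. Assigned access depends on User Account Control; refuse to continue if it is off.
$uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
if ($uac -ne 1) {
    throw 'User Account Control is disabled. Enable it before configuring kiosk mode.'
}

# 2. Create the dedicated kiosk account as a standard user with no password, never an administrator.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $KioskUser -NoPassword -AccountNeverExpires `
                  -Description 'Reception kiosk (single app only)' | Out-Null
}
Add-LocalGroupMember -Group 'Users' -Member $KioskUser -ErrorAction SilentlyContinue

# 3. Look up the AUMID if it is not known; the AppID column is the value needed below.
Get-StartApps | Where-Object Name -like '*Reception*' | Format-Table Name, AppID

# 4. Replace the shell for that account with the single app (assigned access).
Set-AssignedAccess -UserName $KioskUser -AppUserModelId $AppUserModelId

# 5. Verify the assignment before rebooting. On a standalone device the last signed-in
#    user is signed in automatically at restart, so sign in once as the kiosk account.
Get-AssignedAccess
```

Device restrictions such as disabling the camera or the power button are not handled by Set-AssignedAccess; those remain separate policy settings, as the explanation notes.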
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Question 3:
You need to decide which feature of Windows 10 can be used on the computers
without a PIN. Which of the following is TRUE? (Choose all that apply.)
(Correct)
G) WKS13 can support BitLocker and Miracast.
Virtual smart cards (VSCs) are similar to physical smart cards in that they use
two-factor authentication. Virtual smart cards are created in the Trusted Platform
Module (TPM) chip, version 1.2 or greater, that is inside a computer. The keys used
by the virtual smart card for authentication are stored in cryptographically secured
hardware within the TPM. Only WKS10 and WKS13 support virtual smart cards
because they are the only computers that have a TPM chip.
Miracast allows you to project your screen to a TV or to another device that has a
wireless display (WiDi) receiver. Your computer must have WiDi support to use
Miracast. Only WKS11 and WKS12 support Miracast.
Hello is a feature of Windows 10 that allows a user to authenticate with her face, iris,
or fingerprint. You will need a fingerprint reader to authenticate using a fingerprint.
You will need an infrared (IR) camera to support facial or iris recognition. You can
also use a PIN with Hello. Only WKS11 supports Hello because it has an infrared
camera.
BitLocker is a drive encryption technology that comes with Windows 8 and higher.
You can enable BitLocker on the operating system drive in a Windows 10 computer if
the computer does not have a TPM chip. You can use a USB flash drive so it can
contain the BitLocker startup key for the computer. A computer with a TPM chip
version 1.2 or greater can use the system integrity verification that BitLocker can
also provide, while a computer without a TPM chip will not. All of the computers in
this scenario can support BitLocker.
Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment
References:
Question 4:
You plan to implement Microsoft Defender for Endpoint to detect and investigate
threats. You want to be able to use the following features of Microsoft Defender for
Endpoint:
• Attack surface reduction
• Identify attacker tools, techniques, and procedures
• Generate alerts when attackers are observed.
Which of the following licensing, hardware, and software requirements are required
to onboard devices to Microsoft Defender for Endpoint? Choose all that apply.
(Correct)
D) Access to Defender for Endpoint is supported through the Microsoft Edge browser
(Correct)
(Correct)
(Correct)
(Correct)
Explanation
Microsoft Defender for Endpoint is supported on a Windows 10 Enterprise E5 and
Windows 10 Enterprise A5 license. It is also supported on the following licenses:
• Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
• Microsoft 365 A5 (M365 A5)
• Microsoft 365 E5 Security
• Microsoft 365 A5 Security
• Microsoft Defender for Endpoint
Any licensed user can use Microsoft Defender for Endpoint on up to five concurrent
devices, not 10 concurrent devices.
Access to Defender for Endpoint is supported through the Google Chrome browser
and Microsoft Edge browser. Access to Defender for Endpoint is not supported
through the Safari browser or Internet Explorer. Microsoft will no longer support
Internet Explorer after 6/15/2022.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
Question 5:
You are a system administrator for Nutex, Inc. They have an Active Directory
domain called nutex.com and an Azure AD subscription. There are 10,000 devices,
and all devices are enrolled in Microsoft Intune.
The following devices have been returned by employees. You need to wipe the
devices. However, you want to retain the enrollment state and user account data
while wiping the devices.
Which of the following devices can be wiped while also retaining the enrollment
state and user account data? (Choose all that apply.)
A) DevicePC3
(Correct)
B) DevicePC2
C) DevicePC1
D) DevicePC4
(Correct)
Explanation
In the given scenario, you can retain the enrollment state and user account data for
devices DevicePC3 and DevicePC4. The Retain enrollment state and user
account option is only available for devices with Windows 10 version 1709 or later.
DevicePC1 and DevicePC2 will not be able to retain the enrollment state and user
account data because the Windows operating system is earlier than Windows 10
version 1709.
The wipe feature restores the device to default factory settings. You can choose to
keep user data if you select the Retain enrollment state and user account checkbox
and the device’s operating system supports the option. If you do, all data, apps, and
settings will be removed from the device. If Retain enrollment state and user
account is unchecked, the wipe action will remove the device from Intune
management and remove all account information, data, MDM policies, and settings.
This will reset the operating system to the default state and settings.
When Retain enrollment state and user account is checked, the wipe action will
remove all MDM policies while retaining user accounts and data. User settings will
be reset to the default, and the operating system will be reset to the default state and
settings.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Question 6:
Your company's network consists of Windows 10, Windows 11, Windows Server
2019, and Windows Server 2022 computers. Several of the Windows 10 computers
are used as kiosks by guests and are connected to an isolated network segment,
which is the only network that these computers can access. The network segment is
named Network2 and is configured as a public network.
Recently you have noticed that users are changing the network location type on
these computers to Private network. You must ensure that this network is always
configured as a public network and prevent users from changing the location type.
You decide to implement a Group Policy. On one of the kiosk computers, you open
the Computer Configuration / Policies / Windows Settings / Security Settings /
Network List Manager Policies section in the local security policy.
What should you configure? Click the image to select the correct option. (More than
one option can be selected.)
A) 134,199,29,179
B) 188,319,28,302
(Correct)
C) 135,221,20,203
(Correct)
D) 133,176,31,155
E) 142,274,27,257
F) 186,297,30,278
Explanation
You should open the Network1 policy. On the Network Location tab, select
the Public location type setting and the User cannot change location setting, and
click Apply. This will ensure that Network1 is always configured as a public network
and that users cannot change the location type. An example of the Network
Location tab is shown in the following exhibit:
You can also configure the network name and prevent users from changing the
name on the Network Name tab, as shown in the following exhibit:
Finally, you can configure the icon settings on the Network Icon tab, as shown in the
following exhibit:
You should not open the Unidentified Networks policy, select the Public Location
Type setting and the User cannot change location setting, and click Apply. This
would configure the default settings for any unidentified networks on the Windows
10 computer. The Unidentified Networks policy is shown in the following exhibit:
You should not open the Identifying Networks policy, select the Public Location
Type setting, and click Apply. This will configure the temporary settings for any
networks that are identified on the Windows 10 computer. The Identifying
Networks policy is shown in the following exhibit:
You should not open the All Networks policy, select the User cannot change
location setting, and click Apply. The All Networks policy is shown in the following
exhibit:
This can be used to allow users to change the network name, network location, and
network icon for all currently configured networks on a Windows 10 computer. This
policy affects all the networks on the computer.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Question 7:
You plan to configure Microsoft Tunnel for Intune. You have installed Red Hat
(RHEL) 8.4 on the on-premises server and have reviewed and configured the
prerequisites for Microsoft Tunnel.
(Correct)
After running the Microsoft Tunnel readiness tool, you would create the server
configuration. You can create a server configuration once and then use it for multiple
servers. Configuration parameters include the IP address range, DNS servers, and
split-tunnelling rules. You can create the server configuration from the Microsoft
Intune admin center.
After creating the server configuration, you would create the site configuration. Sites
are logical groupings of servers that host Microsoft Tunnel. You would assign a
server configuration to each site you create. You can create the site configuration
from the Microsoft Intune admin center.
After creating the site configuration, you would install Microsoft Tunnel Gateway.
You can use the script available for download from the Microsoft Intune admin
center to install Microsoft Tunnel Gateway (as shown in the exhibit).
You would run the script as root on the server. When the script is started, it
downloads the images from Microsoft Tunnel Gateway container images in the
Intune service and creates the required files and folders on the server. You would
complete the required steps that the script will prompt for while it is running the
setup.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Microsoft Learn > Microsoft Intune > Intune service > Microsoft Tunnel for Microsoft Intune
Microsoft Learn > Microsoft Intune > Intune service > Prerequisites for the Microsoft Tunnel in Intune
Microsoft Learn > Microsoft Intune > Intune service > Configure Microsoft Tunnel for Intune
Question 8:
You are an enterprise admin for the Verigon Corporation. Your company recently
received a shipment of new desktop computers that will be distributed to all your
offices onsite. The machines are preloaded with the latest version of Windows 10
Professional Edition and have not yet been configured. You want to bulk enroll
them in your MDM solution.
(Correct)
You would not choose to create a configuration profile using Microsoft Endpoint
Manager. You cannot create a configuration profile for these machines because they
have not yet been MDM enrolled.
You would not choose to create an MDM enrollment profile using Microsoft
Configuration Manager because the devices have not yet been MDM enrolled.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Question 9:
After implementing an Application Protection Policy in Microsoft Intune, you
discover that there are a few iOS users who are still able to violate the policy by
saving sensitive corporate documents to their personal devices using Microsoft
Office Apps on iOS. You have selected the correct apps and settings for your policy
and assigned the correct groups to include. You verify that the users in question
are part of the correct groups as specified in the policy assignments.
What else could you do to ensure the Application Protection Policy is properly
being applied?
B) Use the Intune App Wrapping Tool to ensure the Application is enforceable
C) Make sure the users have been assigned Microsoft Intune licenses
(Correct)
You should not assign certificates to the users’ iOS devices. Certificate assignment
would only be necessary to grant users protected connections through a VPN,
authenticated Wi-Fi, or protected email profiles. This is not necessary for the current
situation.
You should not use the Intune App Wrapping Tool to ensure that the Application is
enforceable. This tool is used mostly on internally developed Line-of-Business apps
that you want to be managed by Intune policies. Apps that already support Intune
management (such as MS Office apps) do not need this step.
You should not turn on Multi-Factor Authentication (MFA) to validate the offending
users. MFA will certainly bring more security in authentication by forcing the user to
provide more than just their username/password, but it will not resolve the problem
as specified.
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Create and deploy app protection policies - Microsoft Intune | Microsoft Learn
Learn about the types of certificate that are supported by Microsoft Intune | Microsoft Learn
Prepare apps for mobile application management with Microsoft Intune | Microsoft Learn
Question 10:
You are a system administrator for your organization. They have an Azure AD
environment. All workstations in your organization are running the Windows 11
operating system and joined to Azure AD, and all devices are registered with
Microsoft Intune.
(Correct)
Selecting the Action to “Send email to users” will not work in the given scenario. This
option will only send a notification email when the device is non-compliant. It can be
configured with other Actions of noncompliance. Configuring this option alone will
not ensure company data is removed from the device and the device is removed
from Intune management.
Selecting the Action to “Remotely lock the noncompliant device” will not work in the
given scenario. This option will only lock the device when the device is
non-compliant. It can be configured with other Actions of noncompliance. Configuring
this option alone will not ensure company data is removed from the device and the
device is removed from Intune management.
Selecting the Action to “Send push notification to end user” will not work in the given
scenario. This option will send a notification about non-compliance to a device
through the company portal app or Intune app on the device. This option can be
configured with other Actions of noncompliance. Configuring this option alone will
not ensure company data is removed from the device and the device is removed
from Intune management.
Objective:
Manage identity and compliance
Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune
References:
Configure compliance policies with actions for noncompliance in Microsoft Intune | Microsoft Learn
Question 11:
You are a system administrator for Verigon Inc. Your organization has acquired the
Nutex Corporation, which has 10,000 Windows 10 devices. Most of the Nutex
employees work from home.
You are planning to upgrade all Windows 10 devices to Windows 11. You have been
tasked with establishing requirements and determining which Windows 11 editions
will suit the existing devices. You are investigating the Windows 11 Home and Pro
editions.
A) Secure boot
(Correct)
D) Windows Security
Explanation
Windows 11 Home Edition does not support the BitLocker device encryption feature.
BitLocker encrypts your device and secures your information. If you misplace your
device or it is stolen, BitLocker will lock everything, and unauthorized individuals will
not be able to access your system or data. This feature requires Trusted Platform
Module (TPM) 2.0 or later.
The following features are supported by both Windows 11 Home and Pro Editions.
• Device encryption – Helps protect the device by encrypting your data.
• Find my device – Helps in locating your device or digital pen.
• Firewall and network protection – Protects your device against viruses,
malware, and ransomware.
• Internet protection – Secures your device against malicious apps, files,
websites, and downloads.
• Parental controls and protection – Helps you limit access to adult content,
limit screen time, and control online purchases when connecting your family
Microsoft accounts.
• Secure boot – Protects your device from malicious apps and unauthorized
operating system services loading when the device starts.
• Windows Hello – Provides passwordless authentication and uses facial
recognition, fingerprint, or a PIN for a secure, password-free login method.
This feature only works with compatible Windows devices.
• Windows Security – Helps you view and manage device health and security.
Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment
References:
Question 12:
You have recently joined the Nutex Corporation as the Security Administrator.
Nutex is a growing company in the e-commerce sector. They are planning to start
offices in multiple geographical locations. The IT team at Nutex is planning the
implementation of Azure AD and Intune to manage the core infrastructure and
Windows 11 endpoints. You are tasked with coming up with secure practices for
managing endpoints. You plan to implement Local Administrator Password
Solution (LAPS).
Which of the following statements about LAPS are TRUE? (Choose two.)
(Correct)
(Correct)
Explanation
The following statements are true:
• Local administrator account passwords protected with LAPS are
tamperproof.
• LAPS policy can be configured with the reset administrator password if the
local administrator account authenticates on an endpoint.
Local administrator account passwords protected with LAPS are tamperproof. Local
Administrator Password Solution (LAPS) is a Microsoft solution for the potential
security issues related to using a common local account with an identical password
on every computer in a domain. LAPS generates different, random passwords for the
common local administrator account on the endpoints in the domain. For situations
where support is needed on endpoints using the administrator account, the domain
administrator can grant access to authorized helpdesk technicians to read the
password from Azure AD and log in to the administrator account. LAPS is designed
to be tamperproof and completely managed from Azure AD, without any ability to
change the password locally. Such attempts are logged, and you can see them in
Event Viewer.
LAPS policy can be configured with the reset administrator password if the local
administrator account was actively used on an endpoint. You can do this using the
PostAuthenticationResetDelay and PostAuthenticationActions settings. Use the
PostAuthenticationResetDelay setting to set a specific time to wait after an
authentication before executing the specified post-authentication actions. Use the
PostAuthenticationActions setting to specify one of the following actions after the
wait time: Reset password, Reset password and log off, or Reset password and
reboot.
LAPS not only works for endpoints with an existing administrator account, but you
can also specify a new local administrator account for which the LAPS policy must
apply when pushing the policy. Use the AdministratorAccountName setting to
specify the account name. However, the account must be created on the endpoint
before pushing the LAPS policy.
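The settings named in this explanation map onto concrete Windows LAPS policy values. The following is an added example, not part of the original question bank: it writes the same values locally that an Intune Account protection (LAPS) policy delivers through the LAPS CSP, forces immediate policy processing, reads the LAPS operational event log where tamper attempts are recorded, and then shows the helpdesk retrieval step from Azure AD. It assumes Windows LAPS is present on the endpoint (Windows 11 22H2 or Windows 10 with the April 2023 update or later), the device is Azure AD joined, and the Microsoft.Graph module is installed on the helpdesk machine; the account name and device name are placeholders. The registry write is a lab shortcut only; in production the policy is pushed from Intune as the explanation describes.

```powershell
# Added example: Windows LAPS policy values, local policy processing, and helpdesk
# retrieval. Assumptions: elevated session on an Azure AD joined lab endpoint; the
# managed local account named below already exists on the endpoint (placeholder name).
#Requires -RunAsAdministrator

$LapsPolicy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $LapsPolicy -Force | Out-Null

# Where the password is escrowed: 0 = disabled, 1 = Azure AD, 2 = Windows Server AD
Set-ItemProperty -Path $LapsPolicy -Name BackupDirectory -Value 1 -Type DWord

# Managed account; must be created on the endpoint before the policy applies.
Set-ItemProperty -Path $LapsPolicy -Name AdministratorAccountName -Value 'LocalAdminPlaceholder' -Type String

# Hours to wait after the managed account authenticates before acting (0 disables the feature).
Set-ItemProperty -Path $LapsPolicy -Name PostAuthenticationResetDelay -Value 4 -Type DWord

# Action after the delay: 1 = reset password, 3 = reset password and log off,
# 5 = reset password and reboot.
Set-ItemProperty -Path $LapsPolicy -Name PostAuthenticationActions -Value 5 -Type DWord

# Password generation: complexity 4 = upper, lower, digits and specials; 20 characters;
# rotate every 30 days even if the account is never used.
Set-ItemProperty -Path $LapsPolicy -Name PasswordComplexity -Value 4 -Type DWord
Set-ItemProperty -Path $LapsPolicy -Name PasswordLength     -Value 20 -Type DWord
Set-ItemProperty -Path $LapsPolicy -Name PasswordAgeDays    -Value 30 -Type DWord

# Apply the policy now instead of waiting for the next scheduled processing cycle.
Invoke-LapsPolicyProcessing

# Review what LAPS did; local attempts to change the managed password are logged here.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# --- Helpdesk side (run on the technician's machine, not the endpoint) ---
# Reading the escrowed password needs the DeviceLocalCredential.Read.All permission,
# which is what the domain administrator grants to authorized technicians.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'
$device = Get-MgDevice -Filter "displayName eq 'LAB-PC-PLACEHOLDER'"
Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText
```

Reading the password through Get-LapsAADPassword rather than from the endpoint is the point of the design: the endpoint never holds a user-settable password, and any local change attempt shows up in the LAPS operational log rather than silently succeeding.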
Objective:
Manage identity and compliance
Sub-Objective:
Manage identity
References:
Question 13:
You have recently joined the Nutex Corporation as the Windows Client
Administrator. Nutex is a growing company in the e-commerce sector. All
employees use Windows 10 endpoints. You are tasked with identifying a suitable
Microsoft service for remotely managing and troubleshooting issues on the
endpoints. You plan to use Windows Admin Center for this.
Which of the following statements about Windows Admin Center are TRUE?
(Choose two.)
(Correct)
(Correct)
Explanation
The following statements are true:
• In Windows Admin Center, extensions can be made available only at the level
of a gateway.
• Shared Connections can be configured to allow all gateway users to manage
all endpoints.
Windows Admin Center is an extensible platform that allows you to integrate with
other IT administration products and solutions seamlessly. It contains Solution and
Tool extensions built using modern web technologies, including HTML5, CSS,
Angular, TypeScript, and jQuery, and can manage target servers via PowerShell or
WMI. Extension is a gateway-level setting that the Gateway Administrator must
enable for the gateway users.
Shared Connections can be configured to allow all gateway users to manage all
endpoints. Gateway users are IT team members who manage endpoints remotely
and have been assigned access to the Windows Admin Center service by a Gateway
Administrator. The Gateway Administrator must add the endpoints that must be
managed to Windows Admin Center. Adding all the endpoints using the Shared
Connections feature automatically authorizes all Gateway users’ access to the
endpoints. You can also add a specific set of high-priority endpoints as Shared
connections to make remote support available.
Machines running Windows 11, Windows 10, Windows Server Semi-Annual Channel,
Windows Server 2019, Windows Server 2016, Microsoft Hyper-V Server 2016,
Windows Server 2012 R2, Microsoft Hyper-V Server 2012 R2, and Windows Server
2012 can be managed from Windows Admin Center. You can also manage Arc-enabled
servers, Azure Stack HCI cluster nodes, and Azure VMs.
Microsoft does not recommend using Windows Admin Center for local management
of the same server on which it is installed. You can use Windows Admin Center to
connect to a server remotely from a management PC or other computer to manage
the server. Windows Admin Center client does not need to be installed on the
endpoints that must be managed. Windows Admin Center is a browser-based app
for managing Windows servers, clusters, hyper-converged infrastructure, and
Windows 10/11 endpoints. To manage endpoints, you would install Windows Admin
Center on a Windows endpoint or Windows server acting as a gateway server, and
remotely connect to the endpoints.
Objective:
Deploy Windows client
Sub-Objective:
Configure remote management
References:
Configure shared connections for all users of the Windows Admin Center gateway | Microsoft Learn
Question 14:
You are planning to implement Microsoft Intune to ensure protection of sensitive
corporate materials on unmanaged user devices. As part of your plan you decide to
create security groups in Azure Active Directory to aid in assigning appropriate
protections.
What next steps should be part of the plan to ensure that Nutex Corporation’s
documents are properly secured when using applications on user devices? (Choose
three.)
A) Enable device platforms
(Correct)
(Correct)
(Correct)
Explanation
Your plan should include the following:
• Assign Intune and Office 365 user licenses appropriately
• Add and deploy apps to Intune
• Create and assign App Protection Policies
The apps must be added and identified to Intune so that Intune can manage
application capabilities.
App Protection Policies should be created and assigned. App Protection Policies are
the part that makes Mobile Application Management work. The devices do not have
to be managed as long as the App Protection Policies are created and appropriately
assigned.
Your plan does not require device enrollment. Device Enrollment is necessary for
using Intune in a Mobile Device Management (MDM) environment but not for Mobile
Application Management (MAM) as described in our scenario.
Your plan does not need to include creating and assigning certificates to user
devices. Certificates ensure protected connections over VPN, Wi-Fi, and more secure
Email profiles. This, however, is not necessary in our specified scenario.
Your plan does not need to enable device platforms. Device platforms do not need to
be enabled for MAM. In an MDM environment this would be required, especially if
preparing for iOS or macOS devices.
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Question 15:
Your network contains an Active Directory domain named nutex.com that is synced
to Microsoft Azure Active Directory (Azure AD).
You have a Microsoft 365 subscription. You have devices that run Android, iOS, and
Windows. Devices can connect either in the office or remotely. You want to have a
conditional access policy to enforce Microsoft Cloud App Security session control
when Android, iOS, or Windows devices are unmanaged and not joined to Azure AD.
A) Device Platform
D) Locations
Explanation
You should choose Filter for device. Filter for device condition replaces the
deprecated Device state condition. The Filter for device condition is more granular
than the Device state condition and can exclude hybrid Azure AD-joined devices
from a conditional access policy. It can also mark a device as compliant in a
conditional access policy. Device state can be used to apply a conditional access
policy to unmanaged devices to enforce the Microsoft Cloud App Security session
control when a device is unmanaged.
You should not choose Locations in the conditional policy. By default, all locations
are included in the conditional policy.
You should not choose Users and Groups. This condition is used to include or
exclude guest users, directory roles, or a specific group of users.
Objective:
Manage identity and compliance
Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune
References:
Question 16:
You are the cybersecurity admin for the Nutex Corporation.
You want to secure corporate data on your endpoint MDM-enrolled client devices
and prevent users from copying and pasting corporate data when using
applications in order to prevent data leakage.
Which of the following options will achieve this objective using Microsoft Endpoint
Manager?
(Correct)
You would not choose to create an app configuration policy. App configuration
policies are used to deploy desired application settings and cannot prevent app data
leakage.
You would not choose to create a Windows 10 compliance policy that requires
BitLocker encryption. While BitLocker can protect data at rest, it cannot prevent app
data leakage.
You would not choose to create an Endpoint Security profile that enables full disk
encryption. While enabling full disk encryption can protect data at rest, it does not
prevent app data leakage.
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Create and deploy app protection policies - Microsoft Intune | Microsoft Learn
Question 17:
You plan to implement Windows Hello with devices that run Windows 10.
A) HD webcam
B) Near-infrared camera
(Correct)
Windows Hello cannot be used with night vision, high contrast, or HD webcams, as
they do not provide a consistent image, regardless of the ambient lighting conditions
in the room.
Objective:
Manage identity and compliance
Sub-Objective:
Manage identity
References:
Question 18:
Nutex Corporation uses Microsoft Intune as its mobile device management
solution. All devices are enrolled using the Hybrid AD Join method. You have been
asked to provide regular reports on the health of these devices.
What products can give you this information? (Choose all that apply.)
(Correct)
(Correct)
(Correct)
D) Windows Autopilot
Windows Security Center offers device health information and would work in this
scenario. To enable it, go to Windows Security and choose Device Performance and
Health. However, a cloud-based solution would be a better choice.
Windows compatibility reports in the Microsoft Endpoint Manager admin center can
report on devices that crash frequently and identify drivers that are causing those
crashes.
Azure Monitor Log Analytics can provide information on device health. It depends on
the Microsoft Monitoring Agent Service to collect information and provide it to Azure
Monitor.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Monitor devices
References:
Question 19:
You are the remote desktop administrator for the nutex.com domain. You have
several RemoteApps that users need to run on their mobile devices.
A) You must run at least the iOS 6.x operating system on an iPad to run the
remote desktop client.
(Correct)
B) You must run at least the iOS 5.x operating system on an iPad to run the
remote desktop client.
C) You must run at least Android 4.1.x (Jelly Bean) operating system on an
Android device to run the remote desktop client.
(Correct)
D) You must run at least the iOS 4.x operating system on an iPad to run the
remote desktop client.
E) You must run at least the Android 2.3.7 (Gingerbread) operating system
on an Android device to run the remote desktop client.
F) You must run at least Android 4.0.4 (Ice Cream Sandwich) operating
system on an Android device to run the remote desktop client.
Objective:
Deploy Windows client
Sub-Objective:
Configure remote management
References:
Remote Desktop clients for Remote Desktop Services and remote PCs - Windows Server | Microsoft Learn
Get started with the Android client | Microsoft Learn
Question 20:
You are the enterprise admin for the Verigon Corporation. The company has an
Employee Choice program that allows employees to choose their own company
device. All devices are then enrolled in Microsoft Endpoint Manager. You want to
create a policy that will enforce a minimum OS version for both iOS and Windows
10 devices.
Which of the following will allow you to achieve this objective using Microsoft
Endpoint Manager?
(Correct)
Explanation
You would choose to create a device compliance policy. Device compliance policies
define the rules a device must meet to be considered compliant, and only compliant
devices and their users are then allowed to access the company's network and
resources. One such rule can be a minimum version for designated operating systems.
You would not choose to deploy a security baseline. Security baselines in Intune are
settings that are pre-configured and represent best practice recommendations from
the relevant Microsoft security teams for the product. They do not involve minimum
operating system requirements.
You would not choose to create a device configuration profile. Device configuration
profiles are used to deploy desired settings to client machines and users. They
cannot enforce a minimum operating system version.
You would not choose to create a conditional access policy. Conditional access
policies are used to enforce which devices and apps can access your corporate
resources. They cannot enforce a minimum operating system version.
Objective:
Manage identity and compliance
Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune
References:
Question 21:
You are a system administrator for Verigon Inc. Your organization has an Azure
environment and has procured a Microsoft Intune subscription. All Windows 11
devices are registered with Microsoft Intune. You want users enrolling their
Windows devices and signing in for the first time to see their provisioning status on
the Enrollment Status Page (ESP). The enrollment should meet the following
requirements:
• Users should see a custom error message specific to your organization when
they encounter enrollment errors.
• Users should not be able to use their devices until all required apps are
successfully installed.
The ESP displays the provisioning status to users enrolling their Windows devices
and signing in for the first time. This helps users view their progress in the setup
process. You can also configure the ESP to block the device from being used until all
the mandatory policies have been applied and applications installed.
To create a new ESP profile, log in to the Microsoft Intune admin center and
select Devices. Choose Windows > Windows enrollment > Enrollment Status
Page and click Create.
Click Next. Navigate to Assignments and select the groups to receive the profile.
Review your settings in Review + Create and then click Create.
Creating an Autodiscover service connection point (SCP) in Microsoft Intune is not
the first thing you would do to deploy the ESP on the devices. Autodiscover SCPs are
not created in Intune. A service connection point (SCP) object in Active Directory
provides a way for domain-joined clients to find Autodiscover servers. Intune does
not use an SCP.
Installing the Intune Connector for Azure AD on the Windows 11 machines is not the
first thing you would do to deploy the ESP on the devices. Using the Intune
Connector creates autopilot-enrolled computers in the on-premises domain. It does
not allow you to see their provisioning status on the Enrollment Status Page (ESP).
While joining devices to a domain using Windows Autopilot, you would follow these
steps:
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Set up the Enrollment Status Page in the admin center - Microsoft Intune | Microsoft
Learn
Enrollment for hybrid Azure AD-joined devices - Windows Autopilot | Microsoft Learn
Question 22:
Employees at Verigon Corporation use company-provided Windows 10 laptops that
are managed with Intune. Verigon has decided to allow some employees to use
their personal iPhones to access company email.
What steps will be part of the process to allow users to enroll their personal
devices? (Choose all that apply.)
(Correct)
C) Have users install the Intune Company Portal application on their iOS
devices
(Correct)
D) Have users install the Lookout for Work application on their iOS devices
You do not need to create a CSV file with a list of devices to add. This action would
be a part of using Windows Autopilot to enroll company devices in Intune, but is not
relevant here.
You do not need to have users install the Lookout for Work application on their iOS
devices. Lookout for Work is one of several MDM Mobile Threat Defense
applications that you may choose to implement, but they are not part of enrollment.
You do not need to add a device enrollment manager account to Intune. Adding a
user as a device enrollment manager account would allow the user to enroll up to
1000 devices. The scenario is about self-enrollment.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Question 23:
The Sales department at Nutex is planning for a deployment of the newest
Microsoft 365 Apps release. They currently use Excel workbooks and Word
documents that have some fairly intense macros built into them for their day-to-
day work. You decide to use the Readiness Toolkit for Microsoft 365 Apps add-ins
and VBA utility to prepare for this deployment. On a specific user’s computer, you
execute the following command:
What will this command accomplish? (Choose all that apply. Each option is part of
the complete answer.)
B) This will scan the specified files for macros and make recommendations
to fix their compatibility
(Correct)
D) This will scan the specified files for add-ins and report on their possible
readiness status
E) This will scan files in the user’s Most Recently Used list
(Correct)
Explanation
When you execute the command ReadinessReportCreator.exe -mru -output
\\NutexServ\finance -silent, the Readiness Toolkit will scan files in the user's Most
Recently Used list and generate an Excel workbook as output, stored in
the \\NutexServ\finance folder, without sending any output back to the screen. The
benefit of allowing the Readiness Report Creator to only scan Office documents that
are in the user's most recently used files list is that it allows you to narrow the focus
of the scan to documents that the user accesses on a regular basis.
The command will only scan the specified files for MACROS and make
recommendations to fix their compatibility. It does not fix or repair code in VBA
macros. This command does not include the -addinscan option, which would be
required to scan and report on add-ins.
The command contains the parameter -output \\NutexServ\finance. The value of this
parameter is the output destination for the Excel workbook output. This command
will NOT scan the files in the folder \\NutexServ\finance but will use the folder as the
output destination.
This command will NOT fix deprecated/broken macro code or add-ins for
compatibility in the scanned files. It only recommends possible fixes and
compatibility statuses.
This command will NOT scan the specified files for add-ins and report on their
possible readiness status. You would need to add the -addinscan option to
accomplish this.
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Use the Readiness Toolkit to assess application compatibility for Microsoft 365
Apps - Deploy Office | Microsoft Learn
Question 24:
You are a system administrator for Verigon Inc. Your organization has an Azure
environment and has procured a Microsoft Intune subscription. All the devices are
enrolled in Microsoft Intune. You want to understand the following metrics:
• Average device startup time in seconds.
• Average sign-in time to the device in seconds.
• Top apps that have been reducing your score in the past 14 days.
Which of the following Adoption Score features should you use to analyze the
metrics?
A) Teamwork
C) Endpoint analytics
(Correct)
D) Content collaboration
Explanation
In the given scenario, you would use Endpoint analytics to analyze the metrics. The
Adoption Score is your organization’s overall score on how they are using Microsoft
365 and provides metrics, insights, and recommended actions. It reflects people and
technology experience measurements, which can be compared against the
organization’s benchmarks.
The Endpoint analytics score averages the Startup performance score, Application
reliability score, and Work from anywhere score.
The Application reliability score provides information on the top apps that are
reducing your score over the past 14 days. The information includes app name,
mean time to failure in hours, and active devices.
The Work from anywhere score represents a weighted average of the percent of
devices that have deployed insights for allowing users to work remotely or non-
remotely.
The Adoption Score can be enabled from the Microsoft 365 admin center after
logging in with a Global Administrator role.
You can view your organization’s total score and primary insights for each category
from the Adoption Score home page (refer to the exhibit).
Sub-Objective:
Monitor devices
References:
Because this kiosk will reside in the building lobby, you must also ensure that a
person using the kiosk cannot do anything on the device except use the kiosk app.
Also, if the computer restarts due to a power problem, the NutexUser should log in
automatically and the device should launch the kiosk application.
A) Go to Start > Settings > Accounts > Sign-in options and configure the
account to be used as the kiosk account.
(Correct)
(Correct)
E) Disable user account control (UAC).
F) Go to Start > Settings > Accounts > Other users and configure the account
to be used as the kiosk account.
(Correct)
Explanation
For a Windows 10 computer to act as a kiosk, you must enable user account control
(UAC).
To ensure that the NutexUser account is logged in and the kiosk is automatically
launched if the Windows 10 computer is rebooted, you should configure the Use my
sign-in info to automatically finish setting up my device after an update or
restart setting to ON. If this setting is set to OFF, then the account does not
automatically sign in when the device is restarted.
You should go to Start > Settings > Accounts > Other users and configure the
account to be used as the kiosk account. From this page, you can choose to set up a
kiosk by adding a local account that will act as the kiosk account and choose the
app that will run when the kiosk account signs in to the computer.
You can use the PowerShell cmdlet Set-AssignedAccess to configure access to the
kiosk account and kiosk application.
You can use the kiosk wizard in Windows Configuration Designer to configure
access to the kiosk account and kiosk application:
You would not go to Start > Settings > Accounts > Sign-in options and configure the
account to be used as the kiosk account. The Sign-in options page allows you to
configure Windows Hello, Picture password, PIN, or Dynamic Lock for your
computer.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Question 26:
The Nutex Corporation has multiple branches worldwide. You manage 10,000
workstations that run with a Windows 11 Pro license. You want to upgrade the
current license from Windows 11 Pro to Windows 11 Enterprise with no keys or
reboots.
A) Subscription activation
(Correct)
B) Windows Autopilot
C) In-place upgrade
D) Provisioning packages
Explanation
Windows 11 Enterprise E3 and Windows 11 Enterprise E5 are available as online
services via subscription. You can deploy Windows 11 Enterprise in your
organization with no keys or reboots. If you were running Windows 10 version 1703
or later, you could upgrade from a Windows 11 Pro license to a Windows 11
Enterprise license. Product key-based Windows 11 Enterprise licenses can be
transitioned to Windows 11 Enterprise subscriptions.
You cannot use subscription services to upgrade from Windows 10 to Windows 11.
You would not use Windows Autopilot for a Windows 11 Enterprise license upgrade.
Windows Autopilot uses various technologies to set up and preconfigure new
devices. It can be used to repurpose, recover, and reset devices. Windows Autopilot
helps IT administrators and reduces the time IT spends on deploying, managing, and
retiring devices. It also minimizes the amount of infrastructure required to maintain
the devices and maximizes ease of use for all types of end users.
You would not use provisioning packages for a Windows 11 Enterprise license
upgrade. Windows provisioning is best suited for small to medium-sized
deployments that range from ten to a few hundred. A provisioning package is a
container for a collection of configuration settings. You should use Windows
Configuration Designer to create a provisioning package. Windows Configuration
Designer is an app in the Microsoft store.
You would not use an in-place upgrade for the Windows 11 Enterprise license
upgrade in the given scenario. An in-place upgrade is used to upgrade an earlier
version of Windows to a new version. It automatically preserves all data, settings,
applications, and drivers. The in-place upgrade supports manual or automatic rolling
back to the previous OS in case you encounter issues either during or after the
deployment.
Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment
References:
Question 27:
You have 60 Android devices and 50 iOS devices enrolled in an Intune tenant. You
plan to add a device compliance policy to apply settings depending on the version
of the operating system of Android or iOS.
(Correct)
C) Configure corporate device identifiers in Device enrollment
You do not have to configure Device settings in Azure Active Directory. Device
settings in Azure Active Directory let you set whether devices can join Azure AD,
whether users can register devices with Azure AD, whether multi-factor authentication
(MFA) is required to join a device, the maximum number of devices per user, and
whether users can sync settings and app data across devices.
You do not need to configure corporate device identifiers in Device enrollment. You
can use corporate identifiers to specify whether a device is corporate or personal. You
can use the IMEI number or serial number of the device. You can add the IMEI number or
serial number of multiple devices by uploading a .csv file that specifies the
identifiers.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Question 28:
You want to deploy a Windows 10 device restriction policy to only the corporate
devices in the Engineering department, while excluding personal devices. You
create a new policy and manually add the following information to the filter rule:
What else should you add to the filter rule? Choose three.
(Correct)
C) and (device.deviceCategory -eq "Engineering devices")
(Correct)
A filter rule allows you to apply a policy assigned to a group only to a specific set of
devices within that group. You can target devices based on properties such as the
operating system and its version, whether the device runs Windows 10 or later, Android,
or iOS. You could use filters for the following scenarios:
• Set restriction policies on the corporate devices that run Windows 10 for the
Engineering department while excluding their personal devices from the
policy.
• Deploy a specific app to iOS devices in the Sales group.
• Deploy a compliance policy to Samsung Galaxy S20 phones to all users in
your company.
The -eq operator in the (device.osVersion -eq "10.0.18362") clause matches a particular
version of the operating system. The (device.manufacturer -eq "Microsoft") clause
ensures that the operating system of the device is Microsoft. You can also check for
Android and iOS operating systems. The (device.deviceCategory -eq "Engineering
devices") clause ensures that the filter rule applies to devices that meet the Intune
device category of "Engineering devices". The (device.deviceOwnership -ne
"Personal") clause uses the -ne operator to exclude devices whose Intune ownership
is personal. You should not use the (device.deviceOwnership -eq "Personal") clause
because this segment uses the -eq operator, which would include only personal devices.
You should not use either the (device.isRooted -eq "True") or the (device.isRooted -eq
"False") clause. Whether the device is rooted or not is not relevant to the scenario. You
only need to allow Microsoft devices (Windows 10) that are used by the Engineering
department and that are not their personal devices.
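As an added example (not part of the original explanation, and not Intune's own evaluation engine), the Python below parses a rule written in the filter syntax shown above and applies it to a small constructed device inventory, so you can see that the -ne "Personal" clause drops the BYOD laptop while the -eq "Personal" variant would select only that laptop. Device names and property values are constructed, and only the `(clause) and (clause)` form used in the scenario is handled.

```python
import re

# Constructed sample inventory (not from any real tenant). Each record mimics the
# device properties an Intune filter rule can reference.
DEVICES = [
    {"deviceName": "ENG-LT-01", "osVersion": "10.0.18362", "manufacturer": "Microsoft",
     "deviceCategory": "Engineering devices", "deviceOwnership": "Corporate", "isRooted": "False"},
    {"deviceName": "ENG-BYOD-07", "osVersion": "10.0.18362", "manufacturer": "Microsoft",
     "deviceCategory": "Engineering devices", "deviceOwnership": "Personal", "isRooted": "False"},
    {"deviceName": "SALES-LT-03", "osVersion": "10.0.18362", "manufacturer": "Microsoft",
     "deviceCategory": "Sales devices", "deviceOwnership": "Corporate", "isRooted": "False"},
    {"deviceName": "ENG-LT-09", "osVersion": "10.0.19041", "manufacturer": "Dell Inc.",
     "deviceCategory": "Engineering devices", "deviceOwnership": "Corporate", "isRooted": "False"},
]

# The complete rule from the scenario: corporate Windows 10 build 18362 devices made by
# Microsoft, in the Engineering device category, excluding personally owned devices.
RULE = ('(device.osVersion -eq "10.0.18362") and (device.manufacturer -eq "Microsoft") '
        'and (device.deviceCategory -eq "Engineering devices") '
        'and (device.deviceOwnership -ne "Personal")')

# One parenthesised clause: (device.<property> -eq|-ne "<value>")
CLAUSE = re.compile(r'\(\s*device\.(\w+)\s+-(eq|ne)\s+"([^"]*)"\s*\)')


def parse_rule(rule):
    """Split '(clause) and (clause) ...' into (property, operator, value) triples.

    Only the conjunctive form used in the scenario is supported; anything else
    raises so a typo in the rule is not silently treated as 'match nothing'.
    """
    clauses = []
    for part in re.split(r'\s+and\s+', rule.strip(), flags=re.IGNORECASE):
        m = CLAUSE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        prop, op, value = m.groups()
        clauses.append((prop, op.lower(), value))
    return clauses


def matches(device, clauses):
    """True when every clause holds for this device (exact string comparison)."""
    for prop, op, value in clauses:
        equal = device.get(prop, "") == value
        if op == "eq" and not equal:
            return False
        if op == "ne" and equal:
            return False
    return True


def filter_devices(rule, devices):
    """Return the names of the devices the rule would include."""
    clauses = parse_rule(rule)
    return [d["deviceName"] for d in devices if matches(d, clauses)]


if __name__ == "__main__":
    print("correct rule    ->", filter_devices(RULE, DEVICES))
    wrong_rule = RULE.replace('-ne "Personal"', '-eq "Personal"')
    print("-eq Personal    ->", filter_devices(wrong_rule, DEVICES))
```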
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Question 29:
You are a system administrator for Nutex Inc. Your organization has an Azure AD
environment. Employees use Windows and Android devices. The Android devices
include both corporate-owned fully-managed devices and personally-owned work
profile devices. Users with Android devices have access to highly sensitive data. All
devices are enrolled in Microsoft Intune.
You are creating a device restriction configuration profile for the Android devices.
Which of the following security configuration frameworks are recommended for the
fully managed and personally owned work profile devices to protect the highly
sensitive data? (Choose all that apply.)
(Correct)
(Correct)
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Question 30:
You are a system administrator for Nutex Inc. Your organization has an Azure AD
Premium P1 subscription and hosts business-critical applications in the Azure
cloud.
You have been tasked with implementing OATH hardware tokens (Preview) in
Microsoft Azure for enhanced authentication. You have procured compatible
tokens.
D) Upload the tokens to Azure Active Directory (Azure AD) in CSV file
format.
(Correct)
Explanation
You would upload the tokens to Azure AD in CSV file format. You must include the
user principal name (UPN), serial number, secret key, time interval, manufacturer,
and model in the CSV file (as shown in the image).
You would follow the below steps to configure OATH hardware tokens with multi-
factor authentication (MFA):
1. While the CSV file is being uploaded, you can check the status by clicking on
the File upload is in-progress text (as shown in the exhibit).
2. After the CSV file is uploaded, you would activate the OATH token (as shown
in the exhibit).
3. You would then press the button to generate an OTP/code on the token and
enter the verification code.
4. Finally, you need to verify that the token status has been changed to
activated.
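To show what the activation step actually checks, here is an added Python example (not from the referenced article or from Azure AD) that parses a constructed CSV laid out with the columns listed above and computes the time-based code the token would display for a given time interval. The UPN, serial number, manufacturer and model are placeholders; the secret is the published RFC 4226/RFC 6238 test key, so the codes can be checked against the RFC test vectors.

```python
import base64
import csv
import hashlib
import hmac
import io
import struct
import time

# Column names as listed in the explanation above (header spelling is an assumption).
EXPECTED_COLUMNS = ["upn", "serial number", "secret key", "time interval",
                    "manufacturer", "model"]

# Constructed sample upload file. The secret key is the RFC test key
# "12345678901234567890" encoded in base32; every other value is a placeholder.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@nutex.example,1234567,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Contoso,HardwareKey
"""


def parse_token_csv(text):
    """Validate the header and decode each row into a token record."""
    reader = csv.DictReader(io.StringIO(text))
    header = [c.strip().lower() for c in reader.fieldnames]
    if header != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    tokens = []
    for row in reader:
        b32 = row["secret key"].strip().upper()
        b32 += "=" * (-len(b32) % 8)          # restore base32 padding if omitted
        tokens.append({
            "upn": row["upn"].strip(),
            "serial": row["serial number"].strip(),
            "secret": base64.b32decode(b32),
            "interval": int(row["time interval"]),
        })
    return tokens


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, interval=30, at=None, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // interval, digits)


def verify_activation_code(token, code, at=None, window=1):
    """Accept the code if it matches the current step or one within +/- window steps.

    The window tolerates small clock drift between the token and the server; a
    constant-time comparison avoids leaking how many digits matched.
    """
    now = int(time.time()) if at is None else int(at)
    step = now // token["interval"]
    return any(hmac.compare_digest(hotp(token["secret"], step + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    tok = parse_token_csv(SAMPLE_CSV)[0]
    print(tok["upn"], tok["serial"], "code now:", totp(tok["secret"], tok["interval"]))
```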
Objective:
Manage identity and compliance
Sub-Objective:
Manage identity
References:
All Things Cloud > OATH TOTP Hardware tokens with Azure MFA
Question 31:
You manage devices that run Windows 10. You do not have an existing on-
premises Active Directory environment. You plan to use Windows Hello for
Business on the devices.
(Correct)
(Correct)
You should not implement a PKI. A separate PKI is not required to implement
Windows Hello for Business, and is only necessary for smart card deployments or
other certificate-based needs.
You should not use the Microsoft Cloud App Security add-on. This is an Enterprise
Mobility + Security component for securing applications.
Objective:
Manage identity and compliance
Sub-Objective:
Manage identity
References:
Microsoft Inside Track > Implementing strong user authentication with Windows
Hello for Business
Question 32:
As a deployment administrator for the Verigon Corporation, you need to configure
100 laptops for the Austin, TX office. The laptops are off-the-shelf with Windows
10 Professional already installed.
Verigon does not have a mobile device management infrastructure (MDM) in place.
You must configure some basic desktop settings, such as AD enrollment. You need
a streamlined configuration solution that does not require an office network
connection.
What steps would be required as part of streamlining this process? (Choose all that
apply.)
(Correct)
C) Create an encrypted provisioning package
(Correct)
Explanation
You will want to download the Windows Assessment and Deployment Kit (ADK) for
Windows 10 to obtain the Windows Configuration Designer tool. The Windows
Configuration Designer tool is needed for this scenario and is part of the kit. You
could also download it directly from the Microsoft Store.
You will create a project using the desktop wizard option in the Windows
Configuration Designer. This will allow you to customize the basic desktop settings
as indicated in the scenario. Windows Configuration Designer also provides a mobile
wizard, a kiosk wizard, and a HoloLens wizard.
You do not need to set up Azure AD Join. The scenario does not mention this
requirement, and the desktop wizard of Windows Configuration Designer does not
allow for bulk enrollment in Azure AD.
You do not want to download the Windows Imaging and Configuration Designer
(ICD) Tool. That is a legacy tool, and support has been removed for making
customized images.
You do not need to encrypt the provisioning package. Microsoft suggests that you
do not apply security to your packages unless the package contains sensitive
security data such as credentials or certificates.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft
Deployment Toolkit (MDT)
References:
Question 33:
Your company has an Active Directory domain named nutex.com. All client
computers in the domain run Windows 10. You have a computer named wks1 in your
department that is having issues with a sound card. You have ordered a new sound
card, but need to disable the existing sound card device. You create the following
script on a share on a server to fix the problem temporarily:
What should you run on your computer to resolve the issue on the other computer?
A)
B)
C)
D)
E)
F)
Explanation
You should run the following on wks1:
Enable-PsRemoting -Force
You should first ensure that Enable-PsRemoting -Force is run on the computers that
you want to remotely access so that the remote computers can receive remote
commands. The Enable-PsRemoting cmdlet starts the WinRM service and sets the
service to start automatically. It also creates a firewall rule that allows incoming
connections from remote computers. The -Force parameter ensures that there is no
user intervention.
The Invoke-Command cmdlet runs a script on a remote computer. You should use
the -FilePath parameter to specify the location of the script. The script will run
on wks1 and return the results to your computer.
You should not run the Start-Process cmdlet to invoke the script file on the remote
computer. This cmdlet will start a process, but not run a script.
You should not run the following on wks1 because this should be run on the local
computer, not the remote computer:
Objective:
Deploy Windows client
Sub-Objective:
Configure remote management
References:
Question 34:
Nutex Corporation has chosen Intune as its MDM solution. Nutex has a few new
Windows 10 laptops that they will be deploying in a branch office. Nutex wants to
minimize costs. Nutex would like to use Intune to assign Outlook Online and Excel
Online to these devices. Nutex has Office 365 Business licenses for new laptops,
which are all registered with Intune.
(Correct)
(Correct)
(Correct)
Explanation
You will need to add the Windows 10 app type to Intune. You will be asked to choose
between Configuration Designer or Enter XML data. For the few laptops in this
scenario, Configuration Designer is the preferred choice.
You will need to upgrade the license subscription to Office 365 ProPlus. As of this
writing, Office 365 Business edition is not supported by Intune. Office 365 ProPlus is
the minimum subscription level to deploy Office 365 apps with Intune.
In Intune, you will create an App Suite. You can add Outlook and Excel so they will
appear as one app in the apps list.
You do not need to create a Windows Information Protection (WIP) policy. A WIP is
used to protect apps without device enrollment and is outside the scope of this
scenario.
You do not need to upgrade the license subscription to Office 365 E1. While this
would meet the requirements of the scenario, it is not a preferred answer as it is only
necessary to upgrade to Office 365 ProPlus, and Nutex wants to minimize costs.
Note that you can assign an app to a device whether or not the device is managed by
Intune.
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Add Microsoft 365 Apps to Windows 10/11 devices using Microsoft Intune |
Microsoft Learn
Question 35:
Your organization has eight Windows 10 computers and all domain controllers run
Windows Server 2012. All group policies are managed at the enterprise level.
You purchase a Windows Store app that you use for troubleshooting, and install the
app on two devices that you will soon add to the domain. You attempt to install the
app on another domain user's computer after you log in to the computer using your
Windows account. You receive the following error message:
"Windows Store is not available on this PC. Contact your system Administrator for
more information."
You need to be able to install this app on all Windows 10 computers on your
organization's network.
(Correct)
Explanation
You should disable the Turn off the Store application group policy in the Computer
Configuration\Administrative Templates\Windows Components\Store path. When
this policy is set to Enable, it will prevent users from being able to access Windows
Store apps. This group policy controls access to the entire Windows Store. If the
policy is not configured or is set to Disable, it will allow access to the Windows Store
application.
This policy can be set at the machine level or the user level. The Turn off the Store
application group policy is shown in the following exhibit:
Note that the Store Policy folder does not appear on a Windows Server 2012 R2
computer or a Windows 10 computer. On your Windows Server 2012 R2 computer,
you have to download the Administrative Templates (.admx) for Windows 8.1 Update
and Windows Server 2012 R2 Update. You can copy the Administrative Templates
to C:\Windows\PolicyDefinitions or to your Group Policy Central Store to overwrite
the old ADMX and ADML files with the new ones. The Store policy definitions are not
included in the Windows 10 ADMX templates. However, if you enable the Turn off
the Store application in a Group Policy, it will disable the Windows Store application
on a Windows 10 computer.
When you purchase a Windows Store app, you can install that app on up to 10
devices per Microsoft account. If you want to install the app on an eleventh device,
you will be prompted to remove the app from another device. You will need to log in
with your Microsoft account and remove a device from the Windows Store device
list.
If you want to control which apps can be installed on a device, you should use the
AppLocker feature, not the Turn off the Store application group policy. AppLocker is
a set of Application Control Policies introduced with Windows Server 2008 R2.
AppLocker adds features to manage Windows apps that are downloaded from the
Windows store.
You should not configure the Allow Store to install apps on Windows To Go
workspaces group policy. This policy controls the installation properties of Windows
Store apps on Windows To Go workspaces. The scenario does not mention
Windows To Go. This group policy is shown in the following exhibit:
You should not enable the Turn off the Store application group policy. This is the
current setting for this group policy based on the error message you received. This
policy is located in the Windows Components\Store path.
You should not configure the Turn off Automatic Download of updates group policy.
This policy in the Windows Components\Store path controls the download of
Windows Store app updates. While this group policy can control the download of the
updates, update installation must still be initiated manually by the user. Windows 10
checks the Windows Store for updates on a daily basis. When an update for an
installed app is available, Windows updates the Store tile in the Start screen to
indicate that updates are available. The user can choose to update one, several, or all
of their installed apps. The Turn off Automatic Download of updates group policy is
shown in the following exhibit:
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Question 36:
You are a system administrator for Verigon Corporation. You have procured
Microsoft Defender for Endpoint Plan 2. Your environment comprises Windows 11
devices, Windows servers, Linux servers, and macOS devices. You are onboarding
the devices to Microsoft Defender for Endpoint.
Which of the following deployment tools should you use to onboard Linux servers
to Microsoft Defender for Endpoint?
A) Puppet
(Correct)
B) JAMF Pro
C) Microsoft Intune
Although it was not offered as an option, you could also use Chef, a local script,
Ansible, or Saltstack to onboard a Linux server to Microsoft Defender for Endpoint.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
Deploy Microsoft Defender for Endpoint on Linux with Puppet | Microsoft Learn
Question 37:
You are a system administrator for your organization. They have 15,000 Windows
10 Enterprise workstations. You have been tasked to automate a Windows 11
Enterprise deployment on all workstations.
You are planning to use the Microsoft Deployment Toolkit (MDT) for creating reference
images for the operating system deployment.
Which of the following MDT task sequence templates should you use to run a User
State Migration Tool (USMT) backup and the full Windows Imaging (WIM) backup
action?
(Correct)
D) Standard Client
Task sequences are essential and play a crucial role in the deployment solution. You
have to select a template when creating a task sequence. The templates are typically
located in the MDT installation directory and determine the default actions present in
the task sequence. Task sequence is the list of actions that must be executed in a
specific order.
MDT has nine default task sequence templates, and you can create your own if
desired. You should store the custom created template in the default MDT
installation directory. The nine templates are:
• Sysprep and Capture task sequence – This template uses the System
Preparation (Sysprep) tool and makes an image of a reference computer.
• Standard Client task sequence – This template is most frequently used for
creating reference images and deploying clients in production.
• Standard Client Replace task sequence – This template runs a USMT backup
and the full WIM backup action. It can also be used to do a secure wipe of a
machine that you are planning to decommission.
• Custom task sequence – This template has only one default action.
• Standard Server task sequence – This is used to deploy operating system
images to servers. It does not contain any USMT actions because USMT is
not supported on servers.
• Lite Touch OEM task sequence – This template can be used to preload
operating system images on the computer hard drive. It is typically used by
computer original equipment manufacturers (OEMs), but some enterprise
organizations also use this feature.
• Post OS Installation task sequence – Using this template, a task sequence is
prepared to run actions after the operating system has been deployed.
• Deploy to VHD Client task sequence – This is similar to the Standard Client
task sequence template but also creates a virtual hard disk (VHD) file on the
target computer and deploys the image to the VHD file.
• Deploy to VHD Server task sequence – This template is the same as the
Deploy to VHD Client task sequence but is used for servers.
• Standard Client Upgrade task sequence – This is a simple task sequence
template used to perform an in-place upgrade from Windows 7, Windows 8, or
Windows 8.1 directly to Windows 10 or 11, automatically preserving existing
data, settings, applications, and drivers.
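The same choice made from the command line, as an added example that is not part of the original question or of the MDT documentation: it uses the MDT PowerShell module to create a task sequence from the Standard Client Replace template. The installation path, the deployment share path D:\DeploymentShare, the task sequence ID and the template file name ClientReplace.xml are assumptions; the listing step shows the real template names on your build so the name is checked rather than guessed.

```powershell
# Added example, not from the page: create a Standard Client Replace task sequence with the
# MDT PowerShell module. Assumed: MDT installed to its default path, deployment share at
# D:\DeploymentShare, template file name ClientReplace.xml (verify with the listing below).
$mdtRoot   = "C:\Program Files\Microsoft Deployment Toolkit"
Import-Module (Join-Path $mdtRoot "bin\MicrosoftDeploymentToolkit.psd1") -ErrorAction Stop

# The templates the wizard offers are the XML files in <MDT install dir>\Templates.
Get-ChildItem (Join-Path $mdtRoot "Templates") -Filter *.xml |
    Select-Object -ExpandProperty Name

# Mount the deployment share as an MDT provider drive (what Deployment Workbench does under the hood).
if (-not (Get-PSDrive -Name DS001 -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name DS001 -PSProvider MDTProvider -Root "D:\DeploymentShare" | Out-Null
}

# Standard Client Replace: USMT backup plus the optional full WIM backup, optionally a secure wipe.
# No -OperatingSystemPath is needed because this sequence captures state; it does not deploy an OS.
Import-MDTTaskSequence -Path "DS001:\Task Sequences" `
    -Name "Replace - capture user state and full WIM backup" `
    -ID "REPLACE01" `
    -Template "ClientReplace.xml" `
    -Comments "USMT backup + full WIM backup before the device is decommissioned" `
    -Version "1.0"

# Confirm the task sequence is registered in the deployment share.
Get-ChildItem "DS001:\Task Sequences" |
    Where-Object ID -eq "REPLACE01" |
    Format-List Name, ID, Version, Comments
```

The captured WIM and USMT store contain full user data; keep the deployment share's write permissions limited to the MDT build account and treat the backup location as sensitive.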
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft
Deployment Toolkit (MDT)
References:
Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) - Windows
Deployment | Microsoft Learn
Set up the Microsoft Deployment Toolkit for client deployment - Training | Microsoft
Learn
Question 38:
Skipped
You are an enterprise admin for the Verigon Company.
You are preparing for a large-scale deployment of Windows 10 devices using
Autopilot and Intune. You have already configured Microsoft Intune for auto-
enrollment. You have also registered the devices within Intune and assigned them
to a device group.
Click on the correct page within the Microsoft Endpoint Manager admin center to
begin the next step in the enrollment process in order to complete the deployment.
A) 419,791,857,904
B) 885,652,1322,765
C) 419,652,861,763
(Correct)
•
D) 419,292,856,428
Explanation
The next step in the deployment process is to create a Windows Autopilot deployment
profile and assign it to the device group. To do so, go to Devices > Enroll devices >
Windows enrollment > Windows Autopilot Deployment Program > Deployment Profiles.
You would not choose the Intune Connector for Active Directory. That connector is only
needed for hybrid Azure AD join, where Autopilot also joins the device to an on-premises
Active Directory domain.
You would not choose Devices. That page lists and manages the devices registered with
Windows Autopilot; it does not create the profile that drives the deployment.
You would not choose Automatic Enrollment. That page configures the MDM user scope that
lets Windows devices enroll in Intune when they join or register with Azure Active
Directory, which the scenario states is already configured.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Question 39:
Skipped
You are a system administrator for Verigon Inc. Your organization has an Azure
Active Directory (Azure AD) subscription with 20,000 Windows 11 devices. All
devices are enrolled in Microsoft Intune and joined to Azure AD.
You want Microsoft Intune logs to be routed to the Azure Monitor service. You have
procured an Azure Storage account to be used for storing logs.
Which of the following Azure Monitor features should you enable to route the logs
to Azure Monitor?
B) Diagnostic settings
(Correct)
C) Endpoint Analytics
D) Log Analytics
Explanation
You would enable Diagnostic Settings to route the logs to Azure
Monitor. Diagnostics Settings in Intune sends log data to different services, a
storage account, an event hub, or to Log Analytics.
Microsoft Intune contains the following built-in logs that provide information
regarding your environment:
• Audit logs – Help you view the record of activities that generate a change in
Microsoft Intune; contain a record of activities, including create, update,
delete, assign, and remote actions.
• Operational logs – Help you view details on users and devices that
successfully enrolled or failed to enroll and details of non-compliant devices.
• Device Compliance Organizational logs – Help you view organizational
reports for device compliance in Intune and details on non-compliant devices.
• IntuneDevices logs – Help you view the device inventory and status
information for Intune enrolled and managed devices.
You can send this log information to Azure Monitor and Azure Storage. Specifically, you
can archive Intune logs to an Azure Storage account, stream them to an Azure event hub
for analysis with SIEM tools, integrate them with your custom log solutions, or send them
to Log Analytics to enable rich visualizations, monitoring, and alerting on the connected
data.
Enabling Log Analytics will not route the logs to an Azure Monitor service such as an
Azure Storage account. Log Analytics is a feature in the Azure portal that is used to
edit and run log queries with data in Azure Monitor Logs.
Enabling Endpoint Analytics will not route the logs to an Azure Monitor destination such
as an Azure Storage account. Endpoint Analytics is part of Microsoft Productivity Score;
it measures the quality of the experience you deliver to users, helps identify hardware
or policy issues that affect device performance, and lets you take proactive measures
before a user raises a ticket.
Integrating Intune logs with a custom log solution is not an Azure Monitor feature that
you enable; it is one of the destinations you reach by enabling Diagnostic settings.
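What enabling Diagnostic settings amounts to, as an added example that is not from the page or from Microsoft's documentation: a PUT against the tenant-level Intune diagnostic setting resource, sending all four log categories to the storage account (the scenario's requirement) and to a Log Analytics workspace, followed by a KQL query over the audit log once data arrives. The subscription, resource names, the Azure Monitor REST path and API version, and the IntuneAuditLogs column names are assumptions to check against the Microsoft Learn reference; the caller is assumed to hold an Intune administrator role plus Contributor on the destination resources.

```powershell
# Added example, not from the page. Assumed: Az.Accounts and Az.OperationalInsights installed,
# placeholder subscription/resource IDs below, and the Azure Monitor REST path and API version
# for the tenant-level Intune diagnostic setting (verify against the Microsoft Learn reference).
Connect-AzAccount | Out-Null

$sub         = "00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
$rg          = "rg-intune-logs"
$storageId   = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/stintunelogs"
$workspaceId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/law-intune"

# Category names map to the Log Analytics tables IntuneAuditLogs, IntuneOperationalLogs,
# IntuneDeviceComplianceOrg and IntuneDevices. Retention applies to the storage account copy.
$body = @{
    properties = @{
        storageAccountId = $storageId
        workspaceId      = $workspaceId
        logs = @(
            @{ category = "AuditLogs";           enabled = $true; retentionPolicy = @{ enabled = $true; days = 365 } }
            @{ category = "OperationalLogs";     enabled = $true; retentionPolicy = @{ enabled = $true; days = 90 } }
            @{ category = "DeviceComplianceOrg"; enabled = $true; retentionPolicy = @{ enabled = $true; days = 90 } }
            @{ category = "Devices";             enabled = $true; retentionPolicy = @{ enabled = $true; days = 90 } }
        )
    }
} | ConvertTo-Json -Depth 6

# Intune diagnostic settings are a tenant-level ARM resource, not a child of a subscription resource.
$path = "/providers/microsoft.intune/diagnosticSettings/intune-to-monitor?api-version=2017-04-01-preview"
$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Diagnostic setting not created: HTTP $($resp.StatusCode) $($resp.Content)"
}

# After data starts flowing, the audit trail is queryable with KQL. Example: destructive
# device actions (delete, wipe, retire) in the last 7 days, newest first.
$kql = @"
IntuneAuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any ("delete", "wipe", "retire")
| project TimeGenerated, OperationName, Identity, ResultType
| order by TimeGenerated desc
"@
$wsGuid = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name "law-intune").CustomerId
(Invoke-AzOperationalInsightsQuery -WorkspaceId $wsGuid -Query $kql).Results | Format-Table -AutoSize
```

Routing the audit log off the tenant is what makes it survive an administrator compromise, so restrict write access to the storage account and workspace separately from the Intune roles.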
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Monitor devices
References:
Route logs to Azure Monitor using Microsoft Intune | Microsoft Learn
Question 40:
Skipped
Your organization has a Microsoft Intune subscription. Most of the employees are
mobile users and travel frequently for business purposes, using their personal
devices to access their corporate email.
You have applied app protection policies to the Microsoft Outlook app. You want to
add the Microsoft Outlook app to the approved list of apps that can be used while
accessing corporate email.
(Correct)
You would configure an app-based Conditional Access policy. App-based Conditional
Access uses the grant controls Require approved client app or Require app protection
policy, so that on iOS and Android only apps that support Intune app protection
policies, such as Microsoft Outlook, can reach Exchange Online; other mail clients are
blocked. You can create it from the Microsoft Intune admin center or the Microsoft Entra
admin center.
You would not configure a device-based Conditional Access policy in the given
scenario. Device-based Conditional Access policies let Azure Active Directory (Azure AD)
use the device compliance status to grant or deny access to the organization's apps
and services; that does not fit here because the devices are personal and the
requirement is about the app. You can create a device-based Conditional Access policy
from the Microsoft Intune admin center.
You would not configure a location-based Conditional Access policy in the given
scenario. Conditional Access policies are if/then statements and make decisions
based on signals. One of the signals is location. Organizations can use a location-
based Conditional Access policy when requiring multi-factor authentication (MFA)
for users accessing the service when not in the corporate network and blocking
access for users to the corporate network or services when trying to access
resources from specific locations or countries your organization never operates
from.
You would not configure device-based and location-based Conditional Access
policies in the given scenario.
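The policy described above, as an added example that is not from the page or from Microsoft's documentation: it creates an app-based Conditional Access policy through the Microsoft Graph PowerShell SDK, scoped to Exchange Online on iOS and Android, granting access only when the client is an approved app or is covered by an app protection policy. The group IDs are placeholders and the caller is assumed to hold the Conditional Access Administrator role; the policy starts in report-only mode so its effect can be reviewed in the sign-in log before anything is blocked.

```powershell
# Added example, not from the page. Assumed: Microsoft.Graph module installed, caller holds
# Conditional Access Administrator, and the two group IDs are placeholders for your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" | Out-Null

# Well-known first-party app ID for Office 365 Exchange Online.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"
$mobileUsersGroupId  = "11111111-1111-1111-1111-111111111111"   # placeholder: travelling users
$breakGlassGroupId   = "22222222-2222-2222-2222-222222222222"   # placeholder: emergency access accounts

$policy = @{
    displayName = "Mobile mail: require approved app or app protection policy"
    # Report-only first; switch to "enabled" after checking the Report-only tab of the sign-in log.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($mobileUsersGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        # The approvedApplication / compliantApplication controls only apply to iOS and Android.
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # OR: either an Intune-aware approved client app, or one protected by an app protection policy.
        operator        = "OR"
        builtInControls = @("approvedApplication", "compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Enforce once report-only results match expectations:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Pair this with a second policy that blocks legacy authentication; otherwise an IMAP or POP client on the same phone bypasses the app-based control entirely.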
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Use app-based Conditional Access policies with Intune - Microsoft Intune | Microsoft
Learn
Question 41:
Skipped
You are an enterprise admin for the Verigon Company.
You are currently deploying Windows 10 devices using Windows Autopilot in user-
driven mode. A user calls the helpdesk to report that the deployment process is
failing on their machine.
Which of the following may be reasons why the deployment is failing? (Choose
two.)
C) The device cannot find any available domain controllers due to DNS.
E) The user that logged on lacks Azure Active Directory join permissions.
(Correct)
Explanation
One reason the deployment could be failing is network connectivity: during the
out-of-box experience the target device must reach the Windows Autopilot Deployment
Service to download its Autopilot profile, so a blocked proxy, a captive portal, or a
DNS resolution failure stops the deployment before it starts.
Another reason is that in user-driven mode the device is joined to Azure AD with the
credentials of the user who signs in, so that user must be allowed to join devices to
Azure AD (the Users may join devices to Azure AD device setting) and must not have
reached the per-user device limit.
Windows Autopilot does not require client devices to have PXE-capable network
interface controllers; it is not an imaging technology.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Question 42:
Skipped
You are a system administrator for Verigon Inc. Your organization has an Azure
Active Directory (Azure AD) environment with a number of departments, including
Sales, Finance, and HR. The departments have workstations with different
configurations, as shown in the table below.
(Correct)
You cannot configure Sales workstations using self-deploying mode because their
workstations do not have TPM 2.0, and TPM 1.2 will not work with self-deploying
mode.
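A pre-flight check for the failure causes in the previous question (no path to the Autopilot service, user not permitted to join Azure AD) and for the TPM 2.0 requirement that self-deploying mode adds, as an added example that is not from the page or from Microsoft's documentation. The endpoint list is a subset of the published Autopilot and Intune network requirements, the Graph call against the beta deviceRegistrationPolicy resource and its property names are assumptions to verify, and the caller is assumed to hold Policy.Read.All. The first two checks run on the device itself (Shift+F10 during OOBE opens a command prompt); the third runs from an administrator workstation.

```powershell
# Added example, not from the page. Assumed: endpoint list is partial, the beta
# deviceRegistrationPolicy resource and its azureADJoin.appliesTo property exist as used here.

# 1. Network: the device must reach the Autopilot Deployment Service and Azure AD over 443.
$endpoints = "ztd.dds.microsoft.com", "cs.dds.microsoft.com",
             "login.microsoftonline.com", "enrollment.manage.microsoft.com"
$netResults = foreach ($ep in $endpoints) {
    $t = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = $ep; Reachable443 = $t.TcpTestSucceeded; ResolvedIP = $t.RemoteAddress }
}
$netResults | Format-Table -AutoSize
if ($netResults.Reachable443 -contains $false) {
    Write-Warning "At least one Autopilot/Azure AD endpoint is unreachable; profile download will fail."
}

# 2. TPM: user-driven mode works with TPM 1.2 or 2.0; self-deploying mode needs TPM 2.0.
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
if ($null -eq $tpm) {
    Write-Warning "No TPM found; self-deploying mode is not possible on this device."
} else {
    $specMajor = ($tpm.SpecVersion -split ",")[0].Trim()   # SpecVersion looks like "2.0, 0, 1.38"
    "TPM spec version: $specMajor (self-deploying mode requires 2.0)"
}

# 3. Azure AD join permission (administrator workstation, not during OOBE).
Connect-MgGraph -Scopes "Policy.Read.All" | Out-Null
$regPolicy = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"
$join = $regPolicy.azureADJoin
"Azure AD join allowed for: $($join.appliesTo)"   # all | selected | none
switch ($join.appliesTo) {
    "selected" { "Allowed users: $($join.allowedUsers -join ', ')"; "Allowed groups: $($join.allowedGroups -join ', ')" }
    "none"     { Write-Warning "No user may join devices; user-driven Autopilot fails at the join step." }
}
```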
With Windows Autopilot's self-deploying mode, you can deploy a device with little or
no user interaction. Self-deploying mode performs the following:
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Question 43:
Skipped
You are a system administrator for a new startup called the Nutex Corporation. You
want to deploy Windows 11 on all of the new workstations with some customized
applications that employees will use for their daily business activities.
You are in the process of creating a reference image that will help reduce
deployment time and install a standard set of applications on all the workstations.
You have set up the Microsoft Deployment Toolkit (MDT), built a lab deployment
share, and added the setup files and required applications.
(Correct)
You would configure the MDT Build Lab deployment share rules after you have
created the reference image task sequence. The configuration of these rules will
reside in the bootstrap.ini and CustomSettings.ini files. These files work together.
The bootstrap.ini file is available on the boot image and executed first. Its purpose is
to provide information to MDT to find the CustomSettings.ini file, which is stored on
the server in the Deployment Share\Control folder.
You would build the Windows 11 reference image after configuring the MDT Build
Lab deployment share rules. The image is created by launching the task sequence
that you had created earlier.
You would configure permissions for the deployment share for the account that will
access the MDT Build Lab deployment share, which is already in place in this scenario.
That account needs to read files in the deployment share and write the captured
reference image back to it, so you must assign both NTFS and share permissions to the
MDT build account for the MDTBuildLab folder that was created with the deployment
share. Grant that account Modify on the folder rather than using an administrative
account.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft
Deployment Toolkit (MDT)
References:
Question 44:
Skipped
You are the enterprise admin for Verigon. The company has recently enrolled more
than 2,000 Windows 10 laptops with Microsoft Endpoint Manager.
Using the Endpoint Security node, click on the tool that will achieve this objective.
•
A) 292,473,574,509
B) 292,633,574,665
C) 292,709,574,745
D) 292,381,574,415
E) 292,756,574,786
F) 292,339,574,370
(Correct)
Explanation
You would choose Security baselines.
Security baselines are pre-configured groups of Windows settings that help you apply a
known group of settings and default values that the relevant Microsoft security teams
recommend.
All the other answers are incorrect because they do not deploy configurations.
Device compliance is used to create policies that establish the conditions by which
devices and users can access the company's network and resources.
Conditional access is used to create policies that enforce which devices and apps can
access your corporate resources.
Attack surface reduction is used to create policies that reduce your attack surface
through rules enforced by Microsoft Defender Antivirus and Microsoft Defender for
Endpoint.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
Question 45:
Skipped
You have recently joined the Nutex Corporation as the Microsoft 365 Administrator.
Nutex is a startup company in the IT Services sector. You are tasked with
developing a strategy to deploy and manage the Microsoft 365 apps. You plan to
use the Microsoft 365 Apps admin center to accomplish this.
Which of the following statements about the servicing profile feature in Microsoft
365 Apps admin center are TRUE? (Choose all that apply.)
(Correct)
D) Devices that use Microsoft 365 apps must be part of the inventory of the
Microsoft 365 Apps admin center.
(Correct)
Devices that use Microsoft 365 Apps must be part of the inventory in the Microsoft 365
Apps admin center; being in the inventory is a prerequisite for applying a servicing
profile to a device. From the admin center Inventory page, you can also get insights
into Office builds, Office update channels, and Office add-ins on endpoints.
Servicing profiles can include up to three rollout waves (at the time of writing), with
each wave specifying the Azure AD groups that get the updates and the duration
between the rollouts.
Servicing profiles on a device take precedence over app configurations deployed
using tools such as the Office Deployment Tool or Microsoft Endpoint Manager, not
the other way around.
The servicing profile can be configured to roll back versions. A rollback can be
triggered at the level of devices or Azure AD groups. With a rollback scheduled, the
target endpoint is automatically rolled back to the previous version when connected
to the Internet. Endpoints rolled back will stay on the previous version until the next
version of Monthly Enterprise Channel is released.
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Overview of inventory in the Microsoft 365 Apps admin center - Deploy Office |
Microsoft Learn
Overview of servicing profile in the Microsoft 365 Apps admin center - Deploy Office |
Microsoft Learn
Overview of the Microsoft 365 Apps admin center - Deploy Office | Microsoft Learn
Question 46:
Skipped
You have recently joined the Nutex Corporation as the Microsoft 365 Administrator.
Nutex is a growing company in the IT Services sector with over 100 employees.
They use Microsoft Intune to manage all employees’ endpoints.
The IT Administration team recently discovered shadow IT (unlicensed Office
installations) and initiated the deployment of the licensed Microsoft 365 Apps to the
endpoints using Intune. Some employees cannot use the licensed Microsoft 365 Apps
deployed from Intune.
Which of the following are probable causes of this issue? (Choose all that apply.)
(Correct)
(Correct)
D) There are multiple app assignments with different sets of apps in the
suites.
(Correct)
Multiple app assignments from Intune are not additive. The last assignment will
clean up the existing assignment and install the apps. In this case, the last
assignment could be using fewer apps than in the former assignment since the later
app assignment overwrites pre-existing installed app assignments.
To remove the shadow IT installations from endpoints, the Intune Microsoft 365 Apps
suite should be configured with Remove other versions (the Remove MSI option) enabled.
Unless the existing Windows Installer (MSI) Office apps are removed, the app assignment
will not complete the installation of Microsoft 365 Apps. The Remove MSI feature removes
all MSI-based Office apps from a device during the deployment.
Another prerequisite is that no Office app is running on the endpoint while Intune
installs the suite; if one is, the installation can fail.
The app assignment could be missing some endpoints. Check the app assignment
and add another assignment for the affected users.
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Add Microsoft 365 Apps to Windows 10/11 devices using Microsoft Intune |
Microsoft Learn
Question 47:
Skipped
You are a system administrator for Nutex Corporation. Your organization has an on-
premises Active Directory (AD) and an Azure AD. Windows 11 is installed on all the
workstations.
You have a business-critical application hosted on the Azure cloud that users want
to access from their home workstations. Your organization’s policy states that the
user’s device should be compliant with Intune policy before accessing the
business-critical application. Below are the home workstations with their
configurations.
Which of the following should you do to ensure that users can access business-
critical applications from home? (Choose all that apply.)
•
(Correct)
(Correct)
(Correct)
(Correct)
Explanation
In the given scenario, you would join HomePC3 and HomePC4 to Azure AD and
enroll HomePC2 and HomePC3 to Microsoft Intune. MDM tools such as Microsoft
Intune can control the Azure AD registered devices and enforce organization-
required security policies.
The goal of Azure AD registered devices is to provide your users with Bring Your Own
Device (BYOD). Users can then access the organization’s resources using their
personal devices.
Azure AD registered devices can be managed easily through Microsoft Intune.
You can determine that an Azure AD join is the best solution for a device in a
different state. The following table shows how to change the state of a device:
Once you have registered or joined your devices to Azure AD, you can use the Azure
portal as a centralized place to manage the device identities.
You would not join HomePC2 and HomePC3 to the on-premises AD. Their device
should be compliant with organization policies before they can access the
organization’s resources. Their device should be joined to Azure AD. Joining devices
to the on-premises AD is not the requirement in the given scenario.
You would not use Windows Autopilot for HomePC1, HomePC2, HomePC3, and
HomePC4 in the given scenario. Windows Autopilot consists of technologies to set
up and pre-configure new devices. It can be used to reset, repurpose, and recover
devices. Windows Autopilot helps IT administrators and reduces the time IT spends
on deploying, managing, and retiring devices. It minimizes the infrastructure required
to maintain the devices and maximizes ease of use for all types of end users.
Objective:
Manage identity and compliance
Sub-Objective:
Manage identity
References:
Plan your Azure Active Directory device deployment - Microsoft Entra | Microsoft
Learn
You tried to redeploy the device and it returned the error code 0x80180014.
Which of the following solutions can fix the issue? (Choose all that apply.)
(Correct)
(Correct)
(Correct)
Explanation
In the given scenario, you can use the following to fix the issue:
• Delete the device record in Microsoft Intune.
• Redeploy the Autopilot deployment profile.
• Enable the MDM enrollment in case it is disabled.
Sometimes devices are not re-enrolled automatically using Autopilot and it returns
the error code 0x80180014 as shown in the exhibit:
Event Tracing for Windows (ETW) logs may show the following error:
And in case Windows MDM (Mobile Device Management) is disabled, you should
enable the MDM enrollment.
Checking for missing or incorrect licenses assigned to User1 and checking in case
too many devices are enrolled for User1 are not the correct solutions in the given
scenario. These are some of the common issues with Intune enrollment. In such
issues, error code 0x80180018 is shown, not error code 0x80180014. Error code
0x80180014 typically returns the error page "Something went wrong”. This error
means that the MDM enrollment failed.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Reddit > r/Intune > Update to Self-Deployment mode and Pre-Provisioning mode
experiences in Autopilot
Question 49:
Skipped
Verigon Corporation has configured Windows Intune for its Mobile Device
Management (MDM) solution. All Windows 10 devices are domain-joined and Azure
AD-registered. Verigon has Azure AD Premium. They want these corporate devices
to be automatically enrolled in Intune.
Explanation
You will need to create a GPO that enables automatic MDM enrollment. Devices that are
both domain-joined and Azure AD-registered are hybrid Azure AD joined, and for hybrid
Azure AD joined devices Group Policy is the supported way to trigger enrollment. The
setting is the computer policy Enable automatic MDM enrollment using default Azure AD
credentials under Computer Configuration > Administrative Templates > Windows
Components > MDM; with Azure AD Premium, the MDM user scope in Intune must also include
the users who sign in to these devices.
You would not use the Windows Imaging and Configuration Designer (ICD) tool to create a
provisioning package. A provisioning package is for bulk enrollment of computers, such
as in a school setting, not automatic per-device enrollment.
You do not need to configure Hybrid Azure AD join in Azure Active Directory Connect.
The scenario indicates that the devices in question are already domain-joined and Azure
AD-registered.
You will not need to configure MDM auto-discovery using an email address. With Azure AD
join, the MDM discovery URL is passed down to the device from Azure AD.
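The GPO above, created from PowerShell and then verified on a client, as an added example that is not from the page or from Microsoft's documentation. The two registry values are the ones the MDM.admx policy writes (UseAADCredentialType 1 selects User Credential); the GPO name, the OU distinguished name and the domain are placeholders, and the management host is assumed to have the Group Policy RSAT module.

```powershell
# Added example, not from the page. Assumed: GroupPolicy RSAT module on the management host,
# placeholder GPO name and OU, clients on Windows 10 1803 or later.

# --- On a management host with RSAT ---
Import-Module GroupPolicy
$gpoName = "MDM AutoEnroll"
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Registry values behind "Enable automatic MDM enrollment using default Azure AD credentials"
# (Computer Configuration > Administrative Templates > Windows Components > MDM).
$key = "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "AutoEnrollMDM"        -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "UseAADCredentialType" -Type DWord -Value 1 | Out-Null   # 1 = User Credential
New-GPLink -Name $gpoName -Target "OU=Workstations,DC=verigon,DC=local" -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# --- On a client, after gpupdate /force ---
# 1. Enrollment only works if the device is already hybrid Azure AD joined
#    (AzureAdJoined: YES and DomainJoined: YES; MdmUrl appears once enrollment succeeds).
dsregcmd /status | Select-String "AzureAdJoined|DomainJoined|MdmUrl"

# 2. The policy must have been applied.
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM" -ErrorAction Stop |
    Select-Object AutoEnrollMDM, UseAADCredentialType

# 3. The enrollment client registers a scheduled task that performs the enrollment and retries on failure.
Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\" -ErrorAction SilentlyContinue |
    Where-Object TaskName -like "*automatically enrolling in MDM*" |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult   # LastTaskResult 0 means the task ran cleanly
```

A non-zero LastTaskResult together with a missing MdmUrl usually means the signed-in user is outside the Intune MDM user scope or lacks a license, not a Group Policy problem.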
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal -
Windows Client Management | Microsoft Learn
Windows 10, Azure AD and Microsoft Intune: Automatic MDM enrollment powered
by the cloud! - Microsoft Community Hub
Question 50:
Skipped
Your organization has a hybrid Active Directory (AD) environment and a Microsoft
Intune subscription. Employees in your organization use workstations that run
Windows 11 and mobile devices that run Android 9.0. The mobile devices are fully
managed, dedicated, and corporate-owned work-profile devices.
As the year's end is approaching, you want the Android devices to block all
incoming system updates and security patches.
How should you configure the device restriction policy in Microsoft Intune?
(Correct)
B) Set the System update option to Maintenance window under User and
Accounts settings.
You would not configure the device restriction policy and set the System
update option to Postponed under Applications settings for blocking all incoming
system updates and security patches. This Postponed option along
with Automatic and Maintenance window options are under General settings,
not Applications settings. The Postponed option is used under System
update settings to postpone the updates for 30 days. Once this period is completed,
Android devices will prompt users to install the updates.
You would not configure the device restriction policy and set App auto-updates
(work-profile level) to Never under Applications settings for blocking all incoming
system updates and security patches. Using this setting, the device checks for app
updates daily.
You would not configure the device restriction policy and set the System
update option to Maintenance window under User and Accounts settings for blocking all
incoming system updates and security patches. The Maintenance window option, along with
the Automatic and Postponed options, is under General settings, not User and Accounts
settings. The Maintenance window option installs updates only during the maintenance
window you define in Microsoft Intune, which is useful for dedicated devices such as
kiosks.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device updates for all supported device platforms by using Intune
References:
Question 51:
Skipped
As a security administrator for Verigon Corporation, you are responsible for the
security of Office 365 applications. You are considering Azure AD conditional
access policies based on many factors. Some users should access only specific
cloud apps from home, and others should only have access when in the home
office, for example.
What steps should be part of your planning process? (Choose all that apply.)
•
A) Create a test plan
(Correct)
C) Define a response
(Correct)
(Correct)
Explanation
You will want to define a response. A response specifies the action to take when a
condition is met, such as blocking or granting access based on a certain
requirement. A response is a required component of a conditional access policy.
You will need to define users and groups access conditions. In this scenario, one
condition would be when the users are in the home office location, for example.
You should create and implement a test plan. You need to ensure that your
conditional access policies are giving the expected results before you impact the
users.
You would not select all cloud apps because the requirement here is that some
users should only have access to specific cloud applications.
Objective:
Manage identity and compliance
Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune
References:
Question 52:
Skipped
You are a system administrator for Nutex, Inc. Your organization has an on-
premises IT environment with 20,000 devices and workstations. All workstations
are running Windows 10.
You are planning to deploy Windows 11 on all the workstations. You have
completed the readiness assessment for all the workstations. You need to choose
the appropriate deployment scenario for Windows 11 deployment based on your
requirements.
A) Dynamic
C) Modern
(Correct)
•
D) Traditional
Explanation
You would choose the modern Windows deployment scenario. There are three primary
deployment scenarios, and each comes with specific tools or methods. The modern
scenario uses:
• Windows Autopilot – You can customize and deploy a new system with apps and
settings already configured.
• In-place upgrade – You can use Windows Setup to upgrade the existing OS and
migrate the previous apps and settings.
The dynamic deployment method enables you to configure applications and settings
for specific use cases, such as:
The traditional deployment method uses existing tools to deploy operating system
images on devices. You can use one of the following methods in a traditional
deployment:
• Bare metal – Deploy a new device or wipe an existing device and deploy it
with a fresh image.
• Refresh – Redeploy a device by saving the user state, wiping the disk,
installing the new OS and applications, and then restoring the user state. This
method is also called wipe and load.
• Replace – Replace an existing device with a new one after migrating the user
state from the old device to the new device.
Microsoft recommends the use of the modern deployment method unless you have
a specific need to use a different procedure.
Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment
References:
Question 53:
Skipped
The Nutex Corporation uses Windows Intune to enroll devices. Jane is the device
enrollment manager (DEM) in Intune. Joe has several devices that he needs to
enroll.
(Correct)
(Correct)
A single Intune user can enroll up to 15 devices by using a single Intune license. Joe
can enroll up to 15 devices.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Question 54:
Skipped
You are your company's systems administrator. The network contains fifteen
Windows 11 computers in a workgroup.
A user named Tom recently left your company, and his user account was disabled.
Cathy has been hired as Tom's replacement. You need to ensure that Cathy has
access to all of the same resources that Tom accessed.
A) Run the User State Migration Tool (USMT) to migrate Tom's settings to
Cathy's profile.
•
B) Create a new user profile for Cathy, and copy the settings from Tom's
profile to Cathy's profile.
C) Change the name for Tom's user profile to Cathy, and re-enable the
profile.
(Correct)
You should not create a new user profile for Cathy and copy the settings from Tom's
profile to Cathy's profile. Access to resources is granted to an account's security
identifier (SID), not to its name, and a new account receives a new SID. The only way to
ensure that Cathy can use the same SID, and therefore every permission and group
membership that references it, is to give her Tom's account: rename it, set a new
password, and re-enable it. Because the computers are in a workgroup, this has to be done
on each computer where Tom had a local account.
You should not run USMT to migrate Tom's settings to Cathy's profile. USMT is used to
migrate user settings from one computer to another, not from one profile to another.
You should not use scanstate and loadstate to migrate Tom's user profile settings to
Cathy's user profile. You would use this process to migrate a user profile from one
computer to another or from one operating system to another.
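The rename on one workgroup computer, with a check that the SID really does survive it, as an added example that is not from the page or from the cited references. Account names are the ones in the question; the script is assumed to run elevated on each of the fifteen computers, and it prompts for the new password rather than embedding one.

```powershell
# Added example, not from the page. Assumed: run elevated on each workgroup computer;
# "Tom" is the disabled local account and "Cathy" is the name it will carry on under.
$old = "Tom"
$new = "Cathy"

$before = Get-LocalUser -Name $old
"Before: $($before.Name)  SID=$($before.SID)  Enabled=$($before.Enabled)"

# Rename changes only the name; the SID, and everything granted to it, stays the same.
Rename-LocalUser -Name $old -NewName $new

# Tom's password must not carry over: set a fresh one and force a change at first logon.
$newPassword = Read-Host -AsSecureString "Initial password for $new"
Set-LocalUser -Name $new -Password $newPassword -FullName "Cathy" -PasswordNeverExpires $false
Enable-LocalUser -Name $new
net user $new /logonpasswordchg:yes | Out-Null

$after = Get-LocalUser -Name $new
"After:  $($after.Name)  SID=$($after.SID)  Enabled=$($after.Enabled)"
if ($before.SID -ne $after.SID) { throw "SID changed; a rename must never do this" }

# Group memberships (for example local Administrators) still resolve to the renamed account by SID.
"Groups that still grant rights to this SID:"
Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).SID -contains $after.SID
} | Select-Object -ExpandProperty Name

# The profile folder keeps its old name (C:\Users\Tom); Windows maps it to the SID via ProfileList.
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$($after.SID)" |
    Select-Object ProfileImagePath
```

Reusing the account also reuses whatever Tom stored in it (saved credentials, browser profiles, DPAPI-protected secrets), so review the profile before handing it over rather than treating the rename as a clean slate.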
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft
Deployment Toolkit (MDT)
References:
GroovyPost > How to Change Your Account Name on Windows 10
Partition Wizard > How to Change Account Name in Windows 11 – the Top 4
Methods [Partition Magic]
Question 55:
Skipped
You have been managing the Nutex Corporation’s computers and mobile devices
using Intune for quite some time. You need an overview of the Windows 10
computer devices you have in use.
How might you be able to view the most recent Intune device inventory?
A) Use the Intune Data Warehouse with the Power BI Desktop App
B) Browse the list of enrolled devices in Intune using Devices > All devices
>
(Correct)
C) Use Microsoft Endpoint Manager (MEM) to see the Device Health reports
D) Use the Azure portal and Graph APIs to provide data reports
(Correct)
Browsing Devices > All devices in Intune shows the current enrollment list, including
each device's last check-in time, so it is the quickest way to see the most recent
inventory.
You could also use the Azure portal and Graph APIs to provide data reports. This option
provides the most flexibility but comes with the most complexity.
You could also view the device inventory after a 24-hour delay using:
The Microsoft Intune Data Warehouse with the Power BI Desktop App provides a method to
create reports.
The Intune Compliance Data Warehouse Power BI App Online provides a collection of
premade reports.
Using the Device Health reports will reveal enrolled devices but with little to no focus
on inventory, making it difficult to satisfy the needs of this scenario.
Because these three options delay their reporting for 24 hours, you will not be able to
report on the "most recent" inventory.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Monitor devices
References:
Connect to the Data Warehouse with Power BI - Microsoft Intune | Microsoft Learn
Question 56:
Skipped
You have recently joined the Nutex Corporation as the Microsoft 365 Administrator.
Nutex is a growing company in the e-commerce sector with over 100 employees
who use Windows 10 endpoints. The IT Administration team at Nutex has recently
deployed Microsoft 365 apps using the Microsoft 365 Apps admin center.
You are tasked with limiting the service data sent to Microsoft from the apps. You
plan to use the Cloud Policy service for Microsoft 365 to accomplish this.
A) In-product recommendations
B) Connected experiences
(Correct)
C) Essential services
D) Diagnostic data
Explanation
The connected experiences policy settings must be configured. Connected experiences
are Microsoft 365 cloud features that analyze your content and your interaction with
Microsoft 365 Apps to provide design recommendations, editing suggestions, data
insights, and similar features; the service data they send is what the Cloud Policy
service lets you limit. The connected experiences policy settings are:
• Allow the use of connected experiences in Office that analyze the content
(Dictation, Editor, and so on)
• Allow the use of connected experiences in Office that download online
content (Insert objects, Templates, and so on)
• Allow the use of additional optional connected experiences in Office (Office
add-ins, Recent documents, and so on)
• Allow the use of connected experiences in Office (most of them available with
the other three settings).
None of the other options impact service data.
Diagnostic data is data that Microsoft collects to keep Office secure and up-to-date,
to detect, diagnose, and fix problems, and to make product improvements. Cloud
Policy settings for diagnostic data can be set to Required (minimum required data),
Optional (minimum required and some additional data), or Neither. Diagnostic
settings have no impact on service data sent by connected experiences
functionality.
In-product recommendations help users use Microsoft 365 features better. This is
not a policy setting.
Essential services is the mandatory service data related to the core functionality of
Microsoft 365 that is collected and sent to Microsoft, regardless of any other
privacy-related policy settings that you have configured. Some of the essential
services include Authentication, Licensing, and Telemetry. Essential services is not a
policy setting.
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Use policy settings to manage privacy controls for Microsoft 365 Apps for enterprise
- Deploy Office | Microsoft Learn
Question 57:
Skipped
Verigon Corporation is transitioning from the traditional configuration manager
(SCCM) and local Active Directory (AD) to the new "modern" IT. They plan to
ultimately move to Intune and Azure AD. As a migration consultant, you have been
asked to suggest the next steps in this co-management goal. All laptops are
already running Windows 10 and Office 365.
What steps would you recommend to bridge the transition? (Choose all that apply.)
(Correct)
(Correct)
(Correct)
(Correct)
Explanation
You want to enable co-management in Configuration Manager; you can then transition
workloads gradually as needed. Co-management allows you to attach a Configuration
Manager deployment to the Microsoft 365 cloud utilizing Microsoft Intune, mobile
device management (MDM), and Configuration Manager agents.
You will want to begin deploying corporate images using Autopilot. Autopilot can join
devices to Azure AD or AD via hybrid Azure AD join, can customize OOBE content,
and create as well as auto-assign device-to-configuration groups based on the
device’s profile.
You will want to use the Windows Update for Business Service component of
Windows Analytics to deploy and manage Windows updates.
You want to stop managing configuration policies through Group Policy. You will use
the policies in Intune instead. Microsoft offers a free tool called Microsoft Migration
Analysis Tool (MMAT) that can compare Group Policies for a target computer and
cross-reference them against a built-in list of MDM policies.
You do not want to deploy essential security updates using Windows Server Update
Services (WSUS). You want to move to Windows Update for Business. Windows
Update for Business can be configured using Intune and offers a peer-to-peer
distribution technology.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Question 58:
Skipped
The sales team at Nutex is using a new custom Line-of-Business (LOB) application.
They have found a bug that affects some very important sales issues. The software
development team has written an update to fix the bug and they want you to deploy
it using Intune.
What must the users do to receive the update?
A) The users must open the LOB app and find the update option in the
menus
(Correct)
C) They must run Windows Update and select the LOB Update
D) They must download the update from Intune and install it manually
Explanation
The users should do nothing. Once you have deployed the fix update to Intune, it will
be available for the users and will be applied automatically. When applications are
deployed using Intune, the updates generated through Intune are automatically
applied.
You do not have to run Windows Update and select the LOB Update. Windows
Update will successfully apply operating system updates and if pressed into service
can also apply updates for other software and drivers. But Windows Update has no
place in deploying this update from Intune.
Users do not have to open the LOB app and find the update option in the menus. This
would certainly suffice if the app were written to deploy updates in this manner.
However, this is not the type of interaction that Intune uses as the question
indicates.
Users do not have to download the update from Intune and install it manually. This is
unnecessary as the update in Intune will apply automatically. As a matter of fact, the
user has NO say in whether this update applies or not. When indicated, the user WILL
receive this update automatically.
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Question 59:
Skipped
You are an MDM administrator for the Verigon Corporation. You created several
application policies for your Azure AD-joined laptops over a month ago. You now
want to find out if users are being affected by these policies as well as the
compliance status of the machines.
Using Windows Intune app management, click on the tool that will allow you to
access this information.
A) 294,599,528,630
B) 294,301,528,327
(Correct)
C) 294,391,528,419
D) 294,645,528,671
E) 294,260,528,289
Explanation
You would choose the following:
You can use Apps > Monitor to verify the status of the app protection policies that
you have applied to users from the app protection pane in Intune.
App protection policies is where you create the policies, not monitor them.
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Question 60:
Skipped
Recently, Josh's computer was the source of a malware attack inside your
company. You are concerned about threats affecting other Windows 10 computers
in your company. You have the following script run on each computer after hours:
You need to find the threats affecting the computers. Which cmdlet will retrieve the
history of threats that Microsoft Defender detected on a computer?
A) Get-MpThreat
(Correct)
B) Get-MpThreatDetection
C) Get-MpThreatCatalog
D) Get-MpPreference
Explanation
The Get-MpThreat cmdlet retrieves the history of threats that Microsoft Defender
detected on the computer. For example, the following command will find the history
of the threat on the local computer that has the ID 1953:
The Get-MpThreatCatalog cmdlet gets a list of all possible known threats based on
the signatures from the Microsoft Defender definitions catalog. The definitions
catalog contains references to all known threats that Microsoft Defender can
identify. The following command will display the virus signatures that have the
greatest severity level:
The Get-MpThreatDetection cmdlet finds active and past malware threats that
Microsoft Defender detected.
The Get-MpPreference cmdlet finds preferences for the Microsoft Defender scans
and updates.
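The following is an added example (not part of the question bank) that puts the four cmdlets discussed above to work: it collects Defender threat history from several Windows 10 computers over WinRM, joins detection events to threat names, and flags hosts that did not report. The computer names are constructed placeholders, and remoting (Enable-PSRemoting) is assumed to be in place.

```powershell
# Added example (not from the question bank): gather Microsoft Defender threat
# history from several Windows 10 computers and summarise it for triage.
# Computer names are constructed placeholders; WinRM access is assumed.
$Computers = @('WKS-JOSH', 'WKS-ACCT01', 'WKS-ACCT02')

$Rows = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    # Get-MpThreat: the history of threats Defender detected on this host
    # (ThreatID, ThreatName, SeverityID, IsActive). Index it by ThreatID.
    $byId = @{}
    Get-MpThreat | ForEach-Object { $byId[[string]$_.ThreatID] = $_ }

    # Get-MpThreatDetection: one object per detection event (when, which process,
    # which user, which files). It carries no name, so join to the history above.
    Get-MpThreatDetection | ForEach-Object {
        $t        = $byId[[string]$_.ThreatID]
        $name     = if ($t) { $t.ThreatName } else { '(not in Get-MpThreat history)' }
        $severity = if ($t) { $t.SeverityID } else { $null }
        $active   = if ($t) { $t.IsActive }   else { $null }
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            ThreatID        = $_.ThreatID
            ThreatName      = $name
            SeverityID      = $severity          # 5 = Severe, 4 = High, 2 = Moderate, 1 = Low
            IsActive        = $active
            FirstDetected   = $_.InitialDetectionTime
            LastChanged     = $_.LastThreatStatusChangeTime
            Process         = $_.ProcessName
            User            = $_.DomainUser
            ActionSucceeded = $_.ActionSuccess
            Resources       = ($_.Resources -join '; ')
        }
    }
}

# Still-active threats first, then by severity, so the worst findings are on top
$Rows |
    Sort-Object @{ Expression = 'IsActive'; Descending = $true },
                @{ Expression = 'SeverityID'; Descending = $true } |
    Format-Table Computer, ThreatName, SeverityID, IsActive, FirstDetected, Process, User -AutoSize

# Hosts that returned nothing (offline, WinRM blocked, or remoting disabled) need a follow-up;
# silence here is not evidence of a clean machine.
$Answered = @($Rows.Computer | Sort-Object -Unique)
$Computers | Where-Object { $_ -notin $Answered } | ForEach-Object { Write-Warning "No data from $_" }

# Keep the evidence for the incident record
$Rows | Export-Csv -Path "$env:TEMP\DefenderThreatHistory.csv" -NoTypeInformation

# Single-host look-ups from the explanation: history of threat ID 1953 on the local
# machine, and the catalog entries with the highest severity (SeverityID 5 = Severe).
Get-MpThreat -ThreatID 1953
Get-MpThreatCatalog | Where-Object SeverityID -eq 5 |
    Select-Object ThreatID, ThreatName, SeverityID -First 20
```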
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
B) Configuration Manager
C) XML data
D) Configuration Designer
(Correct)
Explanation
You would choose Configuration Designer, which is a configuration settings format option in
Microsoft Endpoint Manager. If you choose “Configuration Designer” for Configuration
Settings Format instead of “Enter XML data”, you will be able to modify options under the
following sections: Configure app suite, App suite information, and Properties.
You would not choose XML data because it does not use the native interface to configure the
application deployment settings. Instead, it requires that you import XML data under
the Setting format dropdown box.
You would not choose Configuration Manager because it is a part of System Center
Configuration Manager and can be used to deploy applications to domain-joined computers.
It is not used within Microsoft Endpoint Manager to deploy applications.
You would not choose the Office Deployment Tool (ODT). ODT is a command-line tool that
you can use to download and deploy Microsoft 365 apps to your client computers.
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Add Microsoft 365 Apps to Windows 10/11 devices using Microsoft Intune | Microsoft Learn
Plan your enterprise deployment of Microsoft 365 Apps - Deploy Office | Microsoft Learn
Question 2:
Skipped
You are a system administrator for your organization. They have several Windows 11
devices that are enrolled in Microsoft Intune. You have recently pushed software
changes to several devices. However, the changes are not reflected under Devices in the
Microsoft Endpoint Manager admin center.
A) every 12 days
B) every 7 days
(Correct)
C) every 15 days
D) every 5 days
Explanation
Hardware and software inventory in Microsoft Intune is refreshed every seven days starting
from the date of enrollment. The Devices feature displays detailed information regarding the
devices you manage, including their hardware and installed apps. To view the device details,
you would follow these steps:
1. Log in to Microsoft Endpoint Manager admin center.
2. Select Devices > All devices and choose one of your listed devices.
3. Open the device’s details:
• Overview – displays the device name and lists key properties of the device.
• Properties – assign a device category you have created and change ownership of
the device to a personal or corporate device.
• Hardware – includes details such as device ID, operating system and version, and
storage space.
• Discovered apps – shows all the apps that Intune found installed on the device and the
app versions.
• Device compliance – displays all assigned compliance policies and whether the device
is compliant or not.
• Device configuration – displays all device configuration policies assigned to the device
and whether the policy succeeded or failed.
• App configuration
• Recovery keys – shows available BitLocker keys found for the device.
• Managed apps – displays all the managed apps that Intune has configured and
deployed to the device.
5, 12, and 15 days are not the correct number of days and, therefore, these answers are
incorrect.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Monitor devices
References:
What Windows 10 settings can be configured with this method? (Choose all that apply.)
A) Wi-Fi
(Correct)
B) Device features
C) VPN
(Correct)
D) Certificates
(Correct)
E) Email
(Correct)
Explanation
You can use device profiles to control email. You can control ActiveSync without any setup
required by the user.
You can use device profiles to configure the startup of a VPN connection.
Certificates can be configured with device profiles, such as Simple Certificate Enrollment
Protocol (SCEP) and Public-Key Cryptography Standard (PKCS) certificates.
You cannot use device profiles to configure device features, as these settings are only found
on iOS and macOS devices.
Other device profile options include Administrative Templates, with various settings for
software, similar to Group Policy. Another is Device Restrictions, which would allow you to
control hardware, such as restricting the device camera.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Question 4:
Skipped
You are a system administrator for Nutex Inc. Your organization has an Azure
subscription. There are 10,000 Windows 11 devices joined to Azure AD and 200 iOS
devices.
• Set a minimum password length and block simple passwords on the Windows
devices.
• Allow mobile users access to AirPrint printers on your network.
Which of the following settings should you configure in the configuration profiles?
(Choose all that apply.)
(Correct)
(Correct)
To create a configuration profile, you would log in to Microsoft Intune Admin Center and
choose Devices. Next, click Configuration profiles and click Create profile (as shown in
the image).
Choose the platform from the Select platform drop-down list. In the Profile section,
select Device restrictions from the drop-down list.
Alternately, you can click Templates and then Device restrictions.
Provide information in Basics and choose Next. In Configuration settings, choose the
platform for which to add detailed settings. In Assignments, specify the users or groups you
want to receive the profile. Click Review + Create, review your settings, and click Create.
In the same way that you created the device restriction, you would create a Device
features profile for iOS devices.
There is no need to create a Microsoft Defender for Endpoint configuration profile. Microsoft
Defender for Endpoint can be integrated with Microsoft Intune as a Mobile Threat Defense
solution. Microsoft Defender for Endpoint works with Android, iOS/iPad, Windows 10 and
later, and Windows Server 2008 R2 and later.
You would use the Identity Protection configuration profile to manage Windows Hello for
Business on devices in Microsoft Intune.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Deploy policy for Windows Hello to groups of Windows 10 and Windows 11 devices in
Microsoft Intune | Microsoft Learn
Question 5:
Skipped
You are a system administrator for Verigon Corporation. Verigon has an Azure Active
Directory environment with 500 workstations running Windows 10 Enterprise. You
have been asked to upgrade the workstations to Windows 11 Enterprise and join the
workstations to Azure AD.
You should ensure that applications and settings installed on the users’ workstations
are retained and that the upgrade process requires minimal user intervention.
(Correct)
You would not use Microsoft Windows Autopilot to upgrade from Windows 10 Enterprise to
Windows 11 Enterprise in the given scenario. Windows Autopilot uses various technologies
to set up and preconfigure new devices. It can be used to repurpose, recover, and reset
devices. Windows Autopilot helps IT administrators and reduces the time IT spends on
deploying, managing, and retiring devices. It also minimizes the amount of infrastructure
required to maintain the devices and maximizes ease of use for all types of end users.
You would not use Windows Deployment Service (WDS) to upgrade from Windows 10
Enterprise to Windows 11 Enterprise in the given scenario. With WDS, you can deploy the
Windows operating system over the network, which means you do not have to install the OS
directly from CD or DVD. This approach is best suited for fresh installations on new
workstations.
You would not use the Windows Easy Transfer feature to upgrade from Windows 10
Enterprise to Windows 11 Enterprise in the given scenario. Windows Easy Transfer is best
used for transferring files from one computer to another.
Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment
References:
Question 6:
Skipped
You plan to manage several servers running Windows Server 2019 that are running
robotic software for a manufacturing environment in a separate subnet located on the
factory floor. The servers are not connected to the on-premises domain or to Azure
Active Directory.
You are installing Windows Admin Center on a Windows 11 device to manage the
subnet. The Windows 11 device is joined to Azure Active Directory.
A) Modify LMHOSTS
(Correct)
E) Modify TrustedHosts
(Correct)
(Correct)
G) Select the Azure Active Directory certificate for the user running
Windows Admin Center when prompted on the first launch
Explanation
You should do the following:
• Modify TrustedHosts
• Create a firewall exception for the WinRM service
• Select the Windows Admin Center Client certificate when prompted on the first
launch
In this scenario, the Windows Server 2019 servers that need to be managed are connected to a
workgroup since they are not connected to the on-premises domain or Azure Active
Directory. Since the Allow Windows Admin Center to modify this machine’s trusted
hosts settings option was NOT checked in the exhibit, you must modify the TrustedHosts
setting manually. TrustedHosts must be configured if you are working in a workgroup
environment or using the credentials of the local administrator in a domain.
You can modify TrustedHosts with the Set-Item cmdlet to configure the NetBIOS name, IP
address, or FQDN of the computers that you want to manage:
You could also use wildcards to configure all computers as computers that need to be
managed:
Both the Windows 11 computer and the Windows server must be running the WinRM service
to allow management from Windows Admin Center. If it is not running, you should
run Enable-PSRemoting from the PowerShell console on the machine where the service
should be enabled.
You must create an exception on the Windows Server’s firewall for WinRM to allow
access from the Windows 11 computer. By default, the WinRM firewall exception for public
profiles allows access to remote computers on the same subnet. In this scenario, the servers
are in a different subnet on the manufacturing floor. You can run the following command on
the Windows 11 computer to create the firewall exception:
You can run the following command on the Windows Servers to create the firewall
exception:
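As an added example (not the question bank’s own commands), the following PowerShell carries out the TrustedHosts change and the WinRM firewall exception described above for a workgroup scenario. The server names, the 10.50.10.0/24 factory subnet and the 10.50.20.15 workstation address are constructed placeholders.

```powershell
# Added example (not from the question bank): prepare a Windows 11 workstation and
# workgroup Windows Server 2019 hosts for Windows Admin Center over WinRM.
# Server names, the factory subnet and the workstation address are placeholders.

# ---- Run on the Windows 11 workstation that hosts Windows Admin Center ----
$FactorySubnet  = '10.50.10.0/24'
$ManagedServers = @('ROBOT-SRV01', '10.50.10.22', 'robot-srv03.floor.local')

# WinRM must be running on the workstation too; -SkipNetworkProfileCheck lets
# Enable-PSRemoting succeed when the NIC sits on a Public network profile.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# TrustedHosts decides which non-domain hosts this client will send credentials to.
# Name them explicitly (NetBIOS name, IP address or FQDN). A wildcard '*' would
# trust every host and remove that check entirely, so it is avoided here.
$existing = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$missing  = $ManagedServers | Where-Object { ($existing -split ',') -notcontains $_ }
if ($missing) {
    # -Concatenate appends to the current list instead of overwriting it
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($missing -join ',') -Concatenate -Force
}
Get-Item WSMan:\localhost\Client\TrustedHosts   # review the resulting list

# The built-in Public-profile WinRM rule only admits LocalSubnet. Open it to the
# factory subnet rather than 'Any' so the rest of the network still cannot reach it.
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress $FactorySubnet

# ---- Run locally (at the console) on each Windows Server 2019 host ----
Enable-PSRemoting -Force -SkipNetworkProfileCheck
# Admit only the Windows Admin Center workstation, not the whole public network
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress '10.50.20.15'

# ---- Back on the workstation: confirm each listener answers before adding it to WAC ----
$ManagedServers | ForEach-Object {
    try {
        Test-WSMan -ComputerName $_ -ErrorAction Stop | Out-Null
        "$_ : WinRM reachable"
    }
    catch {
        "$_ : $($_.Exception.Message)"
    }
}
```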
You should select the Windows Admin Center Client certificate on the first launch.
If you choose another certificate, whether for the current user account or computer account,
you will get the following error message:
“You are not authorized to view this page. If you recently updated Windows Admin Center,
you may need to restart your browser, and then refresh the page."
If this error occurs, restart the browser and choose the Windows Admin Center
Client certificate.
You should not modify the LMHOSTS file. This file is used by legacy Windows operating
systems to resolve IP addresses to NetBIOS names. This file is not used by Windows Admin
Center.
You should not create a firewall exception on the Windows Servers for the Background
Intelligent Transfer Service (BITS). This service uses idle network bandwidth to
transfer files. This service is not used by Windows Admin Center.
Objective:
Deploy Windows client
Sub-Objective:
Configure remote management
References:
Question 7:
Skipped
Dreamsuites Incorporated has adopted Microsoft Intune to manage access on their
Windows 10 devices. As a security administrator, you have been asked to prevent all
devices from using JavaScript on certain sites in Microsoft Edge. You begin your setup
by creating a device profile.
What options will you configure, at a minimum? (Choose all that apply.)
(Correct)
(Correct)
Explanation
You will need to configure the Platform property. You can configure the following platforms
for your devices:
• Android
• Android enterprise
• iOS
• macOS
• Windows 10 and later
• Windows 8.1 and later
You will need to configure the Profile Type property. This list changes based on the platform
chosen.
You will not need to configure the Device Configuration Setup property. This property would
allow you to add a certificate authority, which is not indicated in the scenario. To create a
new profile, you would choose the Manage option of Device Configuration.
You will not need to configure the Settings property for this scenario. These settings relate to
usage of the device itself, such as connecting to the App Store or allowing Bluetooth
connectivity.
You will not need to configure the Scope Tag property for this scenario. Scope tags assign
and filter policies to specific groups.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Question 8:
Skipped
You are a system administrator for Nutex Inc. Your organization has an Azure
environment that includes 20 Windows Server 2022 servers, 500 Windows 11 devices,
and 100 macOS devices.
You have created the antivirus profile for the macOS devices and configured Microsoft
Defender for Endpoint. Microsoft Defender is configured to share information with
Microsoft for any problem it detects. You want to disable this setting.
Which of the following settings should you disable for Microsoft Defender for
Endpoint?
A) Real-time protection
D) Cloud-delivered protection
(Correct)
Explanation
In the scenario, you would disable the Cloud-delivered protection setting for Microsoft
Defender for Endpoint. By default, Microsoft Defender is configured to share information
with Microsoft for any problem it detects. Microsoft uses this information for researching and
analyzing the issues faced by customers and improving their offered solutions.
In the scenario, you would not disable the Real-time protection setting for Microsoft
Defender for Endpoint. Enabling the Real-time protection setting will identify and prevent
malware from installing or running on a device. By default, this setting is not configured.
In the scenario, you would not disable the Automatic sample submission setting for
Microsoft Defender for Endpoint. By enabling this, sample files are automatically sent to
Microsoft, which helps protect device users and your organization from potential threats. By
default, this setting is not configured.
In the scenario, you would not disable the Diagnostic data collection setting for Microsoft
Defender for Endpoint. By default, this setting is not configured. This setting helps you
configure how Microsoft shares your diagnostic and usage data.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune | Microsoft Learn
Question 9:
Skipped
The Nutex Sales Application needs to be deployed to the sales users’ computers using
Intune. You plan to create a group named SalesUsers to assign the app to Intune.
How should you create the group to ensure that this deployment delivers the app to the
correct users with the least administrative effort?
C) Create a dynamic user group in Intune and specify the membership rule
- user.department -eq "Sales"
(Correct)
D) Create an Azure Active Directory group and add the Sales users’
accounts as members
Explanation
You should create a dynamic user group in Intune and specify the membership rule -
user.department -eq "Sales". This will ensure that the Sales department users are granted
membership and thus will receive the assigned app for the installation.
You should not create an Intune assigned group and choose the users to be members
manually. Although this would suffice, it requires more administrative effort than using the
dynamic user group.
You should not create a dynamic device group in Intune and indicate the membership rule -
device.department -eq "Sales". This would not accomplish the requirement because
department is not a valid device attribute.
You should not create an Azure Active Directory group and add the Sales users’ accounts as
members. This, too, would accomplish the requirement, but requires more work than the
dynamic user group.
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Add groups to organize users and devices - Microsoft Intune | Microsoft Learn
Question 10:
Skipped
As a Windows 10 administrator for Verigon Corporation, you have been tasked with
configuring a few hundred laptops purchased from several resellers. You have chosen to
use Windows Autopilot and Intune to simplify configuration. The laptops have not been
registered by the resellers. All Autopilot service prerequisites have been configured.
A) At an administrative command prompt, run sysprep /generalize /oobe
(Correct)
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
You must not connect each laptop to the Internet. This would cause the laptop to download
an empty profile that would have to be removed. Collect the hardware ID first.
You cannot enroll the laptops in Intune until you have a CSV file containing their hardware
IDs.
You will want to create an Autopilot device group, but this can only be done after you have
added the devices.
You would not, at an administrative command prompt, run sysprep /generalize /oobe. This
process would only be relevant to Autopilot when attempting to clear a stored profile.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Question 11:
Skipped
You manage devices that run Windows 10 with Azure Active Directory Premium. You
need to enable two-factor authentication on the devices without the use of third-party
applications. Users already enter a user ID and password to log in to their devices.
What other factor(s) should you use? (Choose all that apply.)
A) Fingerprint recognition
(Correct)
B) Facial recognition
(Correct)
C) RSA keys
D) Retinal scan
Explanation
You should use fingerprint recognition or facial recognition. Both two-factor authentication
types are supported by Windows Hello for Business using Azure AD Premium. You can use
a user ID and password as the first authentication factor and a biometric recognition as a
second authentication factor.
If your device is joined to a domain, the device itself becomes one of the two factors required
for authentication.
You should not use a retinal scan or RSA keys. These options are not supported by Windows
10 or Azure AD Premium without a third-party application.
Objective:
Manage identity and compliance
Sub-Objective:
Manage identity
References:
Microsoft Inside Track > Implementing strong user authentication with Windows Hello for
Business
Question 12:
Skipped
Your company has an Active Directory domain named nutex.com. All client computers in
the domain run Windows 10. You have a computer named wks1 in your department that is
having issues with a sound card. You create the following script on a share on a server to
retrieve information about the device:
Enable-PsRemoting -Force
You want Karen to run the script to retrieve information about the sound card from wks1. On
Karen’s computer, she will enter the following:
Using the principle of least privilege, which group membership on wks1 does Karen require
to run these commands?
A) Device Owners
(Correct)
Karen does not need to be a member of Remote Desktop Users. Members of this group can
log on remotely, but group membership does not allow the users to run remote PowerShell
commands on the computers.
Karen does not need to be a member of Device Owners. Members of this group can change
system-wide settings, but group membership does not allow the users to run remote
PowerShell commands on the computers.
Karen does not need to be a member of Network Configuration Operators. Members of this
group can change network settings, but group membership does not allow the users to run
remote PowerShell commands on the computers.
Objective:
Deploy Windows client
Sub-Objective:
Configure remote management
References:
Below are the details for the devices that you want to enroll in Endpoint analytics via
Intune.
Which of the following devices can be enrolled in Endpoint analytics via Intune?
(Choose all that apply.)
A) DevicePC4
B) DevicePC3
(Correct)
C) DevicePC2
(Correct)
D) DevicePC1
E) DevicePC5
Explanation
In the given scenario, you would be able to enroll DevicePC2 and DevicePC3 in Endpoint
analytics via Intune. There are Intune, endpoint, licensing, and endpoint analytics
prerequisites for the enrollment.
Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Endpoint
Manager.
The Intune Service Administrator role is required to start gathering data for endpoint
analytics. After data-gathering begins, it can be viewed by read-only roles. The following
additional permissions are used for Endpoint analytics:
You can onboard Intune-managed devices from the Endpoint analytics portal by visiting the
URL https://aka.ms/endpointanalytics.
You cannot enroll DevicePC1 and DevicePC4 devices to Endpoint analytics via Microsoft
Intune because they do not run Windows 10 version 1903 or later. You cannot enroll
DevicePC5 because it is not Azure AD joined or hybrid Azure AD joined.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Monitor devices
References:
Question 14:
Skipped
You are a system administrator for Nutex Inc. Your organization has a hybrid Active
Directory (AD) environment with legacy servers, including Windows Server 2012 R2
and Windows Server 2016 servers, as well as newer servers running Windows Server
2019 and Windows Server 2022.
You want to use Microsoft Intune and Windows Autopilot to set up hybrid Azure AD-
joined devices. You are in the process of setting up an Intune connector for your AD
that will create Autopilot-enrolled computers in the on-premises AD domain.
What is the minimum required operating system for installing the Intune connector for
Active Directory?
(Correct)
You should install multiple Intune connectors in your environment to increase scale and
availability. Microsoft recommends installing them on servers that do not have other Intune
connectors.
You would install multiple Intune connectors if your environment has multiple domains. You
must create a service account to create computer objects in all of the domains. This service
account should have the following permissions:
• Logon as a service
• Part of the Domain Users group
• A member of the local Administrators group on the Windows server on which Intune
Connector is installed
Objective:
Manage identity and compliance
Sub-Objective:
Manage identity
References:
Enrollment for hybrid Azure AD-joined devices - Windows Autopilot | Microsoft Learn
Question 15:
Skipped
You are a Microsoft Intune administrator for the Nutex Corporation. Nutex has its
Windows devices joined to Microsoft Azure Active Directory (Azure AD) and enrolled
in Microsoft Intune. Most Windows devices run Windows 11 Enterprise, but a few
computers run Windows 10 Pro.
Which suggestion should you use to upgrade the Windows 10 Pro computers to
Windows 11 Enterprise with the least amount of effort?
C) Subscription activation
(Correct)
Explanation
You should create a device configuration profile to upgrade the Windows 10 Pro computers
to Windows 11 Enterprise with the least amount of effort. A device configuration profile can
upgrade all computers that are enrolled in Microsoft Intune. You can create a device
configuration profile by selecting Devices > Configuration profiles > Create profile from the
Intune admin center. Choose Windows 10 and later as the value for the Platform
and Edition upgrade and mode switch as the name of the template, as shown in the exhibit:
You can configure the profile to upgrade many different editions and versions:
You can use the Microsoft Software Download site or create installation media from the
Microsoft Download site to upgrade from Windows 10 to Windows 11. However, you would
have to perform an upgrade manually on each computer.
You cannot use a subscription activation to upgrade from a different version of an operating
system from Windows 10 to Windows 11. You can use subscription activation to upgrade
from a different edition of the same version of an operating system. For example, you could
use subscription activation to upgrade from Windows 11 Pro edition to Windows 11
Enterprise edition or Windows 10 Pro edition to Windows 10 Enterprise edition.
You cannot use a device compliance policy to upgrade from Windows 10 Pro computers to
Windows 11 Enterprise. A device compliance policy sets the rules for a device to be
compliant based on device properties, device health, configuration, system security, and
Microsoft Defender.
Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment
References:
Upgrade Windows 10/11 edition or switch S mode in Microsoft Intune | Microsoft Learn
Question 16:
Skipped
You are a desktop admin for the Nutex Corporation.
The company would like you to implement several shared guest PCs in the corporate
lobby. The PCs will host a single application for guests to check in. You will be
converting existing domain-joined machines that run the latest version of Windows 10
to do so.
Which of the following methods should you use to achieve the objective without
reimaging the machines?
(Correct)
•
D) Use Windows Deployment Services to configure the machines to Shared
PC mode.
Explanation
You would choose to enable kiosk mode from the Accounts Section of the Windows 10
settings because this mode is ideal for this situation. Any Windows 10 computer with version
1703 or higher can enable kiosk mode within the local Windows 10 settings. A single-app
kiosk runs a single app above the lock screen by using the Assigned Access feature. The app
is launched automatically when the kiosk account signs in. The user at the kiosk cannot
access anything on the computer except the kiosk app. The User account control must be
turned on to run kiosk mode.
You would not choose to use Microsoft Endpoint Manager or another MDM solution to set
up the kiosk configuration. An MDM solution can only configure devices that are enrolled
with it, and the lobby machines in this scenario are domain-joined but not MDM-enrolled.
You would not choose to use Windows Server Update Services to update the machines to
version 1703. Although kiosk mode does require Windows 10 version 1703 or higher,
updating to version 1703 will not automatically enable kiosk mode; it must be specifically
configured.
You would not choose to use Windows Deployment Services (WDS) to configure the
machines to Shared PC mode. You cannot use WDS to configure Shared PC mode on the
machines without reimaging them.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Question 17:
Skipped
You want to configure a Windows 10 computer named NutexLobbyPC, which is
connected to a 60-inch screen in the main lobby of the corporate headquarters. It should
only run the NutexAnnouncements application whenever the machine is turned on, and
it should not allow any other apps to be accessible.
(Correct)
Each of the other options will successfully be able to meet the requirements.
You can configure a single-app kiosk by using the Assigned Access feature, which runs a
single application above the lock screen. The user of the kiosk device can only access that
app and cannot do anything else on the device. Assigned Access binds a user account to the
app: when that account signs in (typically through automatic sign-in whenever the PC is
turned on), the specified app launches in full screen and no other application can be run.
You can also configure the Assigned Access feature via PowerShell. You can execute
Set-AssignedAccess -AppName NutexAnnouncements -UserName AAUser in PowerShell, where
AAUser is the Assigned Access user account.
You can also use the kiosk wizard in Windows Configuration Designer to configure a single
application kiosk. With the Windows Configuration Designer, you can add multiple
applications to make the kiosk a multiple application kiosk if need be.
You can also use Mobile Device Management to set up a kiosk configuration.
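As an added example (not from the question bank or the referenced Microsoft articles), the
PowerShell below carries out the Assigned Access configuration described for Question 16 and
Question 17: it checks that UAC is on, creates a standard local kiosk account, binds the app by
its AUMID, and reads the result back. The app name NutexAnnouncements comes from the
question; the account name AAUser and the assumption that the app is a Store (UWP) app are
the example's own.

```powershell
# Added example (not part of the question bank): configure NutexLobbyPC as a
# single-app kiosk with Assigned Access from an elevated PowerShell session.
# Assumptions: the kiosk app is a Store (UWP) app whose Start menu name is
# 'NutexAnnouncements', and the kiosk account is a local user named 'AAUser'.

$KioskUser = 'AAUser'
$KioskApp  = 'NutexAnnouncements'

# 1. Kiosk mode depends on User Account Control; refuse to continue if it is off.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($policy.EnableLUA -ne 1) {
    throw 'User Account Control is disabled. Set EnableLUA to 1, reboot, and run this again.'
}

# 2. The kiosk identity is a local *standard* user. Never make it an administrator:
#    anything that escapes the app runs with this account's rights.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $KioskUser -NoPassword -Description 'Assigned Access kiosk account' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $KioskUser -ErrorAction SilentlyContinue
}
# Sign in once as $KioskUser before step 3 so the app is registered for that profile.

# 3. Resolve the Application User Model ID (AUMID). Binding by AUMID is exact;
#    -AppName relies on a display-name match that another app could share.
$app = Get-StartApps | Where-Object { $_.Name -eq $KioskApp }
if (-not $app) { throw "App '$KioskApp' not found in Get-StartApps output." }

Set-AssignedAccess -AppUserModelId $app.AppID -UserName $KioskUser

# 4. Read back the configuration Windows actually stored and fail loudly on a mismatch.
$state = Get-AssignedAccess
if ($state.UserName -notlike "*$KioskUser" -or $state.AppUserModelId -ne $app.AppID) {
    throw 'Assigned Access did not apply as expected.'
}
$state | Format-List UserName, UserSID, AppName, AppUserModelId

# To remove the kiosk configuration later: Clear-AssignedAccess
```

Run the script once as an administrator. The kiosk account itself must never be given
administrative rights, because any process that breaks out of the app inherits that account's
token; the UAC check matters for the same reason, since Assigned Access refuses to run with
UAC disabled.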
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Guidelines for choosing an app for assigned access - Configure Windows | Microsoft Learn
Prepare a device for kiosk configuration on Windows 10/11 - Configure Windows | Microsoft
Learn
By using GPO alone, can I turn a Windows machine into kiosk mode? (spiceworks.com)
Question 18:
Skipped
The Nutex Corporation has a domain environment running on Windows Server 2019.
All workstations in the organization use Windows 11. You have recently moved to a
hybrid Azure Active Directory (Azure AD) environment and procured a Microsoft
Intune subscription.
You are configuring Windows Autopilot user-driven mode to join devices to an on-
premises AD domain. What should you do after the device has been registered with
Windows Autopilot?
(Correct)
In the Create Profile blade for user-driven mode, there is an option under Join to Azure AD
as named Hybrid Azure AD joined. You should select this option from the drop-down list
of options as shown in the exhibit.
Once you have created the Autopilot deployment profile, you should install the Intune
Connector for Active Directory on a computer running Windows Server 2016 or higher. The
Intune Connector for Active Directory communicates with your on-premises domain
controller during the Windows Autopilot process. The Intune Connector for Active Directory
does not run on a Linux based server such as Ubuntu or Red Hat.
You would not create an Autopilot deployment profile specifying Azure AD joined as the
method by which you would like to join devices to Azure AD. This scenario talks about a
hybrid environment. You should select the Azure AD joined method when you have only the
Azure AD environment.
You would not install the Intune Connector for Active Directory on a computer running
Windows 11. You should install the Intune Connector for Active Directory once you have
created an Autopilot deployment profile. However, the connector must be installed on a
computer running Windows Server 2016 or later, not on Windows 11 or any other client
operating system.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Enrollment for hybrid Azure AD-joined devices - Windows Autopilot | Microsoft Learn
A) Wipe the device without selecting Retain enrollment state and user
account
C) Wipe the device selecting Retain enrollment state and user account
D) Use Fresh Start without selecting Retain user data on this device
(Correct)
You should not delete the device from Intune and re-enroll. Deleting the device from Intune
is unnecessary in light of the other options available.
You should not wipe the device by selecting Retain enrollment state and user account.
This option will leave content and other user data on the computer and that is not what our
scenario requires.
You should not wipe the device without selecting Retain enrollment state and user
account. A wipe returns the device to its factory image, so manufacturer-preinstalled
applications that are not wanted on the device come back with it; Fresh Start installs a
clean copy of Windows without them.
You should not retire the device within Intune. This action will remove the device from
Intune completely and that is not what our scenario requires.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Question 20:
Skipped
You are an enterprise admin for the Verigon Company.
You are preparing a PC refresh for 200 computers. You are configuring your MDT
server for a Lite Touch deployment strategy due to the large number of client machines
involved.
Which of the following types of repository should you use to distribute the necessary
setup files and scripts?
(Correct)
Explanation
You would choose to create a deployment share on the MDT server. A deployment share is a
folder on the server that is shared and contains all the setup files and scripts needed for the
deployment solution. It is required for Lite Touch deployments.
You would not choose to create a bootable image using MDT offline deployment media.
Offline MDT deployment media should only be used for small environments that have no
open connections to the MDT server.
You would not choose to create a configuration profile using Microsoft Endpoint Manager.
MDT does not integrate with MDM solutions such as Microsoft Endpoint Manager, so they
cannot be used to distribute the required deployment files.
You would not choose to create a web-based share in Azure blob storage because you cannot
use Azure blob storage to distribute files used in an MDT deployment.
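The deployment share described above can be created from PowerShell rather than the
Deployment Workbench wizard. The script below is an added example, not code from the
question bank or the MDT documentation; it assumes MDT is installed in its default path on a
server named MDT01 in the VERIGON domain and that VERIGON\MDT_BA is a dedicated
low-privilege build account. Its main point is the permission model: clients run the share's
scripts as SYSTEM during the task sequence, so only administrators may write to it.

```powershell
# Added example (not from the question bank): create a Lite Touch deployment share
# on an MDT server with least-privilege share and NTFS permissions.
# Assumptions: MDT installed in its default path, server MDT01, domain VERIGON,
# and VERIGON\MDT_BA as the build account that only ever needs to read the share.

$SharePath   = 'E:\DeploymentShare'
$ShareName   = 'DeploymentShare$'        # hidden share; the ACL, not the '$', does the work
$BuildAcct   = 'VERIGON\MDT_BA'
$NetworkPath = "\\MDT01\$ShareName"

# 1. Folder and SMB share: administrators write, the build account reads.
New-Item -Path $SharePath -ItemType Directory -Force | Out-Null
New-SmbShare -Name $ShareName -Path $SharePath `
    -FullAccess 'BUILTIN\Administrators' -ReadAccess $BuildAcct | Out-Null

# 2. Mirror that on NTFS. Anyone who can write here can change scripts that every
#    client executes as SYSTEM, so do not leave Users/Authenticated Users writable.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from E:\
foreach ($entry in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($BuildAcct,               'ReadAndExecute'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry[0], $entry[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 3. Register the folder as an MDT deployment share (what the Workbench wizard does).
Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
New-PSDrive -Name 'DS001' -PSProvider MDTProvider -Root $SharePath `
    -Description 'Verigon Lite Touch Production' -NetworkPath $NetworkPath |
    Add-MDTPersistentDrive | Out-Null

# 4. Sanity check: confirm the build account has read access only.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight -AutoSize
```

Bootstrap.ini, which is embedded in the Lite Touch boot image, holds the UserID and
UserPassword used to connect to the share in clear text. Keep that account read-only and
otherwise unprivileged, and rotate its password if a boot image leaves your control.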
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft Deployment
Toolkit (MDT)
References:
Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) - Windows
Deployment | Microsoft Learn
Deploy a Windows 10 image using MDT (Windows 10) - Windows Deployment | Microsoft
Learn
Question 21:
Skipped
You have recently joined the Nutex Corporation as the Microsoft Intune Administrator.
The email accounts and apps on the employees’ mobile devices are managed from
Microsoft Intune. Some employees use Android Enterprise licenses. New hires do not
have their licenses yet. You are tasked with creating app configuration policies for all
employees.
Which of the following statements about implementing app configuration policies are
TRUE? (Choose all that apply.)
B) Only devices using Android 9.0 or higher are supported for management
using the Managed apps-type app configuration policy.
(Correct)
C) When new app permissions are added to an app, users are prompted to
provide consent for the permissions.
(Correct)
Explanation
The following statements are true:
• Configuration settings for a policy can be created using the configuration designer or
JSON.
• Only devices using Android 9.0 or higher are supported for management using the
Managed apps type app configuration policy.
The configuration designer can be used to create configuration settings for a policy. Managed
Google Play apps that support configuration settings can be configured using the
configuration designer; otherwise, you must use the JSON Editor to enter the values.
You must run at least Android 9.0 to have apps managed in an app configuration policy. If
you want to manage devices that use a version prior to 9.0, you must enroll them in Intune
and use a Managed devices-type app configuration policy.
When new app permissions are added to an app, users are not prompted to provide consent
for the permissions. There are two settings for app permissions: Approval Settings at the time
of adding the app as a Managed Google Play app and Permissions at the time of setting the
app permissions in the app configuration policy. Approval Settings can be set to Keep
approved when the app requests new permissions (app usage is not disrupted) and Revoke
app approval when the app requests new permissions (app usage is disrupted). App
permissions are Prompt (ask user consent), Auto grant, and Auto deny.
You cannot enable auto-updates to apps in an app configuration policy. The Update setting of
an app depends on the type of app you add to Intune. Store apps, web apps, and built-in
Microsoft apps are updated automatically. You will need to check the update for new app
permissions and configuration settings if you want to configure them in the app configuration
policy.
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Add app configuration policies for managed Android Enterprise devices - Microsoft Intune |
Microsoft Learn
CodeTwo > Microsoft 365 & Exchange Admin's Blog > How to deploy and configure
Microsoft Outlook for Android via Intune: A complete guide
Which of the following statements about Windows Admin Center are TRUE? (Choose
all that apply.)
(Correct)
(Correct)
Windows Admin Center, generally available since 2018, is a browser-based management tool
built for modern browsers. Microsoft tests and supports the latest versions of Microsoft Edge
and Google Chrome; other browsers such as Firefox are not officially supported, even though
most features are expected to work in them.
Windows Admin Center integrates with other IT administration products and solutions
through the Extensions feature. Extensions are built with web technologies such as HTML5,
CSS, Angular, TypeScript, and jQuery.
When Windows Admin Center is installed on a Windows 10 or Windows 11 device it runs in
desktop mode: the gateway and the browser are on the same machine, and remote Windows
devices and VMs are managed from there. Gateway mode, in which one gateway installed on
Windows Server is shared by many administrators through their browsers, is only available
when the gateway is installed on Windows Server; a domain-joined client does not change
this. In either mode the gateway must be resolvable by name (publish a DNS record for it) and
allowed through the enterprise firewall.
Objective:
Deploy Windows client
Sub-Objective:
Configure remote management
References:
Network World > 10 features of Windows Admin Center to streamline server administration
Question 23:
Skipped
You are the project manager for a large scale PC refresh migration involving up to
5,000 machines. The machines will run Windows 10 Pro as well as Office applications.
One of the objectives of the project is to migrate existing user accounts, user files, and
application settings. The project has a tight deadline so you need to streamline the
process as much as possible.
B) PCmover Express
(Correct)
Explanation
You would choose the User State Migration Tool (USMT). Its ScanState and LoadState
commands capture user accounts, user files, and application settings and restore them on the
new installation, and they are designed to be scripted across large deployments of Windows.
You would not choose PCmover Express. Although it migrates user state, it is intended for a
small number of computers that are moved one at a time. PCmover Express is third-party
software created for Microsoft by Laplink.
You would not choose the Readiness Toolkit for Office add-ins and VBA. It assesses the
compatibility of Office add-ins and VBA macros with Microsoft 365 Apps; it does not migrate
user state.
You would not choose the Microsoft Deployment Toolkit on its own. MDT builds task
sequences that deploy Windows 10; when a task sequence migrates user state it does so by
calling USMT, so USMT is still the tool that performs the migration.
Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment
References:
User State Migration Tool (USMT) Overview (Windows 10) - Windows Deployment |
Microsoft Learn
Question 24:
Skipped
You are a network administrator for Verigon Corporation. You have been tasked with
monitoring the security of your domain-joined Windows 10 laptops.
What Microsoft products and/or services are designed to give you security information?
(Choose all that apply.)
(Correct)
(Correct)
F) Windows Autopilot
Explanation
You should choose:
Microsoft Intune – Security Baselines allows you to compare your devices to a security
standard based on Microsoft recommendations.
Windows Security (formerly Windows Defender Security Center) – Device security reports the
state of the hardware-backed protections on the device: whether Secure Boot is enabled,
whether core isolation (memory integrity) is on, and whether a security processor (TPM) is
present. This is the page that displays security information.
Windows Security – Device performance & health is a troubleshooting view rather than a
security one. It reports on storage capacity, device drivers, battery life, and apps and
software, which is why it is not a correct choice here.
Windows Analytics – Device Health is not a security monitoring solution. It identified device
crashes and misconfigurations. Windows Analytics was retired in January 2020, and its
successor, Desktop Analytics, was retired in November 2022.
Mobile Threat Defense does not monitor the security of Windows 10 devices. It will,
however, protect mobile devices from selected security attacks, such as man-in-the-middle.
Windows Autopilot is used to deploy and pre-configure new devices, not monitor the security
of existing ones.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
Check the success or failure of security baselines in Microsoft Intune | Microsoft Learn
Learn about Windows security baselines you can deploy with Microsoft Intune | Microsoft
Learn
Question 25:
Skipped
You have recently joined the Nutex Corporation as the Microsoft Intune Administrator.
Microsoft Intune manages the email accounts and apps on the employees’ mobile
devices. Some employees use Android Enterprise licenses, while new hires do not have
these licenses. All mobile devices are managed by Intune.
After a new app was made available through a Managed Google Play account and an
app assignment, existing and new employees cannot find it on their mobile devices. You
are tasked with investigating the cause of the issue and recommending a suitable fix.
Which of the following are the probable causes of this issue? (Choose all that apply.)
(Correct)
(Correct)
C) App has new app permissions that are not yet configured as part of the
app configuration policy.
(Correct)
•
D) App assignment is set to Available for enrolled devices.
If the app has new app permissions that are not yet configured as part of the app
configuration policy, users may not be able to find it on their mobile devices. When an app is
added to Intune as a Managed Google Play app, its Approval Settings can be set to revoke the
app's approval when it requests new permissions. In that case the app is no longer visible in
the Managed Google Play store until it is re-approved. You would revisit the app, review the
new permissions, and approve them.
If an app assignment is not yet configured for new users, they may not be able to find the app
on their mobile devices. The app assignment can be assigned to groups of users. In this
scenario, it is possible that the wrong group was targeted in the assignment. Apps are not
installed on devices and app configuration policies do not take effect without an app
assignment. A new app assignment must be created with the Available with or without
enrollment option for new users.
If an app assignment is set to Uninstall, users will not find the app installed on their mobile
devices. When this option is selected for an existing assignment, the app is uninstalled from
the devices in the selected groups if the existing assignment was used to install the app via an
“Available for enrolled devices” or “Required” option.
If an app assignment is set to Available for enrolled devices and the app assignment is set to
the correct group of users, the app will appear on a user’s mobile device. When an app
assignment is set to Available for enrolled devices, the Android device needs to be enrolled
in Intune, which is true in this scenario. The users’ devices will need to be enrolled in Intune
using Android Enterprise licenses, and the app must be assigned to new users, or a new app
assignment must be created with the Available with or without enrollment option for new
users.
If an app assignment is set to Required, the app will be automatically installed on all
enrolled devices of the users in the groups selected for app assignment. The users’ devices
will need to be enrolled in Intune using Android Enterprise licenses, and the app must be
assigned to new users.
The following table displays options that are available to assign apps to devices and users:
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
CodeTwo > Microsoft 365 & Exchange Admin's Blog > How to deploy and configure
Microsoft Outlook for Android via Intune: A complete guide
Question 26:
Skipped
You are an enterprise admin for the Verigon Corporation. Your company promotes a
BYOD program for its employees so that they can work with their mobile device of
choice. Since these are personal devices, they cannot be enrolled in the company’s
MDM. You want to create a policy that will confirm a user’s identity when they access a
corporate app.
A) Create an AppLocker policy using Group Policy and export it from the
GPO to deploy it using Microsoft Endpoint Manager.
•
C) Create an Intune app protection policy using Mobile Application
Management that requires a PIN to open an app in a work context.
(Correct)
You would not choose to create an Intune app protection policy using Microsoft Endpoint
Manager that requires an Active Directory credential to open an app in a work context. You
cannot use an MDM such as Microsoft Endpoint Manager to manage devices not enrolled
with an MDM. Also, an app protection policy does not require an Active Directory
credential.
You would not choose to create a compliance policy using Intune that requires alphanumeric
passwords to unlock the device. You cannot create a compliance policy for devices not
enrolled with an MDM. You also cannot use Intune to manage devices not enrolled with an
MDM.
You would not choose to create an AppLocker policy using Group Policy and export it from
the GPO to deploy it using Microsoft Endpoint Manager. AppLocker policies only restrict
access to given applications. You cannot deploy AppLocker policies on personal devices, nor
can you use Microsoft Endpoint Manager for devices not enrolled with an MDM.
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Which of the following should you use to configure the automated investigation and
remediation capabilities?
A) Exploit protection
B) Device control
C) Device groups
(Correct)
D) Configuration policies
Explanation
You would use device groups to configure the automated investigation and remediation
(AIR) capabilities. In Microsoft Defender for Endpoint you create a device group, choose its
automation level (for example Full - remediate threats automatically, or one of the Semi
levels that require approval before remediation), and assign devices to it; AIR then acts at
that level on every device in the group.
Note that Defender for Business sets the AIR level to full automation by default.
Configuration policies do not set the automation level. App configuration policies help
organizations eliminate app setup problems by auto-configuring apps when the users install
them on their devices. For apps with app configuration policies, users do not need to take
action. App configuration policies also reduce help desk calls from users for issues related to
app settings.
Device control is a profile type that can be used when configuring an attack surface
reduction (ASR) policy. Using this profile, you can allow or block hardware device installation
by device identifiers, block write access to removable storage, and scan removable drives
during a full scan.
Exploit protection is a profile type that can be used when configuring an ASR policy. Using
this profile, you can control the following settings:
• Upload XML
• Block users from editing the Exploit Guard protection interface
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
Question 28:
Skipped
50 computers that run Windows 10 will be deployed to Azure Active Directory. These
computers will be joined to the Microsoft Azure Active Directory (Azure AD) domain
and enrolled in Microsoft Intune.
You must configure a device restriction policy for the 50 deployed computers in Azure
Active Directory. Which three settings should you configure in Device restrictions?
Click the exhibit to select the correct setting.
•
A) 3,96,341,137
B) 5,358,343,402
C) 4,403,345,445
•
D) 3,579,344,623
(Correct)
E) 1,139,343,180
F) 3,449,342,488
G) 4,184,342,224
H) 4,52,341,94
I) 1,533,344,580
J) 6,228,344,268
K) 4,316,343,359
L) 2,272,344,312
(Correct)
M) 6,491,340,530
(Correct)
Explanation
The configuration of Intune device policy is similar to the following graphic:
However, in this scenario, you should choose the following device restrictions:
Microsoft Defender Antivirus settings allows you to scan all scripts loaded into Microsoft
Edge and enable real-time monitoring for malware, spyware, or other unwanted software and
scripts.
Microsoft Defender SmartScreen settings allow you to enable SmartScreen, which protects
users from potential phishing scams. It can also prevent users from going to known malicious
sites and from downloading unverified files.
Locked screen experience settings allow you to prevent a user from interacting with Cortana
after the active user has stepped away from the device and the lock screen appears.
App store settings allow apps installed from the Microsoft Store to be updated automatically.
Cloud and storage settings allow you to prevent end users from adding a Microsoft account to
the device.
Cloud printer settings allow you to configure the printer discovery URL, the printer access
authority URL, and other settings.
Display settings allow you to enable GDI DPI scaling for applications that are not DPI aware.
Microsoft Edge Browser settings allow you to configure the browser such as running the
browser in kiosk mode, configuring the start experience, configuring the favorites,
configuring the default search engine, allowing InPrivate browsing, or configuring browser
history settings.
Windows Spotlight settings will disable Windows Spotlight on Windows Tips, Microsoft
consumer features, or on the locked screen.
Personalization settings allow you to configure a background picture URL for the desktop.
Password settings allow you to specify the minimum password length, number of sign-in
failures before wiping the device, and other password settings.
Network proxy settings allow you to detect proxy settings automatically or to use a manual
proxy server.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Device restriction settings for Windows 10/11 in Microsoft Intune | Microsoft Learn
Question 29:
Skipped
You are a security administrator for Verigon Inc. Your organization has a Microsoft
Intune subscription. You plan to implement an app configuration policy for a business-
critical app that employees use. The policy must enforce the following:
• Require a minimum password length of 8 characters.
• Enable data encryption.
• Restrict the app from accessing the device camera.
Which of the following are NOT methods used to implement an app configuration
policy in Microsoft Intune? (Choose all that apply.)
•
A) Configuration designer
B) JAMF Pro
(Correct)
C) JSON file
D) XML file
(Correct)
Explanation
Jamf Pro and Mobile Application Management (MAM) are not methods for entering
configuration settings in an Intune app configuration policy. Jamf Pro is a third-party Apple
device management product; Intune can integrate with it (for example, to feed macOS
compliance into Conditional Access, and it can onboard Macs to Microsoft Defender for
Endpoint), but it is not an option in the Intune app configuration policy wizard. MAM is the
Intune capability that app protection and app configuration policies belong to, not a format
in which their settings are written.
When configuring an app configuration policy in the Microsoft Intune admin center, you
choose a configuration settings format: the configuration designer, which presents the app's
supported keys as form fields, or the JSON editor, in which you enter the managed
configuration directly as JSON.
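Both this question and Question 21 turn on the JSON format that the Intune app configuration
policy editor accepts for managed Google Play apps. As an added example (not from the
question bank or the referenced articles), the PowerShell below generates that JSON for
Outlook for Android and validates its shape before you paste it into the editor. The package
name and property keys follow Microsoft's published Outlook for Android configuration keys
and should be verified against current documentation; the helper function names are this
example's own.

```powershell
# Added example (not from the question bank): build and validate the managed
# configuration JSON that Intune's app configuration policy JSON editor accepts
# for a managed Google Play app.
# Assumptions: target app is Outlook for Android (com.microsoft.office.outlook);
# the property keys below are Microsoft's documented Outlook keys (verify before use).

function New-ManagedConfigurationJson {
    param(
        [Parameter(Mandatory)] [string]    $PackageId,
        [Parameter(Mandatory)] [hashtable] $Properties   # key -> string / bool / int value
    )
    # Each managedProperty carries exactly one typed value field.
    $managed = foreach ($k in $Properties.Keys) {
        $v = $Properties[$k]
        switch ($v.GetType().Name) {
            'Boolean' { @{ key = $k; valueBool    = $v } }
            'Int32'   { @{ key = $k; valueInteger = $v } }
            default   { @{ key = $k; valueString  = [string]$v } }
        }
    }
    @{
        kind            = 'androidenterprise#managedConfiguration'
        productId       = "app:$PackageId"
        managedProperty = @($managed)
    } | ConvertTo-Json -Depth 5
}

function Test-ManagedConfigurationJson {
    param([Parameter(Mandatory)] [string] $Json)
    $cfg    = $Json | ConvertFrom-Json
    $issues = @()
    if ($cfg.kind -ne 'androidenterprise#managedConfiguration') { $issues += 'kind is wrong' }
    if ($cfg.productId -notmatch '^app:[A-Za-z][\w\.]+$') { $issues += 'productId must be app:<package>' }
    foreach ($p in $cfg.managedProperty) {
        $values = @($p.PSObject.Properties.Name | Where-Object { $_ -like 'value*' })
        if ($values.Count -ne 1) { $issues += "property '$($p.key)' must carry exactly one value* field" }
        # A policy is delivered to every user in the group: a hard-coded mailbox
        # would put one person's identity on everyone's device. Require a token.
        if ($p.valueString -match '@' -and $p.valueString -notmatch '^\{\{.+\}\}$') {
            $issues += "property '$($p.key)' hard-codes an address; use {{userprincipalname}} or {{mail}}"
        }
    }
    return $issues
}

$json = New-ManagedConfigurationJson -PackageId 'com.microsoft.office.outlook' -Properties @{
    'com.microsoft.outlook.EmailProfile.EmailAddress' = '{{userprincipalname}}'
    'com.microsoft.outlook.EmailProfile.EmailUPN'     = '{{userprincipalname}}'
    'com.microsoft.outlook.EmailProfile.AccountType'  = 'ModernAuth'
    'com.microsoft.outlook.Mail.FocusedInbox'         = $false
}
$problems = Test-ManagedConfigurationJson -Json $json
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { $json | Set-Content -Path .\outlook-android-config.json; Write-Host 'JSON written.' }
```

The {{userprincipalname}} and {{mail}} tokens are substituted per user by Intune when the
policy is delivered, which is why the validator insists on them rather than on literal
addresses.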
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Add app configuration policies for managed iOS/iPadOS devices - Microsoft Intune |
Microsoft Learn
Add app configuration policies for managed Android Enterprise devices - Microsoft Intune |
Microsoft Learn
Question 30:
Skipped
You have an Azure Active Directory (Azure AD) tenant named Nutex.com.
Nutex has purchased another company named Verigon Inc. Nutex plans to integrate the
assets of Verigon Inc into Nutex.com. Verigon Inc has an on-premises domain that uses
group policy object (GPO) settings to configure Office, Microsoft Edge, Firefox, and
Visual Studio for users and Windows 10 and 11 clients.
You must migrate the settings from Verigon’s GPOs into Intune and ensure they only
apply to specific IT groups.
Which three actions in the Microsoft Intune admin center should you perform in
sequence?
(Correct)
•
C) Import the ADMX and ADML files
(Correct)
(Correct)
ADMX and ADML files contain settings for Office, Microsoft Edge, and Visual Studio, as
well as third-party apps and browsers, such as Firefox. You can copy these files from the
central store of Verigon's Active Directory domain. The central store is a folder in the
SYSVOL share, replicated to every domain controller, with the following path:
\\verigon.com\SYSVOL\verigon.com\Policies\PolicyDefinitions
The ADMX files sit in that folder and the ADML (language) files in a language subfolder such
as en-US.
You would first add the ADMX files by importing them into the Microsoft Intune admin
center.
You should then specify your ADML file's language and the ADMX file's version.
You should create a device configuration profile using the imported files in the Microsoft
Intune admin center. You should choose Windows 10 and later as the platform and
choose Imported Administrative templates as the profile type, then assign the profile to
the Azure AD groups that should receive the settings.
Scope tags are optional. A scope tag such as Canada-IT-Department limits which
administrators can see and manage the profile; it does not by itself decide which devices
receive the settings, which is controlled by the profile's assignments.
You would not import the NTCONFIG.POL file. This file is used by Windows XP-based,
Microsoft Windows 2000-based, and Microsoft Windows Server 2003-based client
computers to configure system policies in a non-Active Directory environment. GPOs
configure system policies in an Active Directory environment. You cannot import .POL files
in the Microsoft Intune admin center.
You would not create a compliance policy. Compliance policies allow you to ensure that
users and devices meet certain health specifications. Compliance policies are based on
platforms such as Windows, iOS, and Android. You cannot import ADMX or ADML files
into a compliance policy.
You would not create a conditional access policy. Conditional access policies allow you to
enforce policies to users and devices by allowing access, blocking access, or requiring multi-
factor authentication. You cannot import ADMX or ADML files into a conditional access
policy.
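Before importing Verigon's files, a practitioner would inventory the central store: each
ADMX needs its ADML in the chosen language, and an ADMX that references another
namespace requires that file to be imported first, or the import fails. The PowerShell below
does that inventory; it is an added example, not part of the question bank or the referenced
article, and the path, language, and function name are assumptions based on the scenario.

```powershell
# Added example (not from the question bank): inventory a domain's ADMX central store
# before importing the files into Intune. For every ADMX it reports the namespace it
# defines, the namespaces it depends on (via <using> elements), whether the matching
# ADML exists, and a SHA-256 so the copy you upload can be tied back to SYSVOL.
# Assumptions: domain verigon.com, language en-US.

function Get-AdmxImportPlan {
    param(
        [string] $CentralStore = '\\verigon.com\SYSVOL\verigon.com\Policies\PolicyDefinitions',
        [string] $Language     = 'en-US'
    )
    foreach ($admx in Get-ChildItem -Path $CentralStore -Filter *.admx -File) {
        $adml = Join-Path (Join-Path $CentralStore $Language) ($admx.BaseName + '.adml')
        $xml  = [xml](Get-Content -LiteralPath $admx.FullName -Raw)
        $ns   = $xml.policyDefinitions.policyNamespaces     # <target> and zero or more <using>
        [pscustomobject]@{
            Admx        = $admx.Name
            Namespace   = $ns.target.namespace
            DependsOn   = @($ns.using | ForEach-Object { $_.namespace }) -join ', '
            AdmlPresent = Test-Path -LiteralPath $adml
            Sha256      = (Get-FileHash -LiteralPath $admx.FullName -Algorithm SHA256).Hash
        }
    }
}

$language = 'en-US'
$plan = Get-AdmxImportPlan -Language $language

# Files with no dependencies sort first; import in this order so references resolve.
$plan | Sort-Object DependsOn | Format-Table Admx, Namespace, DependsOn, AdmlPresent -AutoSize

# Intune needs both halves: an ADMX without its ADML will not import.
$plan | Where-Object { -not $_.AdmlPresent } |
    ForEach-Object { Write-Warning "No $language ADML for $($_.Admx); the Intune import will fail." }
```

Recording the hash matters because the central store is writable by domain administrators
and replicated everywhere; a template that does not match the vendor's published file is
worth a second look before it becomes tenant-wide policy.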
Objective:
Manage applications
Sub-Objective:
Deploy and update apps for all supported device platforms
References:
Import custom and third party partner ADMX templates in Microsoft Intune | Microsoft
Learn
Question 31:
Skipped
You are a system administrator for Verigon Inc. Your organization has an Azure
environment that includes 20 Windows Server 2022 and 1,000 Windows 11 devices.
You plan to configure an attack surface reduction (ASR) policy for the following
requirements:
To meet the above requirements, which profile types should you use while configuring
the ASR policy? (Choose all that apply.)
(Correct)
C) Application control
(Correct)
D) Exploit protection
E) Device control
F) Web protection
Explanation
In the given scenario, you would use application control and attack surface reduction rules
when configuring an ASR policy. The attack surface reduction rules profile can block
credential stealing from the Windows local security authority subsystem (lsass.exe). The
application control profile can block users from ignoring Windows SmartScreen warnings.
The following profile types are supported in Windows 10 and later:
• App and browser isolation – Using this profile, you can control the following settings:
• Turn on Microsoft Defender Application Guard, which allows Application
Guard access to:
• print to PDF, XPS, and local or network printers
• text or image copy
• cameras and microphones
• use of Root Certificate Authorities from the user's device
• Windows network isolation policy
• Application control – Using this profile, you can configure the following Microsoft
Defender Application control settings:
• App locker application control
• Block users from ignoring SmartScreen warnings
• Turn on Windows SmartScreen
• Device control – Using this profile, you can control several settings, including:
• Allow hardware device installation by device identifiers
• Block hardware device installation by device identifiers
• Block write access to removable storage
• Scan removable drives during full scan
• Exploit protection – Using this profile, you can control the following settings:
• Upload XML
• Block users from editing the Exploit Guard protection interface
• Web protection (Microsoft Edge Legacy) – Using this profile, you can control the
following settings:
• Enable network protection
• Require SmartScreen for Microsoft Edge
• Block malicious site access
• Block unverified file download
The following profile types are supported in Windows 10 and later (ConfigMgr):
• Exploit protection
• Web protection
The following profile types are supported in Windows 10, Windows 11, and Windows
Server:
• Attack surface reduction rules – Using this profile, you can control several settings,
including:
  • Block persistence through Windows Management Instrumentation (WMI)
event subscription
  • Block credential-stealing from the Windows local security authority
subsystem (lsass.exe)
  • Block Adobe Reader from creating child processes
  • Block Office applications from injecting code into other processes
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
Question 32:
Skipped
A recent audit of the help desk showed that 40% of help desk personnel time was spent
dealing with password issues from employees. After implementing smart card readers
with employee computers that run Windows 7, your company has decided to replace all
the old computers with new computers that run Windows 10. Your company has
decided to implement Windows Hello on all the company's Windows 10 computers. All
the new computers are equipped with a 3D camera.
One of the computers used by an employee, Jack Smith, was stolen by his twin brother
who works for a rival company. Jack's twin brother was able to easily access all files on
the computer.
You must implement a plan to ensure a data theft like this will not happen again. The
solution should cost as little money as possible since the budget has already been
exhausted. You also must ensure that users do not have to memorize any passwords or
keys. What should you recommend?
C) Require the employees to set up Windows Hello again and configure the
options under Improve recognition.
(Correct)
You cannot add a chemical biometric device to a Windows 10 computer. Although these
biometric devices can provide a DNA print that would be unique to a user, the devices are not
currently supported by Windows 10 and would require an extra expense.
You should not add HD audio microphones to all Windows 10 computers or use the existing
microphone on all Windows 10 computers to create a voiceprint. Windows Hello does not
support voiceprints as an authentication method.
You should not add a smart card reader to all Windows 10 computers, and configure Group
Policy to ensure that employees must use the smart card to log in. Although you do not have
to purchase smart card readers because you used them with the old Windows 7 computers,
the use of smart cards will require the user to know a PIN to log on. One of the requirements
was that you would not require users to remember a password or possess a key.
Objective:
Manage identity and compliance
Sub-Objective:
Manage identity
References:
Windows Hello for Business Overview - Windows Security | Microsoft Learn
Question 33:
Skipped
You have computers that run Windows 10 Cloud. The computers are joined to
Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune. You
need to perform the following:
• Upgrade the computers to Windows 10 Enterprise
• Create a WiFi profile
• Block JavaScript on certain sites in Microsoft Edge
(Correct)
Explanation
You should set a device configuration profile. A device configuration profile allows you to
do the following:
• Perform edition upgrades, such as going from the Cloud edition to the Enterprise
Edition or going from the Pro Edition to the Enterprise edition
• Manage software updates, even when the updates are installed
• Allow or prevent access to Bluetooth on the device
• Set up a VPN or WiFi profile
• Use a profile template that blocks JavaScript on certain sites in Microsoft Edge.
You should not configure a device enrollment policy. A device enrollment policy specifies
how a device can be enrolled. You can use a device enrollment policy to restrict devices
from enrolling by platform, such as Android, Windows, or iOS. You can also specify settings
at enrollment, such as whether a reset is required, whether user affinity is used, or whether
the device is locked.
You should not use a device cleanup rule. A cleanup rule can be used to specify what to do
with a device when it is no longer needed, such as wiping the device or retiring the device.
A device compliance policy allows devices to meet compliance requirements. With a device
compliance policy, you can define rules and settings for compliance for security settings,
such as:
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Question 34:
Skipped
Verigon Corporation will be using Microsoft Intune to control access to Office 365
applications for all their locations. You need to ensure that all Finance group members
can access Excel Online from their Windows 10 laptops only via Multi-Factor
Authentication (MFA).
Which required settings in your access policy must you configure? (Choose all that
apply.)
A) 25,469,417,534
(Correct)
B) 21,174,414,219
(Correct)
C) 26,623,418,691
(Correct)
D) 25,382,414,450
(Correct)
E) 413,363,27,302
(Correct)
F) 26,824,413,896
(Correct)
Explanation
You will have to give the policy a name.
You will want to configure Users and Groups in the Assignment section. Here you can
choose the Finance group.
You will want to configure the Cloud Apps section to include the desired Office 365
applications. This is where you would choose Excel Online.
You will want to configure Conditions in the Assignment section. This is where you can add
the desired device platform.
You will want to configure the Grant portion of the Access Control section. This is where
you require MFA.
Note that you will also want to configure the Session section of Access controls.
Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune
References:
What is Conditional Access in Azure Active Directory? - Microsoft Entra | Microsoft Learn
How to configure Microsoft Intune / Azure AD Conditional Access to Microsoft Office 365
Exchange Online
Question 35:
Skipped
You are a system administrator for your organization, Nutex, Inc. They have several
Windows 10 Enterprise devices that are enrolled with Microsoft Intune. You are
planning to upgrade the Windows 10 devices to Windows 11 Enterprise.
To achieve the objective, you have created feature updates policies in Microsoft Intune
and assigned feature updates for the Windows 10 devices.
Some users report issues after the feature update policy is applied and the Windows 10
devices are upgraded to Windows 11. You want to roll back the feature updates for
these devices.
How many days after upgrade does Microsoft allow you to roll back feature updates?
A) 30
B) 20
C) 40
D) 10
(Correct)
Explanation
Microsoft provides a 10-day grace period to roll back feature updates to Windows 10. If you
pass this grace period, you have to back up your data and perform a clean installation of the
Windows 10 operating system. To roll back feature updates to Windows 10, you have to
navigate to Settings > System > Recovery > Go back and select the build of Windows 10
you want to restore.
If the Go back option under the Recovery page is grayed out (as shown in the exhibit), this
means that the 10-day grace period is over, and you will have to re-install Windows 10
manually.
Rolling back to Windows 10 will keep your files intact without requiring additional steps.
Microsoft used to allow 30 days to roll back but has shortened the rollback grace period to 10
days.
20, 30, and 40 days are invalid options and therefore are incorrect answers.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device updates for all supported device platforms by using Intune
References:
Configure feature updates policy for Windows 10 Windows 11 devices in Intune | Microsoft
Learn
PC Mag > Upgrade to Windows 11, and You'll Get 10 Days to Roll Back to Win 10
Question 36:
Skipped
Your network contains an Active Directory domain named nutex.com. The domain
contains computers that run Windows 10 and are enrolled in Microsoft Intune. Updates
are deployed by using Windows Update for Business and use the Semi-Annual Channel.
You need to configure the Windows 10 Update Rings in Intune to meet the
requirements. Which two settings should you change? (Click the image to select the
settings.)
A) 12,329,280,348
B) 11,188,281,208
(Correct)
C) 12,368,280,386
D) 12,228,281,248
E) 12,108,280,126
F) 13,69,281,85
G) 9,288,279,307
(Correct)
H) 12,148,282,168
Explanation
You should change the Feature update deferral period (days) setting. This setting
configures the number of days for which Feature Updates, such as Windows features, are
deferred. In this scenario, the IT support team must test new Windows features for at least a
week before allowing clients to use them.
You should change the value of the Automatic update behavior setting from Notify
download to Auto install and restart at maintenance time. The Auto install and restart
at maintenance time setting allows the device to download and install updates during automatic
maintenance when the device is not in use or running on battery power. The Notify
download setting only notifies the user before downloading updates.
You can configure the Automatic update behavior setting with the following values:
• Notify download – Users are notified before downloading the update. Users can
choose to download and install updates.
• Auto install at maintenance time – Updates are downloaded automatically and then
installed during Automatic Maintenance only when the device is not in use or running
on battery power. Users are prompted to restart when a restart is required. The restart
can be delayed for up to seven days and then restart is forced.
• Auto install and restart at maintenance time – Updates are downloaded
automatically and then installed during Automatic Maintenance only when the device
is not in use or running on battery power. The device restarts when not being used if a
restart is required.
• Auto install and restart at scheduled time – Sets an installation day and time for
updates. Runs at 3 AM daily followed by a 15-minute countdown to a restart if no
time is specified. Users currently logged on can delay the restart of the device.
• Auto install and reboot without end-user control – Sets the end user’s control
panel to read-only when updates are downloaded automatically and then installed
during Automatic Maintenance, only when the device is not in use or running on
battery power.
• Reset to default – Resets Windows 10 machines that have the October 2018 Update
or later to the original auto-update settings.
You should not change the Microsoft product updates setting from Allow. This setting
allows a scan for Microsoft product updates. You want to ensure that updates are installed on
the computers.
You should not change the Windows drivers setting. This setting includes Windows Updates
for drivers during updates.
You should not change the Set feature update uninstall period (days) setting. This setting
sets the time after which feature updates cannot be uninstalled.
You should not change the Restart checks setting. This setting allows checks such as
checking for active users, battery levels, running games, and more.
You should not change the Quality update deferral period (days) setting from 0. This
setting is for updates that are typically fixes and improvements to existing Windows
functionality. Leaving the setting at 0 keeps the deferral period at 0 days, so quality
updates are not delayed.
You should not change the Windows Update notification level setting. This setting controls
the level of Windows Update notifications that users see. This setting does not configure
when or how updates are downloaded and installed.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device updates for all supported device platforms by using Intune
References:
Windows Update settings you can manage with Intune Update Ring policies for Windows
10/11 devices. | Microsoft Learn
Question 37:
Skipped
You have been implementing security baselines in Intune for a few weeks. You need to
see a report of which computers running Windows 10 are currently not meeting the
security baselines being enforced.
How long does it take to get baseline-related information into the Security Baseline
monitoring reports?
A) 2 hours
B) 48 hours
C) 6 hours
(Correct)
D) 24 hours
Explanation
When implementing Security Baseline Monitoring, Intune changes take six hours to appear in
the reports. When first implementing the system, it will take 24 hours for the data to appear,
but in this question the system has been in place for a few weeks and the existing data will
already show there.
Two hours is not enough time for baseline data to be shown in the overview reports.
The changes to Security Baseline data will show up way before a 48-hour time period has
elapsed.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
Check the success or failure of security baselines in Microsoft Intune | Microsoft Learn
Question 38:
Skipped
You have several Windows 11 computers that are deployed with Microsoft Intune. You finish
troubleshooting an issue with a computer in the Sales department using the
Troubleshooting + Support option of Microsoft Endpoint Manager admin center. You notice
that a Windows 11 computer in the Marketing department shows that the Azure AD
compliant status is No.
Which of the following should you do to resolve the problem with the Marketing department
computer?
(Correct)
You do not have to unenroll and then re-enroll the device. You would have to take this action
if the Azure AD Join Type displayed Not Registered as its status. Typically, re-enrolling the
device will fix this issue.
You do not have to remove all app protection policies. App protection policies safeguard data,
applications, and devices by using the user’s identity to protect company data by separating
personal data from work data. App protection policies can control the share of data between
apps and prevent saving work data to personal storage. They would not affect the Azure AD
compliant status.
You do not have to run Windows Update on the computer. It is essential to stay current with
any security patches or fixes. However, running Windows Update would not change
the Azure AD compliant status.
Objective:
Manage identity and compliance
Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune
References:
Question 39:
Skipped
All users in the Engineering department use Windows 10. A MAM policy was created to
protect corporate data when using Excel Online, PowerPoint Online, and Word Online.
The policy is causing problems when Engineering users try to use Excel Online on
mobile devices.
What could prevent the MAM policy from working for the Engineering department?
(Correct)
It is unlikely that the problem is that the users do not have an Office 365 license. The other
Office 365 applications are working properly with the policy.
It is unlikely that the problem is the users are not on a managed device. Mobile Device
Management (MDM) can work with MAM via Intune, but it is not required. MAM can work
with other third-party MDM solutions, or even none at all for mobile devices.
It is unlikely that the problem is the users are on Android devices. MAM works with both
Android and iOS.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Validate your app protection policy setup - Microsoft Intune | Microsoft Learn
Question 40:
Skipped
You are a system administrator for the Nutex Corporation. Nutex has an Azure Active
Directory (Azure AD) environment. All client devices in your organization run the
Windows 11 Enterprise operating system.
You have deployed updates to all the Windows 11 devices using Microsoft Intune. You
need to ensure the following update compliance requirements are met:
A) Windows 10 and later update rings report in Intune
(Correct)
None of the other options can provide all of the update compliance features.
The Windows 10 and later update rings report in Intune, the Windows 10 and later feature
updates report, and the Feature update failure report will not display information about
bandwidth usage and savings for devices displayed through Delivery Optimization.
Using Microsoft Intune, you can deploy updates to Windows 11 devices by using policies for
update rings for Windows 10 or later and feature updates for Windows 10 or later. To
monitor and troubleshoot update deployments, Microsoft Intune provides the following
reporting options:
• Windows 10 and later update rings – This is a built-in report that is ready by default
when you deploy update rings to your devices.
• Windows 10 and later feature updates – This option uses two built-in reports that
work together to gain a better understanding of the update’s status and issues found.
The Feature update failure report is not used to monitor Windows update rollouts. The data in
the Microsoft Intune reports for feature updates for Windows 10 and later policy is used for
the below reports:
Sub-Objective:
Manage device updates for all supported device platforms by using Intune
References:
Windows Update for Business reports overview - Windows Deployment | Microsoft Learn
Question 41:
Skipped
You are a security administrator for Verigon Inc. Your organization has a Microsoft
Intune subscription. You have implemented an app configuration policy for the
productivity app used by the employees.
A user has reported that the app configuration policy has yet to be enforced. You want
to validate the app configuration policy on the user’s device.
Which of the following is NOT a method that can be used to validate the app
configuration policy?
C) Verify in the Microsoft Intune admin center by clicking Apps > All Apps
and selecting the productivity app.
D) Verify in the Microsoft Intune admin center by clicking Apps > Monitor >
App protection status and then selecting the productivity app.
(Correct)
Explanation
An app configuration policy cannot be validated by navigating to Apps > Monitor > App
protection status and selecting the productivity app. If you observe that the app configuration
policy is not functioning as expected on the user’s device, you would check whether the user
is licensed for Microsoft 365.
You can validate the app configuration policy using any of the following three methods:
• Verify the app configuration policy visibly on the user’s device. Check and confirm
that the app configuration policy is functioning the way it is expected to.
• Verify via Diagnostic Logs.
• Verify in the Microsoft Intune admin center, click Apps > All Apps, and select the
productivity app. Under the Monitor section, click either Device install status or User
install status (as shown in the exhibit).
• You can also check for assigned app configuration policies from the Microsoft Intune
admin center by navigating to Devices > All Devices and selecting the device
under App configuration.
To check the user app protection status, log in to the Microsoft Intune admin center, navigate
to Apps > Monitor > App protection status, and click the Assigned user's tile. On the App
reporting page, click Select User, and select the user from the search list. Here you can check
whether the user is licensed for app protection and has a Microsoft 365 license.
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Validate your app protection policy setup - Microsoft Intune | Microsoft Learn
Question 42:
Skipped
You have recently joined the Nutex Corporation as the Microsoft Intune administrator.
Microsoft Intune is used to manage the office email accounts and apps on the
employees’ mobile devices. Some employees use Android Enterprise licenses, but new
hires do not have these licenses. You are asked to develop a plan to implement app
configuration policies for all employees.
Which of the following statements about app configuration policies available with
Microsoft Intune are TRUE? (Choose all that apply.)
(Correct)
(Correct)
App configuration policies help organizations eliminate app setup problems by auto-
configuring apps when the users install them on their devices. For apps with app
configuration policies, users do not need to take action. App configuration policies also
reduce help desk calls from users for issues related to app settings.
App configuration policies can be applied to mobile devices whether they are enrolled in
Intune or not. The configuration in an app configuration policy can be delivered through the
Mobile Device Management (MDM) OS channel on enrolled devices (which includes
the Managed App Configuration channel for iOS or the Android Enterprise channel for
Android) or through the Mobile Application Management (MAM) channel. To create and
apply an app configuration policy to enrolled devices, select Managed devices as the Device
enrollment type for the policy. To create and apply an app configuration policy to other
devices, select Managed apps as the Device enrollment type for the policy and use an Intune
app protection policy to protect app data.
Objective:
Manage applications
Sub-Objective:
Plan and implement app protection and app configuration policies
References:
Question 43:
Skipped
Users in the PC Support group in the IT department enroll devices for employees in the
Nutex Corporation. When the PC Support group accesses the Microsoft Intune
company portal, text appears at the bottom of the sign-in page. You want to ensure
that when the PC Support group visits the sign-in page they view the new legal
statement that the HR department has released.
Which menu option should you choose to configure this? (Click the image to select the
correct option.)
A) 34,210,214,238
(Correct)
B) 34,92,215,125
C) 38,284,211,313
D) 34,170,217,200
E) 38,247,215,275
F) 33,133,216,162
G) 38,322,212,351
Explanation
You should choose the Company branding option. The Company branding option is
typically used for adding the company name and logo that appears during the Out-of-Box
Experience (OOBE) in Windows Autopilot. With the Company branding option, you can
configure the following:
• A background image for the page. The image is limited to 1920x1080 pixels.
• A banner logo, which can be the company or department logo.
• A Username hint to help users who may have forgotten their username.
• Sign-in page text. This text can contain additional information such as a legal
statement or a phone number or email address for the help desk.
All other options are incorrect because you cannot specify the sign-in text on the Company
Portal.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Add branding to your organization's sign-in page - Azure AD - Microsoft Entra | Microsoft
Learn
INTUNE - Intune and Autopilot Part 3 - Preparing your environment | Microsoft Learn
Question 44:
Skipped
You are an enterprise admin for the Verigon Company. You want to upgrade your fleet
of company devices to Windows 10 Enterprise using the Subscription Activation
feature.
(Correct)
Provisioning packages are not used to upgrade to Windows 10 Enterprise using the
Subscription Activation feature. With Windows 10 version 1507 and earlier, you can use a
provisioning package to change the SKU.
The Subscription Activation feature does not require Configuration Manager or the Microsoft
Deployment Toolkit, so integration of the two is not required. Configuration Manager allows
you to keep track of company owned hardware and software. The Microsoft Deployment
Toolkit automates Windows client and server deployment.
Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment
References:
Question 45:
Skipped
You are a domain admin for the Verigon Company. Your company currently uses two
Windows Server 2019 virtual machines to host its on-premises Active Directory
environment. You need to deploy Windows 10 Pro to eight existing machines and join
them to your domain. The company does not utilize Configuration Manager.
Which of the following includes the steps necessary to achieve this objective?
(Correct)
You would not choose to create a provisioning package and wrap it up using the Win32 App
Packaging Tool, then upload it to an MDM for deployment. MDM solutions can only deploy
Windows 10 to MDM-enrolled devices, not domain-joined machines.
You would not choose to create a task sequence using the Microsoft Deployment Toolkit and
upload it to Microsoft Endpoint Manager to deploy it. Microsoft Endpoint Manager is an
MDM solution; thus, it can only deploy Windows 10 to MDM-enrolled devices, not domain-
joined machines.
Objective:
Deploy Windows client
Sub-Objective:
Prepare for a Windows client deployment
References:
Question 46:
Skipped
You are a security administrator for Nutex Inc. Your organization has a Microsoft Intune
subscription. Employees use both company-owned and personally owned Windows 11
devices for work purposes. The company-owned devices are enrolled in Microsoft Intune.
You want Intune to collect event data and provide recommendations to improve performance
on the Windows devices.
To achieve the above requirement, you are creating a Windows Health Monitoring device
configuration profile using the Microsoft Intune admin center. You have performed the
following steps:
(Correct)
B) Configure Applicability Rules.
D) In Assignments, select the users or user groups that will receive the
created profile.
Explanation
The next step in the given scenario would be to configure Health
Monitoring under Configuration settings and select Enable.
Below are the steps to create a Windows Health Monitoring device configuration profile:
1. Click Next.
2. In Assignments, select the users or user groups that will receive the created profile
(as shown in the exhibit).
3. Click Next.
4. Configure Applicability Rules (if required) and click Next.
5. Check the configuration and click Create.
Enrolling personal Windows 11 devices in Microsoft Intune is not the next step in the given
scenario. However, if you want personal devices to use the Windows Health Monitoring
feature, you should enroll the personal devices in Microsoft Intune.
You would select the users or user groups that will receive the created profile after enabling
Health Monitoring.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Monitor devices
References:
Question 47:
Skipped
You are the remote desktop administrator for the nutex.com domain. You need to copy
the list of RemoteApp programs and deployment settings from one Remote Desktop
Session Host (RD Session Host) server to another RD Session Host server. This server is
not part of a server farm.
What must you do to ensure that all users can use the RemoteApp programs on the new
server? (Choose all that apply.)
B) Create Windows Installer packages for the new RD Session Host server.
(Correct)
C) Create new .rdp files for the new RD Session Host server.
(Correct)
You do not need to manually update the RemoteApp Programs list on the new RD Session
Host server. The RemoteApp Program list is included in the configuration settings that are
exported from the RemoteApp Manager.
You do not need to manually update the deployment settings on the new RD Session Host server.
The deployment settings are included in the configuration settings that are exported from the
RemoteApp Manager.
Objective:
Deploy Windows client
Sub-Objective:
Configure remote management
References:
Use the winget tool to install and manage applications | Microsoft Learn
Question 48:
Skipped
You are a system administrator for Nutex Corporation. They have 15,000 Windows 11
devices that are managed by Microsoft Intune. You have configured Windows updates
for all devices. However, you have observed a higher bandwidth consumption when
devices download Windows updates.
You are in the process of configuring Delivery Optimization for the devices.
Once you have created the configuration profile, you can assign or deploy that profile to your
Windows devices.
You would not configure Delivery Optimization as part of a device compliance policy using
Microsoft Intune. You would configure a compliance policy to protect your organization’s
resources from devices that are non-compliant with your organization’s security policies.
Using a compliance policy, you can define the rules and settings that users and devices must
meet to be compliant and include those rules that apply to devices that are non-compliant.
You can also combine a compliance policy with Conditional Access, which can block users
and devices that do not meet compliance rules and settings.
You would not configure Delivery Optimization as part of Windows Server Update Service
(WSUS). WSUS provides good control over operating system updates and is natively
available in the Windows Server operating system. You can defer the updates and have the
ability to approve the updates. You can also choose to deploy updates on specific computers
or groups of computers whenever ready. You can utilize Delivery Optimization with
Windows Update, Windows Update for Business, WSUS, or Microsoft Endpoint Manager.
However, it is easier to manage delivery optimization of many Windows devices via a device
configuration profile using Microsoft Intune than using a WSUS server.
You would not configure Delivery Optimization as part of a Windows Autopilot deployment profile
using Microsoft Intune. Windows Autopilot uses various technologies to set up and pre-
configure new devices. It can be used to repurpose, recover, and reset devices. Windows
Autopilot helps IT administrators and reduces the time IT spends on deploying, managing,
and retiring devices. It also minimizes the amount of infrastructure required to maintain the
devices and maximizes ease of use for all types of end users. Autopilot deployment profiles
are used to configure Autopilot devices.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device updates for all supported device platforms by using Intune
References:
Delivery Optimization settings for Windows devices in Microsoft Intune | Microsoft Learn
Question 49:
Skipped
You are an enterprise admin for the Verigon Corporation. You are currently deploying
Windows 10 for all your desktops using Lite Touch Installation. You are having
problems during the deployment process.
You decide to review the logs to aid in identifying the problem. Which of the following
options represent MDT deployment logs? (Choose two.)
(Correct)
(Correct)
Explanation
You would choose the aggregated MDT log, BDD.log, and the Task Sequencer transactions
log, SMSTS.log, because both are MDT deployment log files.
BDD.log is the aggregated MDT Deployment log file that is copied to a network location at
the end of the deployment and can be used to troubleshoot Lite Touch installations.
SMSTS.log is created by the Task Sequencer and describes all Task Sequencer transactions.
You would not choose the User State Migration Toolkit Capture log. The log
file, USMTCapture.log, is used to troubleshoot user state migrations, not Lite Touch
installations.
You would not choose the Task Scheduler History log because these files are used to
troubleshoot scheduled background tasks on any Windows machine and are not associated
with Lite Touch Installation deployments.
You would not choose the Remote Installation Services log. Remote Installation Services is a
legacy Microsoft deployment tool that has been replaced by Windows Deployment Services
and did not support Lite Touch Installation deployments.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft Deployment
Toolkit (MDT)
References:
You have created a configuration profile for the devices. From the Microsoft Endpoint
Manager admin center, you are viewing the status of the configuration profile and
whether it has been successfully assigned to the devices. You observe that the
configuration profile is not assigned to a few devices.
Which profile assignment status helps you understand if the device has not checked in
to receive the configuration policy?
A) Succeeded
B) Conflict
C) Error
D) Pending
(Correct)
E) Not applicable
Explanation
The Pending profile assignment status shows you that the device has not checked in to
receive the configuration policy.
Once you have created your device profile, Microsoft Intune provides graphical charts that
display the status of the profile, which shows whether the profile has been successfully
assigned to the devices or if the profile shows a conflict.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device configuration for all supported device platforms by using Intune
References:
Question 51:
You plan to use Windows Autopilot to add several Windows 10 devices to Azure AD.
These devices will be joined automatically to Azure AD.
All other answers are incorrect. Computer name, MAC address, and IP address are not
needed in the CSV file.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Create device groups for Windows Autopilot - Microsoft Intune - Microsoft Intune |
Microsoft Learn
Question 52:
You are a system administrator for Verigon Inc. Your organization has an Azure Active
Directory (Azure AD) configuration with a Microsoft Intune subscription, and all Windows
11 devices are joined to Azure AD. You have a business-critical application
named BusinessApp1 hosted in the Azure cloud.
You are configuring a Conditional Access policy for the following requirements:
Which options on the image should you choose while configuring a Conditional Access
policy? (Choose all that apply.)
When configuring the Conditional Access policy, you would make these configurations:
• Under Assignments, choose Users to select the identities to whom you want the
policy applied. Click on Users and Groups.
• Under Assignments, configure Cloud apps or actions and select the app for which
you want to apply the Conditional Access policy (in this scenario,
select BusinessApp1).
• Under the Access controls section, click Grant and select Require multi-factor
authentication.
You will need to create a separate Conditional Access policy to meet the requirement that any
potentially compromised user account must be blocked. To do so, select the devices for
which you want the policy to be enforced. Click on Conditions under
the Assignments section, and configure Device platforms (as shown in the image):
You would not configure Session configuration under the Access Controls section in the
given scenario. Session configuration enables you to control user access based on session
controls to enable restricted experiences within the specific cloud applications.
Objective:
Manage identity and compliance
Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune
References:
Set up device-based Conditional Access policies with Intune - Microsoft Intune | Microsoft
Learn
4sysops > Conditional Access: Create policies to secure cloud resources using AAD
authentication
Github > Azure-Docs > howto-conditional-access-policy-block-access.md
Question 53:
You are a desktop administrator for Verigon Corporation based in Orlando, FL. You
are responsible for deploying Windows 11 to all desktops and laptops in the London
branch office. There are no servers in London, but over 500 computers have been
deployed in waves. You need to confirm that all of these devices have the latest
Windows security updates.
You would not use the Upgrade Readiness component of Windows Analytics. That
component determines if a computer is ready to upgrade to Windows 11. Windows Analytics
was deprecated in November 2022.
You would not use Windows Autopilot. Autopilot would be useful for deploying the OS to
new devices, but it is not used to monitor the status of update delivery.
You could use Windows Update for Business to collect diagnostic information, but by itself it
is not a complete monitoring solution. It only gathers data that is used by the Update
Compliance component of Windows Analytics.
You would not use System Center Configuration Manager (SCCM) in this scenario. There is
no server in the branch location. This would not be the best scenario to deliver and monitor
these updates. The Windows Update for Business component is a better way to deliver
updates as it offers a peer-to-peer delivery option that is monitored by the Windows Update
for Business reports.
Objective:
Manage identity and compliance
Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune
References:
Windows Update for Business reports overview - Windows Deployment | Microsoft Learn
Monitor Windows Updates and Microsoft Defender AV with Update Compliance - Windows
Deployment | Microsoft Learn
Question 54:
Dreamsuites Incorporated wants to ensure that the corporate data stored in Office 365
remains secure when Office 365 is accessed from mobile devices. Not all devices that
access Office 365 are company owned.
What action could be taken to offer this protection?
B) Run Mpcmdrun.exe
(Correct)
You do not need to implement Intune MDM. Intune provides both mobile device
management (MDM) and mobile application management (MAM). In this scenario, not all
devices are company owned. You are required to protect the Office 365 apps.
You do not need to create an iOS email profile. The scenario does not indicate the type of
mobile OS being used by the devices, and you need to protect Office 365 applications.
You would not run Mpcmdrun.exe. This is a command-line tool used to manage Windows
Defender Antivirus.
You do not need to create a device compliance policy. The scenario is focused on Office 365
applications, not device management.
Windows Information Protection (WIP) is another technology that can protect laptops, but it
is more directly focused on the data. It uses other Microsoft Information Protection
technologies to protect files that have a sensitivity label.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Create and deploy app protection policies - Microsoft Intune | Microsoft Learn
Enabling Intune: Part 1 – Intune Mobile Application Management Only | Microsoft Learn
Question 55:
You work for Nutex Inc as a system administrator with a global administrator role.
Your organization has Microsoft Intune and Azure AD subscriptions.
You have hired a user named User1 to manage device compliance and Conditional
Access policies in Microsoft Intune.
Which built-in role should you assign to User1 for managing these features in Microsoft
Intune?
C) Cloud PC Administrator
D) Application Manager
Explanation
In the given scenario, you would assign the Endpoint Security Manager built-in role
to User1 to allow them to manage device compliance and Conditional Access policies in
Microsoft Intune.
You can assign built-in roles to groups or users without making any changes to the role
configuration. You cannot delete or edit the name, description, types, or permissions of the
Intune built-in roles.
Endpoint Privilege Manager, Application Manager, and Cloud PC Administrator roles will
not enable the user to manage device compliance and Conditional Access policies in Intune.
The other built-in roles that you can assign to users and groups are:
• Application Manager – granting this role will enable users to manage mobile and
managed applications, read device information, and view device configuration
profiles.
• Endpoint Privilege Manager – granting this role will enable users to manage Endpoint
Privilege Management policies.
• Endpoint Privilege Reader – granting this role will enable users to view Endpoint
Privilege Management policies.
• Help Desk Operator – granting this role will enable users to perform tasks remotely
on users and devices and assign policies or applications to devices or users.
• Intune Role Administrator – granting this role will enable users to manage custom
Intune roles and add assignments for built-in roles. This is the only role that can
assign permissions to administrators.
• Policy and Profile Administrator – granting this role will enable users to manage
configuration profiles, compliance policies, corporate device identifiers, security
baselines, and Apple enrolments.
• Organizational Messages Manager – granting this role will enable users to manage
organizational messages in the Microsoft Intune console.
• Read-Only Operator – granting this role will enable the user to view user, device,
enrolment, configuration, and application information. However, the user cannot
make changes.
• School Administrator – granting this role will enable users to manage Windows 10/11
devices in Intune for Education.
• Cloud PC Administrator – granting this role will enable the user to view and update
all Cloud PC features located within the Cloud PC blade.
• Cloud PC Reader – granting this role will enable the user to view all Cloud PC
features located within the Cloud PC blade.
Objective:
Manage identity and compliance
Sub-Objective:
Manage identity
References:
Question 56:
Dreamsuites Corporation has been using Configuration Manager for their devices, but
has now implemented Windows Intune for their mobile device management solution.
All devices are joined to the Dreamsuites.com domain. Dreamsuites has an Azure AD
Premium subscription. You have been asked to provide a solution to enroll existing
Windows 10 devices in Intune that does not require any end-user interaction.
What methods might meet the Dreamsuites requirement? (Choose all that apply.)
C) Windows Autopilot
(Correct)
E) Bulk enrollment
(Correct)
Explanation
You could use bulk enrollment as an enrollment method. This method requires the creation of
a provisioning package using Windows Configuration Designer (WCD).
You could use a device enrollment manager (DEM) account as an enrollment method. A
DEM account lets a single user account enroll up to 1000 devices.
You could use Hybrid Azure AD Join as an enrollment method. You can set up a GPO for
this purpose to trigger auto-enrollment for domain-joined devices.
Windows Autopilot would be a useful method for the deployment and pre-configuration of new
devices in the future, but the scenario applies to existing devices.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage the device lifecycle in Intune
References:
Question 57:
You have recently joined the Nutex Corporation as the Microsoft 365 Security
Administrator. The employees at Nutex use Windows 11 endpoints, and Microsoft 365
apps are available to all employees. The endpoints and apps are secured using Microsoft
Defender.
The Security team at Nutex has recently implemented Attack Surface Reduction (ASR)
rules in Microsoft Defender. The team is seeing a high number of false positives and
false negatives after enforcing the rules. You are tasked with investigating the cause and
coming up with fixes.
Which of the following can help you fix the false positives and false negatives? (Choose
all that apply.)
Installing and enabling real-time protection in Microsoft Defender Antivirus on the endpoints
is a prerequisite in order to benefit from enabling the ASR rules for endpoints. Real-time
protection policies provide behavior monitoring and heuristics to identify malware based on
known suspicious and malicious activities. Disabling any of the Real-time Protection rules
can result in false negatives. Real-time Protection rules can be enabled on all endpoints by
setting them in the Microsoft Defender Antivirus details > Real-time Protection area in the
Group Policy Editor.
You can add exclusions to the relevant rules to avoid false positives. An exclusion is a list of
files, folder paths, or FQDNs that will be excluded from being processed by the ASR rules.
The exclusion applies to all rules that support exclusions. It cannot be set at the level of a
single rule. With the appropriate files, folders, and FQDNs excluded such that the ASR goals are
still met, exclusions can help you reduce and even fix false positives.
You should report false negatives to Microsoft Support. False negatives are alerts that result
when one or more rules do not work as expected. Ensure that you include adequate diagnostic
data.
Setting the relevant rules to Warn mode does not help fix the issue. The four states of ASR
rules are Disabled, Audit, Warn, and Block. For rules set to Warn mode, users see a dialog
box that indicates the content is blocked. Users can unblock the content. The related
operation is available to the user for 24 hours, and then the block resumes. Warn mode can
help users temporarily unblock false positives, but does not fix the issue with false negatives.
A third-party antivirus solution running on the relevant endpoints is not a reason for false
positives. A prerequisite to benefitting from enabling the ASR rules for endpoints is to use
only Microsoft Defender Antivirus on the endpoints. With a third-party antivirus solution
enabled, Microsoft Defender Antivirus disables itself. So, no alerts will be generated from the
relevant endpoints.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Implement endpoint protection for all supported device platforms
References:
Enable and configure Microsoft Defender Antivirus always-on protection | Microsoft Learn
Microsoft Defender Antivirus compatibility with other security products | Microsoft Learn
Question 58:
You are an enterprise admin for the Verigon Corporation.
You want to deploy security and critical updates for your MDM-enrolled Windows 10
laptops that are being used by company employees.
You would not choose to create a Windows 10 feature updates policy in Microsoft Endpoint
Manager. Windows 10 feature updates introduce new features and functionality to Windows
10 and do not involve security or critical updates.
You would not choose to create and populate a Windows 10 update ring using Windows
Server Update Services (WSUS). WSUS is not used to update MDM-enrolled machines. It is
used in conjunction with Group Policy to update domain-joined machines.
You would not choose to enroll the laptops in the Windows Insider Program for Business
Channel because this is not used to deploy security and critical updates. It is used to validate
feature updates in advance of their release.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device updates for all supported device platforms by using Intune
References:
Learn about using Windows Update for Business in Microsoft Intune | Microsoft Learn
Windows client updates, channels, and tools - Windows Deployment | Microsoft Learn
Question 59:
You are a system administrator for your organization. They have several Windows 11
devices and iOS 10.3 supervised devices. You use Microsoft Intune device configuration
profiles to manage software updates for the iOS supervised devices.
While configuring the policy for the iOS updates, you chose to deploy an older version
of the software update. What must you do to prevent users from updating the OS
manually?
C) Deploy a device restriction profile to allow visibility of software updates.
When using update policies for iOS devices, you may have to delay the visibility of iOS
updates. You can delay the visibility of the software updates to prevent users from updating
the OS manually, or deploy an older update while preventing users from installing a more
recent one.
To delay visibility, you should deploy a device restriction template with the following
configuration settings:
Deploying a device restriction profile to allow visibility of software updates is not the correct
answer in the given scenario. By default, users have visibility of software updates, and update
profiles do not prevent users from updating the OS manually.
You should not unenroll the device using Apple Business Manager. The device will not be a
supervised device once unenrolled by Apple Business Manager. You can use Microsoft
Intune device configuration profiles to manage software updates for iOS / iPad devices
enrolled as supervised devices.
Configuring the iOS update policy to update the devices during a scheduled time is not the
correct answer in the given scenario. While configuring the iOS update policy, you can
configure a schedule during which the update will be installed.
Objective:
Manage, maintain, and protect devices
Sub-Objective:
Manage device updates for all supported device platforms by using Intune
References:
Use Microsoft Intune policies to manage iOS/iPadOS software updates | Microsoft Learn
Question 60:
You are a laptop administrator for the Nutex Corporation. You are currently taking
advantage of Group Policy to control configuration of your Windows 10 devices. Nutex
is moving to Intune to manage these devices. All laptops are running the latest version
of Windows 10. You are concerned about the precedence of possible conflicting policies
between Group Policy and Intune MDM. For now, you want Group Policy to "win" if
there is a conflict.
What steps could assist you in this process? (Choose all that apply.)
You will want to configure the ControlPolicyConflict Group Policy setting. This will allow
you to control which policy will be used when both an MDM policy and an equivalent Group
Policy setting are set on a device. When the ControlPolicyConflict policy is set to 1, the MDM
policy is used and the Group Policy setting is blocked. You would configure the
ControlPolicyConflict policy setting to ensure that the MDM policy overrides Group Policy.
You would not use the Update Compliance component of Windows Analytics to meet the
goal of the scenario. Update Compliance has been replaced by Windows Update for Business
reports. Windows Update for Business reports will not meet the goal of the scenario, although
it is a useful option for reporting after updates have been deployed.
You would not execute a Windows Autopilot Reset using Intune. This would remove all
applications, settings, and files from the devices.
You would not compare baselines with the Security Compliance Toolkit (SCT). This would
compare the current GPOs with Microsoft-recommended baselines, which does not meet the
goal of this scenario.
Objective:
Deploy Windows client
Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot
References:
Windows 10 Group Policy vs. Intune MDM Policy who wins? | Microsoft Learn
You must turn on the remote device and make sure it is not in
sleep/hibernate mode.
(Correct)
Explanation
You need to manage several configuration settings to allow the use of the Microsoft
Remote Desktop client app. You must switch the remote device on; enable the
Remote Desktop connection feature; ensure that, if a firewall is being used, it allows
Remote Desktop connections; and set permissions to connect to the device. (The
user needs to be on the list of users for the device and know the username and
password.)
A LAN (local area network) connection to the device is not required, because the
Microsoft Remote Desktop client app can be used over a LAN, a WAN, Wi-Fi, and the
internet.
Question 2:
On a Windows 11 PC, you can use the Settings app to pause both feature updates
and quality updates. What is the maximum pause time period that you can select?
15 days
20 days
7 days
35 days
(Correct)
Explanation
Windows 11 update options include a Pause Updates feature to pause both feature
updates and quality updates. You can set the pause period to a maximum of 35
days, although you can select other time periods.
Question 3:
Windows 11 comes in several versions. Which business-oriented version supports
high-end hardware devices for enhanced performance?
Windows 11 Enterprise
(Correct)
Windows 11 Pro
Windows 11 Education
Explanation
Windows 11 Pro for Workstations is designed for businesses that have advanced
data needs and that are using high-performance workstations. It provides speed,
corruption repair, and increased processing power to cope with heavy data
processing demands.
Explanation
The Windows 11 boot loader is made up of three main components: the Windows
Boot Manager (Bootmgr.exe), the Windows Resume Loader (Winload.exe), and the
Windows Operating System Loader (Winresume.exe).
When you start a Windows 11 device, the Windows Boot Manager is loaded first.
Then it reads the boot configuration data, which is part of the boot process but is not
considered one of the main components of the boot loader architecture.
The Windows Boot Manager then invokes the Windows operating system loader. If
the boot configuration data indicates that the device was in a hibernation state when
it was shut down, the Windows Resume Loader is initiated instead.
Question 5:
You are upgrading a PC to Windows 11. Your installation media contains an old
Windows 11 system image. How should you ensure that your PC will apply all
missing Windows 11 updates?
Download the most recent feature update and the most recent quality
update.
(Correct)
All the other answers are incorrect because you do not need to install multiple
previous releases or the creator updates. Also, you cannot just install the last
update. Because two different update types are available, you need to install both the
latest feature update and the latest quality update for the device to be fully up to
date.
Question 6:
The Microsoft Remote Desktop client allows a Windows device to connect to
another Windows device remotely by using a WAN, a LAN, Wi-Fi, or the internet.
You attempt to connect to a remote computer on your local network by using
Remote Desktop Connection, but the connection fails. You successfully ping the
device. Which of the following are possible causes of the connection failure?
Explanation
The Microsoft Remote Desktop client app manages and facilitates a remote session
from one Windows device to another. However, if the device you are trying to connect
to is in sleep mode or hibernating, the connection attempt does not work.
The question indicates that ping has been used to successfully connect to the
remote PC, and you know that if the operating system responded to the ping request,
the device is turned on.
To ensure that a connection is possible, you should troubleshoot to ensure that the
remote PC has not disabled Remote Desktop and that the Deny Logon Through
Remote Desktop Services user rights assignment policy has not been configured to
restrict access.
Question 7:
During an in-place upgrade, a backup of the existing Windows version will be
automatically made before Windows 11 is installed. The backup is stored in a folder
called Windows.old and can be used to restore the computer to the previous
version of Windows. You may want to copy the Windows.old folder to an external
hard drive before deleting it to free up space. Where can you find the Windows.old
folder?
C:\Recovery\Windows.old
C:\Windows.old
(Correct)
C:\Windows\Windows.old
C:\Program Files\Windows.old
Explanation
The Windows.old folder contains the old Windows system that Windows 11 has
replaced.
During an in-place upgrade, Windows Setup creates the folder and saves files and
data from the existing Windows installation so that you can use this data to perform
a rollback if you have an issue with the Windows 11 upgrade.
The folder is automatically created on the main hard drive partition of the computer
(usually the C drive) in the root folder. Therefore, C:\Windows.old is the location for
the folder. All the other answers are incorrect.
Question 8:
Your organization needs to ensure that certain devices do not receive Windows 11
feature updates. Which of the following is the most appropriate servicing channel
for these devices?
Semi-Annual Channel
(Correct)
The only way to block feature updates is to have these devices installed with the
Long-Term Servicing Channel image. They will, however, still receive quality updates.
The Semi-Annual Channel and the Windows Insider Program do not allow updates to
be blocked, only deferred, so these answers are incorrect.
Question 9:
What configuration information does the Microsoft Remote Desktop client need to
connect to a remote Windows 11 device on the same network?
IP address
(Correct)
Computer name
(Correct)
Network location
MAC address
Explanation
When using the Microsoft Remote Desktop client app, during the connection setup
phase the user is prompted to enter the name or IP address of the device to which to
connect.
All the other answers are incorrect. Although they refer to location identifiers that
can be used to locate the remote device, the Microsoft Remote Desktop client app
does not use them.
Question 10:
Windows 11 uses the Windows-as-a-service model to regularly push updates to
Windows 11 devices. In an enterprise environment, administrators can use
Windows Server Update Services (WSUS) to manage updates. What can WSUS do?
Defer updates
(Correct)
Block updates
Explanation
Administrators can use Windows Server Update Services (WSUS) to manage
Windows 11 updates. You can set up a WSUS server to centrally manage and deploy
updates to Windows 11 devices. WSUS allows administrators to defer updates, add
an approval layer for updates, and create deployment rings. You cannot use WSUS to
block Windows 11 feature or quality updates.
Question 11:
What is the quickest way to check whether the latest Windows 11 feature update
has been successfully installed?
Explanation
The Update History feature in the Settings app displays a list of updates that have
been applied to a Windows 11 device. Update History shows whether an update has
installed correctly and provides detailed information about each update. Viewing this
information is a quick and easy way to check that all updates have installed
correctly.
Question 12:
You plan to use the Windows Fresh Start tool to perform a clean installation of
Windows 11. Your colleague asks you how the tool works. Which of the following
statements are correct?
The tool removes only third-party apps; any Microsoft apps are retained.
The tool removes all apps, including Microsoft apps that are not included
with Windows 11.
(Correct)
The tool removes all personal files, so you must back them up before using
the tool.
The Microsoft Edge app is not removed when using this tool.
(Correct)
Any customized hardware settings are preserved; the tool does not change
them to Microsoft defaults.
Explanation
The RefreshWindowsTool.exe tool can install a clean version of Windows 11 Home
or Windows 11 Pro.
The Windows Fresh Start tool removes all nonstandard Windows 11 apps, including
Microsoft apps such as Office. However, apps that are included as standard with
Windows 11, such as Microsoft Edge, are unaffected. Using the tool may also
remove digital licenses for third-party apps, which can cause problems when
accessing these purchased apps in the future.
• The tool removes only third-party apps; any Microsoft apps are retained. This
is incorrect because the tool also removes any nonstandard Windows 11
apps, including Microsoft apps.
• The tool removes all personal files, so you must back them up before using
the tool. This is incorrect because you have an option when using the tool to
retain personal files. However, it is a good idea to perform a backup before
using the tool.
• Any customized hardware settings are preserved; the tool does not change
them to Microsoft defaults. This is incorrect because hardware settings (for
example, Power and Sleep settings) may be changed back to the Microsoft
default settings.
Question 13:
You can use the Microsoft Remote Desktop client to access or control a Windows
11 computer remotely. Which of the following allows you to connect to the remote
device?
WAN
(Correct)
LAN
(Correct)
Wi-Fi
(Correct)
Internet
(Correct)
VPN
(Correct)
Explanation
The Microsoft Remote Desktop client is designed as remote-control software. The
client app is used by both the computer that is connecting to a remote device and
the remote device. The Microsoft Remote Desktop client app manages and
facilitates the remote access session. You may want to connect to a remote device
so that you can use the device for work, to perform administrative tasks, or to
provide support and assistance for an end user.
You can connect to a remote device by using a local area network (LAN), a wide area
network (WAN), Wi-Fi, a VPN, or an internet connection.
Question 14:
Which of the following methods can you use to change the language of a Windows
11 device from English to German?
Change the keyboard language settings for the device by using the Settings
app.
Install a local experience pack you can download from the Microsoft Store.
(Correct)
Explanation
To change the current language of Windows 11, you can use the Time & Language
area of the Settings app to download and install a language pack. Once you have
installed the language pack, you can use the Settings app to set the new language as
the default.
In addition, you can download and use a local experience pack from the Microsoft
Store. When using a local experience pack, you can deploy new languages to a
Windows 11 device. You can also use local experience packs when creating a
Windows 11 image to add specific languages as part of a deployment.
Finally, you can use a provisioning package to change the language of Windows 11.
Provisioning packages configure a device so you do not need to re-image it. You can
use provisioning packages to manage settings such as language and Wi-Fi, to
configure shared usage, and to enroll a device in Azure Active Directory.
Question 15:
Microsoft uses NTFS for Windows 11. You can set NTFS permissions to control and
manage access to the files and folders stored on data drives formatted using NTFS.
Select the two missing permissions that complete the following statement:
Permissions include Full Control, _______, Read & Execute, List Content Folders,
________ and Write.
Traverse
Partial Control
Read Only
Read
(Correct)
Modify
(Correct)
Delegate
Explanation
The full list of NTFS permissions is Full Control, Modify, Read and Execute, List
Content Folders, Read, and Write. Therefore, the two permissions missing in the
question are Modify and Read.
Question 16:
Windows 11 needs to be deployed on 1,000 bare-metal devices. You need to
recommend the most suitable installation method that also reduces the
administrative effort involved in completing the deployment. Which of the following
do you choose?
Device Refresh
Media Install
Device Migration
System Image
(Correct)
Explanation
A bare-metal device is a computer that has been supplied with no operating system
installed. You cannot use Device Refresh on a computer that does not have an
operating system installed.
You may need to use Device Migration to move files and settings from an older
device to the new bare-metal device after Windows 11 has been installed. However,
this does not perform the Windows 11 installation itself, so you cannot use this
option for the deployment.
You could use the Install Media option, but because this requires someone to sit at
each device and manually perform each upgrade, it is not an efficient method of
deployment for 1,000 computers.
From the options available, the most suitable and efficient method to deploy
Windows 11 to 1,000 bare-metal devices is to use the System Image method.
Question 17:
User data from a Windows 7 device has been copied to an external hard drive. You
will perform a clean install of Windows 11 to the Windows 7 device. Next, the user
data will be copied back to the upgraded machine. What is the name for this type of
user data migration?
Side-by-side migration
In-place upgrade
Dynamic provisioning
Wipe-and-load migration
(Correct)
Explanation
Wipe-and-load migration is the name for the process of copying user data and
settings from a device that is already running a version of Windows. The device is
then upgraded to Windows 11, and the user data and settings are copied back to the
upgraded device. With this type of migration, the source and destination devices are
the same.
Question 18:
Skipped
You can use the Settings app to manage updates for Windows 11 devices, including
pausing updates. If the Pause Updates option is used with the default setting,
which type of updates will be paused, and for how long will they be paused?
(Correct)
Reset This PC
(Correct)
(Correct)
• Diagnostics and Recovery Toolset (DaRT): You use this to identify and fix
operating system problems. It does not include an option to reinstall Windows
11.
• System Restore Point: You use this to roll back the device to a previous state
after updates. It does not include the option to fully restore Windows 11.
However, when you use the System Restore Point feature, personal files are
not affected.
• Windows 11 Installation Media: You can use installation media to complete a
full reinstall of Windows 11, but this does not allow you to retain personal
data files. You would need to back up these files first and then copy them
back to the computer after Windows 11 is running again.
Question 20:
Skipped
The Activation Troubleshooter tool is provided in the Settings app to help resolve
Windows 11 activation issues. Where can you locate the troubleshooting tool within
the Windows 11 Settings app?
(Correct)
Accounts
System
Devices
Explanation
The Activation Troubleshooter tool is in the Update & Security area of the Settings
app. This area is dedicated to managing licensing, updates, and Windows security.
Note that Update & Security is the Windows 10 layout; in the Windows 11 Settings
app the Activation page (and the troubleshooter on it) lives under System >
Activation, and Windows Update is a separate top-level area.
• The Accounts area is for managing sign-in options and user accounts.
• The System area is used to manage device hardware settings.
• The Devices area is used to manage input device settings such as touchpad,
mouse, and keyboard settings.
Question 21:
Skipped
When managing multiple Windows 11 devices in a corporate environment, you
might want to block the use of the local Windows 11 administrator account on
devices. What methods prevent the administrator account from being used?
(Correct)
(Correct)
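One of the methods this question points at is disabling the built-in local Administrator account. The script below is an added example, not part of the original question bank: it locates that account by its well-known relative ID (500) rather than by name, because the account may have been renamed, refuses to act if no other administrator would remain, and then disables it. It assumes an elevated PowerShell session on a Windows 11 device.

```powershell
# Added example: disable the built-in local Administrator account safely.
# Run in an elevated PowerShell session on Windows 11.

# RID 500 is always the built-in Administrator, whatever it is currently called.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Built-in Administrator account (RID 500) not found.' }

# Collect every other usable member of the Administrators group so we never
# lock the device out of administration entirely.
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID -ne $builtin.SID } |
    ForEach-Object {
        if ($_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local') {
            # Local users can be checked for Enabled; skip disabled ones.
            Get-LocalUser -SID $_.SID | Where-Object Enabled
        } else {
            # Domain users/groups (e.g. Domain Admins) cannot be checked here; count them.
            $_
        }
    }

if (-not $otherAdmins) {
    throw "Refusing to disable '$($builtin.Name)': no other administrator would remain."
}

if ($builtin.Enabled) {
    Disable-LocalUser -SID $builtin.SID
    Write-Host "Disabled built-in administrator '$($builtin.Name)'."
} else {
    Write-Host "Built-in administrator '$($builtin.Name)' is already disabled."
}

# Verify: Enabled must now be False for RID 500.
Get-LocalUser -SID $builtin.SID | Select-Object Name, Enabled, SID
```

For a fleet, the same change is applied centrally with the Group Policy setting "Accounts: Administrator account status" or the equivalent Intune security baseline rather than by running this on each device; the script is useful for verifying that the policy actually took effect.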
Fingerprint
(Correct)
PIN
(Correct)
Picture password
Facial scan
(Correct)
Explanation
Windows Hello supports fingerprint, facial recognition, and PIN sign-in. The PIN is
not a biometric: it is a device-bound credential, and Windows requires you to set one
up before enrolling a fingerprint or face so that it can serve as the fallback when
the biometric sensor fails. Hello credentials are tied to the device (and its TPM,
where present) and are never sent over the network the way a password is. A picture
password is a separate legacy sign-in option and is not part of Windows Hello.
Question 23:
Skipped
User Account Control (UAC) ensures that all standard tasks and apps run using a
non-administrator account. A standard user is logged in to a device and needs to
make a system change. How should the user complete this task?
When the UAC prompt appears, sign out and then sign back in using an
administrator account.
When the UAC prompt appears, ask for permissions on the standard user
account to be temporarily changed.
When the UAC prompt appears, enter the username and password for an
administrator account.
(Correct)
Explanation
User Account Control (UAC) is a core security feature of Windows 11. UAC ensures
that everyday standard tasks and apps are run using a non-administrator account.
When a standard user attempts a change that needs administrator rights, the UAC
prompt asks for the username and password of an administrator account; only that
one task then runs elevated, and the user's own session remains a standard one.
Standard users do not need to log out and back in again using a different account,
and they do not need to switch profiles or ask for the permissions for the standard
user account to be temporarily changed. These answers are incorrect.
Question 24:
Skipped
Windows 11 includes User Account Control (UAC). Which of the following
statements describe the benefits of UAC?
(Correct)
(Correct)
Explanation
User Account Control (UAC) is a core security feature of Windows 11. UAC ensures
that everyday standard tasks and apps run using a non-administrator account. This
means that if a device is infected, there will be no access to administrator-level
permissions, so damage caused by malware can be stopped or restricted.
User Account Control is not an administrative interface that can manage passwords
for users or block access to user accounts; therefore, these answers are incorrect.
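The protection described in Questions 23 and 24 only holds while the UAC policy values keep their secure settings; all of them live in one registry key and can be weakened by a local administrator or by a careless GPO. The script below is an added example (not from the original question bank) that reads those values and flags the ones that undermine the behaviour described above. It is read-only and runs as a standard user; the value names are the real policy values under that key, and the "weak" settings are the ones the author of this edit considers dangerous.

```powershell
# Added example: audit the local UAC policy values for weak settings.
function Test-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    $rules = @(
        @{ Name = 'EnableLUA';                  Weak = @(0)
           Note = '0 turns UAC off: every process of an admin user runs fully elevated' }
        @{ Name = 'ConsentPromptBehaviorAdmin'; Weak = @(0)
           Note = '0 elevates administrators with no prompt at all (5 is the OS default)' }
        @{ Name = 'ConsentPromptBehaviorUser';  Weak = @()
           Note = '0 silently denies standard users; 1 or 3 prompt for admin credentials as in Q23' }
        @{ Name = 'PromptOnSecureDesktop';      Weak = @(0)
           Note = '0 shows the prompt on the normal desktop, where other windows can overlay it' }
    )

    foreach ($r in $rules) {
        $actual = $p.($r.Name)                    # $null when the value is absent
        if ($null -eq $actual)               { $verdict = 'not set (OS default applies)' }
        elseif ($r.Weak -contains $actual)   { $verdict = 'WEAK' }
        else                                 { $verdict = 'ok' }

        [pscustomobject]@{
            Setting = $r.Name
            Actual  = $actual
            Verdict = $verdict
            Note    = $r.Note
        }
    }
}

$result = Test-UacPolicy
$result | Format-Table -AutoSize
if ($result | Where-Object Verdict -eq 'WEAK') {
    Write-Warning 'One or more UAC settings are weakened; malware running as the user could elevate silently.'
}
```

Running this across a fleet (for example through a remoting session or as a compliance script) is a quick way to confirm that the defaults the explanation relies on have not been overridden.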
Question 25:
Skipped
With Windows 11 you can use share and NTFS permissions on files and folders.
When you use share and NTFS permissions together, which of the following
statements is true when a permission conflict occurs?
(Correct)
Share permissions always have precedence over NTFS permissions.
Explanation
When you are using only NTFS permissions, all files and folders adhere to the NTFS
permission rules that have been set. When you are using only share permissions, all
files and folders adhere to the share permissions that have been set. However, when
you are using the two systems together, you need a way to deal with permission
conflicts. Windows resolves a conflict by applying the most restrictive of the two
effective permissions, regardless of whether it is the NTFS permission or the share
permission. (Share permissions only apply to access over the network; a user who
signs in locally is governed by the NTFS permissions alone.)
This means the answers NTFS permissions always have precedence over share
permissions, Permissions granted on higher, root-level folders take precedence over
lower-level folder permissions, and Share permissions always have precedence over
NTFS permissions are all incorrect.
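The usual way to put the rule in Questions 15 and 25 into practice is to grant a permissive share permission and let the NTFS ACL do the real gating, so that there is only one place to audit. The script below is an added example (not from the original question bank) that creates a folder, grants NTFS Modify to one local group and Read & Execute to another, and shares it with Full Control for Authenticated Users; the folder path, share name, and group names are invented, and it assumes an elevated PowerShell session on Windows 11.

```powershell
# Added example: NTFS ACL does the gating, share permission stays permissive.
$Path      = 'C:\Shares\ProjectData'
$ShareName = 'ProjectData'
$Editors   = "$env:COMPUTERNAME\ProjectEditors"
$Readers   = "$env:COMPUTERNAME\ProjectReaders"

# Create the example local groups if they do not exist yet.
foreach ($g in 'ProjectEditors', 'ProjectReaders') {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $g -Description 'Example group for NTFS/share demo' | Out-Null
    }
}
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Helper: an Allow ACE that applies to this folder, its subfolders and files.
function New-FolderAce {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

# Start from a clean ACL: break inheritance from C:\ and drop the inherited ACEs.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-FolderAce 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-FolderAce $Editors 'Modify'))          # Modify = Read & Execute + Write + Delete
$acl.AddAccessRule((New-FolderAce $Readers 'ReadAndExecute'))  # implies Read and List Folder Contents
Set-Acl -Path $Path -AclObject $acl

# Share permission: Full Control to Authenticated Users. Over the network the
# effective right is the MORE restrictive of share and NTFS, so ProjectReaders
# still end up with read-only access.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

# Review both layers.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags |
    Format-Table -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

Note that Full Control on the share is safe only because the NTFS ACL has no ACE for Authenticated Users; a user who is not in either group gets no access at all, which is the "most restrictive wins" rule in action.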
Question 26:
Skipped
When using Windows 11 local accounts, you can manage permissions by using
local groups so that any user assigned to a group inherits the permissions of that
group. Which of the following, by default, are members of the Users group?
Power users
Domain users
(Correct)
Authenticated users
(Correct)
Interactive groups
(Correct)
Explanation
In Windows 11, some user accounts are preassigned to groups. For example, the
Administrator user account is a default member of the Administrators group.
Domain Users (on a domain-joined device), Authenticated Users, and the built-in
INTERACTIVE identity are members of the Users group by default.
However, guest accounts and power users do not belong to the Users group. Guest
accounts belong to the Guests group, and Power Users is a legacy group from
previous versions of Windows that has no special rights by default. You can give
this group rights again in Windows 11 by applying a security template.
Question 27:
Skipped
When using the Windows 11 Settings app to create a Wi-Fi profile, you need to
include the network name, the security type, and the __________.
Security key/password
(Correct)
Encryption key
Windows Hello
Timestamp
Explanation
Using a Wi-Fi profile allows you to preconfigure a Windows 11 device so that it can
automatically connect to a specific Wi-Fi network at some point in the future.
Settings that you need to configure for the Wi-Fi profile include the network name, a
security type to be used for the connection, and a security key/password.
Question 28:
Skipped
You need to deploy a customized Windows 11 Start screen layout to several
Windows 11 devices. Which of the following methods allow you to deploy a
customized Windows 11 Start screen layout to several Windows 11 devices?
Group Policy
(Correct)
PowerShell
(Correct)
Provisioning package
(Correct)
Explanation
In a corporate environment, you can control the Start screen layout by creating a
customized Start screen on a test computer. You can then export this layout to other
devices. On Windows 10 the layout is exported as an .xml file; on Windows 11,
Export-StartLayout writes a JSON file (LayoutModification.json), and the Windows 10
.xml format is not applied.
You can deploy this layout file to devices either by using Group Policy, as a Windows
Configuration Designer provisioning package, or by deploying the file using a
mobile device management (MDM) service, such as Microsoft Intune.
However, although you will use the PowerShell cmdlet Export-StartLayout to create
the layout file, you cannot use PowerShell to deploy a customized Start screen layout.
Question 29:
Skipped
On a Windows 11 device, PowerShell has been launched via the Command Prompt,
using a standard user account. The remoting features of PowerShell are not
available, but you need to access these features.
Launch PowerShell by using the Start menu and not the Command Prompt.
(Correct)
Disk encryption
Encryption
(Correct)
Device encryption
Data encryption
BitLocker encrypts whole volumes, including the Windows 11 system volume, so the
files, applications, and application data on the drive are unreadable without the
key. It protects data at rest: if a device is lost or stolen, or its drive is
removed and attached to another computer, the data cannot be copied or read. It
does not protect a running, unlocked system from malware or from an attacker who
is already signed in.
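The protection just described depends on two things being true on every device: the key is sealed to the TPM so the drive only unlocks on the boot path you expect, and a recovery password is escrowed somewhere other than the device itself. The script below is an added example (not from the original question bank) that checks the OS volume, enables BitLocker with a TPM protector if it is off, adds a recovery password, and backs that password up to Active Directory. It assumes a TPM-equipped, domain-joined Windows 11 Pro or Enterprise device with the AD BitLocker recovery schema in place, and an elevated session; for Azure AD-joined devices the backup cmdlet is BackupToAAD-BitLockerKeyProtector instead.

```powershell
# Added example: enable BitLocker on C: with a TPM protector and escrow recovery.
$MountPoint = 'C:'

$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw 'No ready TPM: a TPM protector cannot be used on this device.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # XTS-AES 256 for the OS volume. -UsedSpaceOnly is fine for a fresh install;
    # omit it on a drive that already held sensitive data, because free space
    # still contains old plaintext blocks.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}

# A recovery password is mandatory: a firmware update or boot-order change
# alters the TPM measurements and the drive will refuse to unlock without it.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow every recovery password to AD DS; a copy that lives only on the
# encrypted device is no recovery at all.
foreach ($k in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $k.KeyProtectorId | Out-Null
}

# ProtectionStatus 'On' means the TPM is actually guarding the key; a volume that
# is encrypted but shows 'Off' (protectors suspended) is readable by anyone.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod
```

Check the last line's ProtectionStatus after any maintenance that runs Suspend-BitLocker; a device left suspended is the most common way a "fully encrypted" drive ends up unprotected.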
Question 31:
Skipped
Review the following scenario:
In the office location, DHCPv4 is used to assign an IPv4 address, and in the
home location, an IPv4 address is entered manually for the static IP
address.
In the office location, DHCPv4 is used to assign an IPv4 address, and in the
home location, an alternate configuration is used to support the static IP
address.
(Correct)
In the office location, an IPv4 address is entered manually, and in the home
location, Automatic Private IP Addressing is used to support the static IP
address.
Explanation
You can configure a Windows 11 device to use an alternate IP addressing
configuration when a DHCP server is unavailable. This means you can use DHCPv4
in a corporate office environment to dynamically obtain IPv4 addresses from a
DHCP server. However, when no DHCP server is available, Windows applies the
alternate configuration instead. The alternate configuration can specify an APIPA
address or a static IP address. This happens automatically, without input from the
end user, which is why the correct answer is DHCPv4 in the office and an alternate
configuration for the static address at home.
The scenario provided in the question requires a static IP address, whereas in some
scenarios, a home router may also provide DHCP services, which would allow the
laptop to obtain a dynamic IP address at home as well.
Question 32:
Skipped
Which of the following tunneling protocols does the built-in VPN client use in
Windows 11 Enterprise?
IKEv2
(Correct)
SSTP
(Correct)
L2TP
(Correct)
PPTP
(Correct)
OpenVPN
Explanation
Windows 11 Enterprise includes a built-in VPN client that can use several tunneling
protocols: Internet Key Exchange version 2 (IKEv2), L2TP/IPsec, Secure Socket
Tunneling Protocol (SSTP), and PPTP. The built-in VPN client does not support the
OpenVPN protocol; that requires a third-party client. PPTP remains only for
compatibility: its MS-CHAPv2 authentication is broken and it should not be used for
new deployments, so prefer IKEv2 or SSTP.
Question 33:
Skipped
You can set up Windows 11 devices to use a virtual private network (VPN). A VPN
allows secure connections to be made to a corporate network when an end user is
connecting from an external location. Which of the following is a mandatory
requirement when using the Windows 11 VPN feature?
A VPN provider
A VPN profile
(Correct)
Explanation
Before you can connect a Windows 11 device to a virtual private network (VPN), you
need to create a VPN profile. The VPN profile includes information such as the
server name, VPN type, and sign-in type.
A VPN provider is not required because one is built in to Windows 11. Some service
providers may use a VPN app, but this is not always the case, and it is not a
requirement. Also, a third-party Win32 app is not required because Windows 11
provides a fully working VPN platform.
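The VPN profile in Question 33 is where the protocol choice from Question 32 is fixed, and it is also where the IPsec proposal can be tightened. The script below is an added example (not from the original question bank) that creates a profile for the built-in client using IKEv2 with machine-certificate authentication and pins the IPsec proposal to current cipher suites. The server name is a placeholder, the machine certificate is assumed to be installed already, and creating an all-user profile requires an elevated session.

```powershell
# Added example: IKEv2 VPN profile with a restricted IPsec proposal.
$Name   = 'Corp VPN (IKEv2)'
$Server = 'vpn.corp.example'      # placeholder, not a real endpoint

if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -AllUserConnection -Force
}

# MachineCertificate avoids password-based auth entirely; EncryptionLevel Required
# refuses to connect if the server will not encrypt.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -AllUserConnection -Force

# The default proposal accepts legacy algorithms for compatibility. Pin it to
# AES-256-GCM / SHA-256 / ECP384 so a hostile or misconfigured server cannot
# negotiate the connection down.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup ECP384 `
    -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup ECP384 -Force

# Review: SplitTunneling should be False unless you deliberately want local
# network traffic to bypass the tunnel.
$vpn = Get-VpnConnection -Name $Name -AllUserConnection
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
$vpn.IPsecCustomPolicy
```

The same profile can be pushed to every device from Intune as a VPN configuration profile; doing it in PowerShell first is a convenient way to confirm the server accepts the restricted proposal before rolling it out.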
Question 34:
Skipped
You are troubleshooting a device running Windows 11 Pro. The user reports that it
is slow to boot. You log on to the device as an administrator. Task Manager shows
many programs on the Startup tab. You decide to remove some of the apps from
the startup process. Which of the following startup apps can you not remove or
disable?
(Correct)
(Correct)
(Correct)
When many apps are automatically started on bootup, a device may run slowly.
Removing some of the apps from startup can speed up the boot process. You
cannot disable or remove apps from the startup process that are associated with
sound, network, and video devices.
Question 35:
Skipped
Which of the following management tools can you use to manage update settings
for Microsoft Edge in conjunction with Microsoft Intune?
Group Policy
(Correct)
(Correct)
All the other answers are incorrect because an internet service provider is required
only when connecting to the internet, Automatic Private IP Addressing is used when
a DHCP server is unavailable, and a Domain Name System server resolves names to
IP addresses and is not used to configure automatic IP address assignment.
Question 37:
Skipped
Group Policy is being used to manage security settings for users. However, one
policy is not being applied as expected. Upon evaluation, you notice that no user
security settings are being applied. You need to troubleshoot the issue. Which of
the following is a possible cause of the problem?
(Correct)
The issue is not being caused by other user-related security settings because the
question explains that no user-related security settings are being applied. Also, user-
related security settings can, in fact, be implemented using Group Policy.
Question 38:
Skipped
You can use the Microsoft Azure Backup tool with Windows 11 client devices to
back up data to the cloud. What is the name for the storage area that you need to
create first in Microsoft Azure?
Backup partition
Backup directory
Backup container
(Correct)
Explanation
Before using Azure Backup to back up either a Windows server or Windows 11 client
devices, you need to create an area to store files and folders. This area is known as a
Recovery Services vault.
The vault acts as a container for data, but container is not the correct name for the
storage area. The answers directory and partition are also incorrect because these
are not the storage types that need to be created to use the Azure Backup tool.
Question 39:
Skipped
When a user’s Windows 11 laptop is being used in the office, DCHPv4 dynamically
allocates IPv4 addresses. An alternate configuration using a static IP address is
used when the device is at home. The user reports not being able to access the
internet while at work. You troubleshoot the device. The following information is
available:
• The laptop is currently in the office location.
• The current IP address is 169.254.12.4.
The laptop has not been properly configured to be used in the home
location.
(Correct)
Explanation
The Windows 11 feature Automatic Private IP Addressing (APIPA) takes over when a
DHCP server is not available. This means that DHCPv4 can be used in a corporate
office environment to dynamically obtain IPv4 addresses from a DHCP server.
However, when no DHCP server responds, APIPA self-assigns a link-local address in
the 169.254.0.0/16 range. This is not a static address, and it comes with no default
gateway or DNS server, which is why internet access fails.
The 169.254.12.4 address is also the clue to the answer. Had the alternate
configuration been set to the intended home static address, a DHCP failure would
have produced that static address rather than an APIPA one. An APIPA address
therefore shows that the alternate configuration was left at its default (Automatic
private IP address), so the home configuration was never completed. In the office,
the DHCP server also could not be reached; renewing the lease is the first
troubleshooting step.
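The diagnosis above can be made in a few commands. The script below is an added example (not from the original question bank) that lists IPv4 interfaces which have fallen back to an APIPA address, shows whether DHCP is enabled on them and whether a default gateway exists, and then renews the lease. It runs on any Windows 11 device; only the renew step needs an elevated session.

```powershell
# Added example: find interfaces stuck on an APIPA address and renew them.
function Get-ApipaInterface {
    # An APIPA address is self-assigned (SuffixOrigin Link) and never comes with a gateway.
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like '169.254.*' -and $_.SuffixOrigin -eq 'Link' } |
        ForEach-Object {
            $if = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
            $gw = Get-NetRoute -InterfaceIndex $_.InterfaceIndex -DestinationPrefix '0.0.0.0/0' `
                      -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Interface      = $_.InterfaceAlias
                Address        = $_.IPAddress
                DhcpEnabled    = $if.Dhcp          # Enabled => DHCP was attempted and failed
                DefaultGateway = if ($gw) { $gw.NextHop } else { '(none)' }
            }
        }
}

$apipa = Get-ApipaInterface
if (-not $apipa) {
    'No APIPA addresses: DHCP, a static address, or an alternate configuration is in effect.'
    return
}
$apipa | Format-Table -AutoSize

# DHCP enabled + APIPA address = no lease was obtained. Either the DHCP server is
# unreachable or the alternate configuration was left at "Automatic private IP
# address" instead of the intended static one. A renew settles the first case.
foreach ($a in $apipa) {
    if ($a.DhcpEnabled -eq 'Enabled') {
        ipconfig /renew "$($a.Interface)" | Out-Null
    }
}

# Empty output here means a lease was obtained; a remaining entry points at the
# DHCP server or the link, not at the client's configuration.
Get-ApipaInterface | Format-Table -AutoSize
```

If the renew succeeds in the office, the remaining task is the one the answer identifies: open the adapter's IPv4 properties and fill in the Alternate Configuration tab with the home static address so the next DHCP failure at home lands on that address rather than on 169.254.x.x.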
Question 40:
Skipped
With a 64-bit edition of Windows 11, how are registry entries stored?
In 32-bit keys
In 32-bit keys and 64-bit keys
(Correct)
In 64-bit keys
On a 64-bit edition of Windows 11, 64-bit applications use the native keys, while
32-bit applications are transparently redirected to a separate copy under
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node. Redirected keys therefore exist
physically in both the 32-bit location and the 64-bit location. Some keys are
instead shared: a single physical key that both 32-bit and 64-bit applications see.
An edition of 64-bit Windows 11 does not store all keys as 32-bit, all keys as 64-bit,
or a mixture of 16-bit, 32-bit, and 64-bit keys; therefore, all these answers are
incorrect.
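The redirection described above matters for anyone auditing a machine: a 32-bit tool that reads HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is silently shown the WOW6432Node copy, so an autostart entry in the native 64-bit key is invisible to it, and the reverse holds for a 64-bit tool. The script below is an added example (not from the original question bank) that opens the Run key through both registry views with the .NET RegistryKey API and reports entries that exist in only one of them. It is read-only and runs as a standard user.

```powershell
# Added example: enumerate the per-machine Run key through both registry views.
function Get-RunEntriesBothViews {
    param([string]$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run')

    foreach ($view in [Microsoft.Win32.RegistryView]::Registry32,
                      [Microsoft.Win32.RegistryView]::Registry64) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key = $base.OpenSubKey($SubKey)
            if (-not $key) { continue }

            # Where the view's copy of this path physically lives.
            if ($view -eq 'Registry32') {
                $physical = "HKLM\SOFTWARE\WOW6432Node\$($SubKey.Substring('SOFTWARE\'.Length))"
            } else {
                $physical = "HKLM\$SubKey"
            }

            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    View     = $view
                    Name     = $name
                    Command  = $key.GetValue($name)
                    Physical = $physical
                }
            }
        } finally {
            $base.Dispose()
        }
    }
}

$entries = Get-RunEntriesBothViews
$entries | Sort-Object Name, View | Format-Table -AutoSize

# Entries seen in only one view are exactly the ones a single-architecture
# audit tool would miss.
'--- present in only one view ---'
$entries | Group-Object Name | Where-Object Count -eq 1 |
    ForEach-Object { $_.Group } | Format-Table Name, View, Physical -AutoSize
```

Rather than remembering the WOW6432Node path by hand, always open the base key with an explicit RegistryView when writing audit or detection code; that way the same script gives the same answer whether it is run from a 32-bit or a 64-bit host process.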
Question 41:
Skipped
The Windows 11 Performance Monitor tool allows you to view system performance
information. You need to add counters to measure specific performance aspects.
Which subcomponent of the Performance Monitor tool should you select?
Reports
Event Logs
Performance Monitor
(Correct)
Explanation
The Performance Monitor tool includes the Performance Monitor, Data Collector
Sets, and Reports subcomponents. It does not include Event Logs, so this answer is
incorrect.
You use Performance Monitor to add counters to instruct the tool to collect specific
performance data. This is the correct answer.
Data Collector Sets is a saved set of performance counters that combines data into
a single collection. The Reports feature is used to generate reports from Data
Collector Sets. Therefore, neither of these two answers is correct.
Question 42:
Skipped
You manage a small network, and Windows 11 devices are configured to share
resources in a workgroup environment. You have implemented several Windows 11
configuration changes by using a local group policy. What is the scope of these
changes?
Settings will be changed on all devices that are in the same on-premises
domain.
(Correct)
Local Group Policy applies only to the device on which it is configured; it is not
replicated to other workgroup members. To manage multiple on-premises devices with
one policy, you need to use Group Policy in an Active Directory domain environment.
(Correct)
If you want to allow users to use just one username and password to access both
cloud and on-premises services, you can join Windows 11 devices as hybrid Azure
AD joined devices to use functionality of both Azure AD and Active Directory.
Azure AD hybrid joined devices do not have access to only on-premises services or
only cloud services; such devices exist in both the cloud and on-premises at the
same time.
Question 44:
Skipped
Windows 11 allows you to use Wi-Fi profiles to preconfigure Wi-Fi network
connection settings. Say that you need to deploy 2,000 devices with Wi-Fi profiles.
Which of the following are possible solutions?
(Correct)
(Correct)
(Correct)
Explanation
Depending on your IT system setup, you have a few available options when
deploying Wi-Fi profiles to multiple Windows 11 devices. For on-premises systems,
you can use Windows PowerShell or Group Policy. For cloud-based systems, you can
use a mobile device management service through Intune or Windows PowerShell.
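The PowerShell route mentioned for Questions 27 and 44 is built on netsh wlan, which exports a profile (network name, security type, and key) to XML on a reference device and imports it on the targets. The script below is an added example (not from the original question bank) that does both and checks the security type before the file is shipped anywhere. The profile name and paths are placeholders; it needs an elevated session, and it is safe to run end to end on the reference device itself because the import is simply a re-import.

```powershell
# Added example: export a Wi-Fi profile and import it for all users on a device.
$ProfileName = 'CorpWiFi'                       # must already exist on this device
$ExportDir   = "$env:TEMP\wifi-profiles"
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# key=clear writes the passphrase into the XML in plaintext. Without it the file
# is useless on another device, so treat the export directory as a secret:
# keep it off shared locations and delete it as soon as deployment is done.
netsh wlan export profile name="$ProfileName" folder="$ExportDir" key=clear | Out-Null
$xml = Get-ChildItem -Path $ExportDir -Filter '*.xml' | Select-Object -First 1
if (-not $xml) {
    throw "Profile '$ProfileName' was not exported; list names with 'netsh wlan show profiles'."
}

# Sanity-check the security type the profile carries.
[xml]$doc = Get-Content -Path $xml.FullName
$auth = $doc.WLANProfile.MSM.security.authEncryption
"{0}: authentication={1} encryption={2}" -f $ProfileName, $auth.authentication, $auth.encryption
if ($auth.authentication -eq 'open' -or $auth.encryption -in 'none', 'WEP') {
    Write-Warning 'Profile uses an insecure network type; do not deploy it.'
}

# On each target device (after copying the XML there), this is the import step:
#   netsh wlan add profile filename="<path>\CorpWiFi.xml" user=all
netsh wlan add profile filename="$($xml.FullName)" user=all

# Do not leave the plaintext key lying around.
Remove-Item -Path $ExportDir -Recurse -Force
```

For 2,000 devices the same XML is what a Group Policy wireless network policy or an Intune Wi-Fi profile carries; the export step is still useful for capturing a known-good configuration from a reference device.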
Question 45:
Skipped
You need to manually configure a static IPv4 address on a Windows 11 device.
Which of the following settings need to be configured?
IPv4 address
(Correct)
Subnet mask
(Correct)
Default gateway
(Correct)
DHCPv4
DNS server
(Correct)
Explanation
When you are manually managing IPv4 settings, you must configure all of the
following: the IPv4 address, the subnet mask, a default gateway, and a DNS server.
Because you are configuring a static IPv4 address manually, automatic settings are
not used. Therefore, settings for both DHCPv4 and Automatic Private IP
Addressing are not required.
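The four settings listed above map onto two cmdlets. The script below is an added example (not from the original question bank) that replaces a DHCP-assigned configuration on one adapter with a static address, gateway, and DNS servers, then reads all four back. The addresses are placeholders from the 192.0.2.0/24 documentation range and the adapter alias is assumed to be "Ethernet"; it needs an elevated session.

```powershell
# Added example: configure a static IPv4 address on one adapter.
$Alias   = 'Ethernet'
$Address = '192.0.2.50'
$Prefix  = 24                         # /24 == subnet mask 255.255.255.0
$Gateway = '192.0.2.1'
$Dns     = '192.0.2.10', '192.0.2.11'

$adapter = Get-NetAdapter -Name $Alias -ErrorAction Stop

# 1. Turn DHCP off on the interface so a lease is not re-applied later.
Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -Dhcp Disabled

# 2. Remove any existing IPv4 address and default route so they cannot conflict.
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# 3. Address, mask (as prefix length) and gateway in one call; DNS separately.
New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $Address `
    -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $Dns

# 4. Verify all four settings the question lists.
Get-NetIPConfiguration -InterfaceIndex $adapter.ifIndex |
    Select-Object InterfaceAlias,
        @{ n = 'IPv4';    e = { $_.IPv4Address.IPAddress } },
        @{ n = 'Prefix';  e = { $_.IPv4Address.PrefixLength } },
        @{ n = 'Gateway'; e = { $_.IPv4DefaultGateway.NextHop } },
        @{ n = 'DNS';     e = { $_.DnsServer.ServerAddresses -join ', ' } }
```

Step 2 is the one people skip: leaving the old DHCP address in place produces two IPv4 addresses on the interface and a default route that may still point at the old gateway.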
Question 46:
Skipped
You need to manage the real-time performance of your Windows 11 PC. Which
tools can you use to view real-time CPU usage information?
Task Manager
(Correct)
Event Viewer
Resource Monitor
(Correct)
Performance Monitor
(Correct)
Explanation
Windows 11 includes several built-in tools to manage the Windows 11 environment.
You can use the Task Manager tool, Resource Monitor tool, and Performance
Monitor tool to view system performance and the resources that are being used,
such as the CPU.
The other answer is incorrect because you use the Event Viewer to view Windows 11
event logs.
Question 48:
Skipped
You manage 500 Windows 11 devices in your organization. All devices are
connected to your on-premises domain. Which management tool should you use to
modify registry settings if you want to minimize administrative effort and not incur
additional costs?
Microsoft Intune
Group Policy
(Correct)
Microsoft Intune is not the right tool here because it manages only devices that
are enrolled in it (Azure AD joined or hybrid joined), which these domain-joined
devices are not, and because it requires licensing, so it would incur additional
costs. Group Policy is already available in the on-premises domain at no extra cost
and can deploy registry settings through Group Policy Preferences or
administrative templates.
Question 49:
Skipped
Users store data in OneDrive for Business. The following process occurs:
4. The deleted file is moved to the Recycle Bin on the Windows 11 device.
(Correct)
Resource Monitor
Reliability Monitor
(Correct)
Task Manager
Performance Monitor
(Correct)
Explanation
Windows 11 includes several built-in tools to manage the Windows 11 environment,
and Reliability Monitor and Performance Monitor can provide historical data,
including reports and graphs. Although Task Manager does include some historical
data, it is only for app data and does not include historical CPU usage data or allow
you to save the data.
Question 51:
Skipped
Windows 11 is available in several editions. Which edition does not include the
Microsoft Edge browser?
Windows 11 Home
Windows 11 Enterprise
(Correct)
Explanation
The Microsoft Edge browser is included in all versions of Windows 11 except for the
Windows 11 Enterprise Long-Term Servicing Channel edition. This edition is a
special edition of Windows 11 that does not include feature updates and is missing
some of the other features normally included within Windows 11 Enterprise, such as
Microsoft Edge, Cortana, and the Windows Store client. This version of Windows 11
is designed for computers that need to be secure and stable, such as computers that
control medical devices.
Question 52:
Skipped
Windows Remote Management is included on all Windows operating systems.
However, it is not enabled by default in Windows 11. To use remote management
features for Windows 11 client devices, what must you enable?
Win32
Winrmsrv
Winmail.dat
WinRM
(Correct)
Explanation
WinRM is enabled by default on the Windows Server operating system but not on the
Windows 11 client. WinRM is the transport that PowerShell remoting (and other
WS-Management based tools) depends on; Remote Desktop uses its own protocol and
does not need it. You can enable WinRM for all Windows 11 clients by using
Microsoft Intune or Group Policy Objects.
All the other answers are incorrect because Win32 is a set of APIs used to develop
applications, Winrmsrv is a virus executable that aims to open remote access to a
device maliciously, and Winmail.dat is a file that supports rich text in email
messages.
Question 53:
Skipped
All copies of Windows 11 require activation. What is the activation process?
Activation links a software product key to a particular installation of
Windows 11.
(Correct)
(Correct)
(Correct)
(Correct)
(Correct)
Explanation
You can share a folder using File Explorer in several ways. Methods include:
• Use the Share With option on the Share tab on the ribbon (also called Network
File and Folder Sharing).
• Select Advanced Security from the Share tab on the ribbon.
• Use the Sharing tab in the Properties dialog box.
• Use the Give Access To context menu by right-clicking a folder to be shared.
However, you would not create a new local user account on the device. Although
such an account would offer access to the PC, it would not necessarily offer access
to the folder.
Question 55:
Skipped
All copies of Windows 11 must be activated and then validated. What is the
difference between activation and validation?
Activation is the process of providing the license product key for Windows
11. Validation is the process of authenticating the product key.
(Correct)
Activation is the process of providing the license product key for Windows
11. Validation is the process of ensuring that the product key has not been
used for too many devices.
Activation is the process of proving the license product key for Windows
11. Validation is the process of using a key management service to
automate the activation process.
Explanation
Every copy of Windows 11 needs to be activated as part of the installation process.
Activation can happen in many ways, depending on how Windows 11 was installed—
for example, activation by using a product key, OEM (original equipment
manufacturer) activation by associating a device to a Windows 11 license, and
activation by using a key management service to manage Microsoft Volume
Licensing.
(Correct)
Explanation
Activation confirms that each copy of Windows 11 is genuine. Activation confirms
the licensing status, and validation confirms that the product can be used. You can
encounter issues due to a mismatch in the Windows 11 edition that is installed or
due to making major hardware changes to a device. The Windows Activation
Troubleshooter tool can resolve these types of issues. However, you cannot use the
tool to locate a correct product key for Windows 11.
Question 57:
Skipped
Your company has purchased 100 new Windows 11 computers. All user settings,
apps, and data files must be migrated from the old Windows 8.1 devices to the new
Windows 11 devices. Which of the following tools/methods allows you to automate
the migration process?
(Correct)
The User State Migration Tool (USMT) automates the migration process. You can
create a migration rule to control which files and settings are migrated. You can then
use this rule with the USMT tool’s ScanState and LoadState options to collect and
restore user files and settings.
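Because a migration store holds every user's documents, browser settings and saved credentials, the ScanState/LoadState pair should always be run with an encrypted store. The script below is an added example (not from the original question bank) wrapping both halves with USMT's /encrypt and /decrypt options and a key file, so nothing sits on the file share in clear text. The USMT path is the default Windows ADK location, and the store share, key-file path, and CORP domain name are placeholders; USMT must be installed on both devices, and each function is run elevated on the device it belongs to.

```powershell
# Added example: USMT migration with an encrypted store.
$Usmt    = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64'
$Store   = '\\fileserver\MigStore\PC-0042'     # placeholder UNC path, one folder per device
$KeyFile = 'C:\Secure\usmt-key.txt'             # placeholder: single-line passphrase, ACL-restricted

# Rule files: migdocs.xml = documents and common data, migapp.xml = application settings.
# /ue:* then /ui:CORP\* migrates only domain accounts (include wins over exclude).
# /c continues past non-fatal errors; /v:5 is a moderate log verbosity.
$common = @('/i:migdocs.xml', '/i:migapp.xml', '/ue:*', '/ui:CORP\*', '/c', '/v:5')

function Invoke-ScanState {
    # On the OLD (Windows 8.1) device: collect the store.
    # /uel:90 skips profiles not used in the last 90 days; /o overwrites a stale store.
    & "$Usmt\scanstate.exe" $Store @common '/uel:90' '/o' '/encrypt' "/keyfile:$KeyFile" '/l:C:\Temp\scanstate.log'
    if ($LASTEXITCODE -ne 0) { throw "ScanState failed with exit code $LASTEXITCODE" }
}

function Invoke-LoadState {
    # On the NEW (Windows 11) device: apply the store.
    # /lac creates any missing local accounts disabled; /lae would enable them,
    # which you rarely want without reviewing them first.
    & "$Usmt\loadstate.exe" $Store @common '/decrypt' "/keyfile:$KeyFile" '/lac' '/l:C:\Temp\loadstate.log'
    if ($LASTEXITCODE -ne 0) { throw "LoadState failed with exit code $LASTEXITCODE" }
}

# Run the matching half on each device:
#   Invoke-ScanState    # on the source device
#   Invoke-LoadState    # on the destination device
```

Delete the key file and the per-device store folder once LoadState has succeeded; the store is a complete copy of the user's data and should not outlive the migration.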
Question 58:
Skipped
You can use PowerShell remoting to create sessions and run commands on remote
computers.
(Correct)
(Correct)
(Correct)
Question 59:
Skipped
You need to enable automatic start for PowerShell remoting on a Windows 11
device. Which command do you use?
winrm quickconfig
(Correct)
The other commands listed here are also PowerShell remoting commands, but you
use them for other purposes:
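Questions 52, 58 and 59 all come down to turning WinRM on; the part the exam does not ask is what that exposes. The script below is an added example (not from the original question bank) that enables PowerShell remoting on a Windows 11 device and then checks the three settings that most often leave the listener wider open than intended: which firewall profiles the rule allows, whether TrustedHosts is a wildcard, and whether an HTTPS listener exists. It assumes an elevated session.

```powershell
# Added example: enable PowerShell remoting and audit the resulting exposure.

# Enable-PSRemoting starts WinRM, creates the HTTP listener and firewall rule; it is
# the PowerShell counterpart of "winrm quickconfig". -SkipNetworkProfileCheck is
# only needed when the active connection is classified as Public.
Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null

function Get-WinRmExposure {
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
        }
    }
    $trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    $rules   = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled True

    [pscustomobject]@{
        Listeners        = $listeners
        HttpsListener    = [bool]($listeners | Where-Object Transport -eq 'HTTPS')
        TrustedHosts     = $trusted
        WildcardTrust    = ($trusted -eq '*')
        FirewallProfiles = (($rules | ForEach-Object { $_.Profile }) -join ', ')
        PublicExposed    = [bool]($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })
    }
}

$x = Get-WinRmExposure
$x | Format-List

if ($x.WildcardTrust) {
    Write-Warning 'TrustedHosts is "*": this client will fall back to NTLM against any host, including a spoofed one.'
}
if ($x.PublicExposed) {
    Write-Warning 'The WinRM firewall rule is open on the Public profile; restrict it to Domain/Private.'
}
if (-not $x.HttpsListener) {
    Write-Warning 'No HTTPS listener: outside a domain (no Kerberos) the session is protected only by NTLM.'
}

# Prove the service answers locally.
Test-WSMan -ComputerName localhost | Select-Object ProductVersion
```

When the policy is rolled out with Intune or a GPO, run the audit function on a sample of devices afterwards; the policy sets the listener but says nothing about the firewall profile or the client-side TrustedHosts list.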
Windows 11 Enterprise
Windows 11 Home
(Correct)
Windows 11 Pro
(Correct)
Windows 11 Education
Explanation
The RefreshWindowsTool.exe supports both Windows 11 Home and Windows 11
Pro editions. It does not support other editions.