Microsoft MD-102: Endpoint Management

Questions and Answers

User1 needs to deploy new computers within Adatum. Which Azure AD role should be assigned to User1 to minimize administrative effort?

  • Cloud Device Administrator (correct)
  • Hybrid Identity Administrator
  • Intune Administrator
  • Global Administrator

Which devices are converted to Autopilot by the Profile1 configuration?

  • All devices in Group2, except for those in Group1
  • All Windows PC devices in the adatum.com domain
  • All devices in Group1, except for those in Group2 (correct)
  • Only devices that are already enrolled in Autopilot

You need to enable users in GroupA to deploy new computers while minimizing administrative effort. What should you configure?

  • Delegate control in the on-premises Active Directory to allow GroupA members to join computers to the domain. (correct)
  • Add the users to the local administrators group on each computer.
  • Assign the Intune Administrator role to the GroupA in Azure AD.
  • Configure a dynamic group in Azure AD that only contains users in GroupA.

Which statement is correct regarding BitLocker Drive Encryption and Secure Boot settings on the devices?

  • Device1 requires BitLocker, Device2 requires both BitLocker and Secure Boot, while Device5 requires neither. (A)

You need to ensure that only devices compliant with Intune policies can access Exchange Online. Which type of policy should you configure?

  • Conditional Access policy (B)

You are implementing Controlled folder access. Which folders are protected on Device2?

  • Both C:*\AppA.exe and D:\Folder1 (A)

What is the purpose of the Intune connector for Active Directory?

  • To enable hybrid Azure AD joined devices to enroll in Intune (D)

Which VPN connection types are supported by Connection1 and Connection2, respectively?

  • Connection1 supports L2TP, Connection2 supports IKEv2 (D)

You deploy Boundary1. Which devices will have the network boundary of 192.168.1.0/24 applied?

  • Device1, Device2, Device3, and Device4 (B)

After 30 minutes of inactivity on a device managed by the iOS App Protection Policy, what will happen?

  • The user will be prompted for their account credentials. (A)

You have assigned the App Protection policy. After a user enters the wrong PIN five times, what action will occur?

  • The app will be blocked. (B)

You need to customize the installation of Microsoft 365 Apps for enterprise. What are the correct steps to perform this task?

  • Download ODT, Edit XML, Run setup.exe /download, Run setup.exe /configure (B)

You need to determine the correct devices for app configuration policies. On which devices can you apply app configuration policies?

  • Device3 and Device4 (A)

You need to prevent users from copying and pasting data to other apps. Which type of policy and how many policies should be set?

  • App protection policy; one policy (C)

You want to install App1 before App2. You need to configure the App1 deployments first. What should you change?

  • The App2 deployment configurations. (C)

You have devices enrolled in Intune and you want to manage Apple1. What is the minimum number of app configuration policies required?

  • 2 (A)

Which 'condition' setting should you add to CAPolicy1 to block only legacy authentication requests?

  • Application Types (B)

What settings should be updated in the Microsoft 365 Apps admin center to enable automatic installation of WebView2 Runtime and prevent users from submitting feedback?

  • Policy Management and Customization (C)

You need to deploy the Microsoft 365 Apps for Enterprise suite to all 10 computers. What should you do?

  • Add an app in the Intune admin center. (D)

A Windows 11 device is having connectivity issues and has been offline for 30 days. You need to remove this device. What should you use?

  • Delete Action (A)

You need to review the startup times and restart frequencies of the devices in Intune. Which option would accomplish this task?

  • Endpoint analytics (D)

If you need to be able to install the 'latest' to Windows 10 devices, which update setting should you ensure is set to 'Allow'?

  • Microsoft product updates (D)

An Android Enterprise device has a corporate-owned work profile and is enrolled in Microsoft Intune. Which configuration settings should you modify in the device restriction profiles?

  • Device Experience. (B)

You need to ensure you can apply Defender policies. What should you do?

  • From the Microsoft Intune Admin Center, create a configuration profile. (D)

Which actions to minimize Microsoft Defender firewall?

  • Configure Windows Defender Antivirus, create a device configuration file and configure the endpoint protection settings. (C)

Your company must increase security. What do you configure to prevent suspicious PowerShell scripts from running on devices?

  • An attack surface reduction (ASR) rule. (D)

To migrate the existing Default Domain Policies GPO, which device configuration profile is used?

  • Device restrictions. (C)

You want to enable Android devices to use Android work. Which settings need to be configured?

  • Set Android Enterprise (Work Profile) to Allow. (A)

You're setting up a kiosk. Which two items should you configure?

  • Single app, full screen kiosk (C)

You need to configure the devices to connect and retrieve Windows updates from the internet and from other computers on the local network. Which Delivery Optimization setting should you configure?

  • Download mode (D)

For an Azure AD tenant to create Notification1 for Group1, which statement must be true?

  • Users in Group1 must have devices enrolled in Intune. (A)

You want to start a remote connection to Computer2. What must occur first?

  • Enable-PSRemoting. (A)

You are preparing for Autopilot. Which step needs to occur first?

  • Extract the Hardware ID information of each computer to a CSV file and upload the file from the Microsoft Intune Admin Center. (A)

You are working with Microsoft Deployment and modifying the WinPE settings. What step should you take next?

  • Update the deployment share. (B)

When users join a Windows 10 computer, what must you extract?

  • Hardware ID Information. (A)

What should you run to enable the Windows Remote Management (WinRM) service on Computer1?

  • Enable-PSRemoting. (B)

In a Microsoft Intune deployment, which three actions should you perform?

  • Reset the computer (D)

Which policy allows you to access specific Microsoft Exchange Online?

  • Application access policies. (D)

Flashcards

adatum.com Domain

An on-premises Active Directory domain is named adatum.com. It contains servers like DC1, Server1, and Server2, with roles such as Domain Controller and Member Server.

User1's Role

User1 is assigned the Cloud Device Administrator role and is a member of GroupA.

User2 Role

User2 has the Azure AD Joined Device Local Administrator role and belongs to GroupB.

User3 Role

Global Reader, belongs to GroupA and GroupB. Read-only access to settings and reports.

User4 Role

Global Administrator, belongs to Group1. Full control over the Azure AD tenant.

Device1

Corporate-owned, member of Group1, Default scope.

Device2

Corporate-owned, member of Group1, Group2, Tag2 scope.

Device3

Personally-owned, member of Group1, Tag1 scope.

Device4

Personally-owned, member of Group2, Tag2 scope.

Device5

Corporate-owned, member of Group3, Default scope.

Device1 Configuration

BitLocker enabled, Secure Boot disabled. Connects to VPN1.

Device2 Configuration

BitLocker enabled, Secure Boot enabled. Connects to VPN1, VPN3.

Device3 Configuration

BitLocker disabled, Secure Boot disabled. Connects to VPN3.

Device4 Configuration

BitLocker disabled, Secure Boot enabled. No VPN.

Device5 Configuration

BitLocker enabled, Secure Boot disabled. No VPN.

Policy1

It requires BitLocker only and is assigned to Group1.

Policy2

It requires Secure Boot only and is assigned to Group1.

Policy3

Require BitLocker and Secure Boot, assigned to Group2. Enforces both encryption and secure boot settings.

Compliance Policy Settings

The configuration service treats devices

Compliance

Devices with no compliance policy assigned are marked as compliant

Compliance Period

The compliance status validity period is 30 days

Protection1

It blocks all apps from accessing protected folders.

Autopilot Profile

New devices can be auto-deployed to users in Group1.

Boundary1

All devices have 192.168.1.0/24.

Connection1

The default is L2TP. Assigned to Group1, Group2 and GroupA.

CAPolicy1

App1 must only accept modern authentication requests.

Study Notes

  • The study notes cover information related to Microsoft MD-102 exam, focusing on endpoint administration, Microsoft Intune, and Active Directory within the context of a consulting company called Adatum Corporation.

Adatum Corporation Overview

  • Adatum is a consulting firm with offices in Montreal, Seattle, and New York and uses a Microsoft 365 E5 subscription.

Network Environment

  • The on-premises network uses an Active Directory domain called adatum.com and uses a hybrid Azure AD tenant with the same name.
  • The domain contains the following servers:
    • DC1: Windows Server 2019, Domain controller
    • Server1: Windows Server 2016, Member server
    • Server2: Windows Server 2019, Member server

Users and Groups

  • The adatum.com tenant contains the following users:
    • User1: Cloud Device Administrator, Member of GroupA
    • User2: Azure AD Joined Device Local Administrator, Member of GroupB
    • User3: Global Reader, Member of GroupA and GroupB
    • User4: Global Administrator, Member of Group1
  • All users have a Microsoft Office 365 license and an EMS E3 license. Enterprise State Roaming is enabled for Group1 and GroupA.
  • Group1 and Group2 are assigned a membership type of Assigned.

Devices

  • The corporation uses Windows 10 devices joined to Azure AD and enrolled in Microsoft Intune.
  • Device configuration:
    • Device1: Corporate-owned, Member of Group1, Scope: Default, BitLocker: Yes, Secure Boot: No, VPN: VPN1
    • Device2: Corporate-owned, Member of Group1, Group2, Scope: Tag2, BitLocker: Yes, Secure Boot: Yes, VPN: VPN1, VPN3
    • Device3: Personally-owned, Member of Group1, Scope: Tag1, BitLocker: No, Secure Boot: No, VPN: VPN3
    • Device4: Personally-owned, Member of Group2, Scope: Tag2, BitLocker: No, Secure Boot: Yes, VPN: None
    • Device5: Corporate-owned, Member of Group3, Scope: Default, BitLocker: Yes, Secure Boot: No, VPN: None
  • All Azure AD joined devices have an executable file C:\AppA.exe and a folder named D:\Folder1.

Microsoft Intune Configuration

  • Microsoft Intune uses the following compliance policies:
    • Policy1: Require BitLocker only, Assigned to Group1
    • Policy2: Require Secure Boot only, Assigned to Group1
    • Policy3: Require BitLocker and Secure Boot, Assigned to Group2
  • Compliance policy settings: devices with no compliance policy assigned are compliant, enhanced jailbreak detection is disabled, and the compliance status validity period is 30 days.
  • Automatic enrollment settings:
    • MDM user scope: GroupA
    • MAM user scope: GroupB
  • Endpoint protection configuration profile settings:
    • Name: Protection1
    • Folder protection: Enabled
    • List of apps that have access to protected folders: C:\*\AppA.exe
    • List of additional folders that need to be protected: D:\Folder1
    • Assignments: Group2 and GroupB

Windows Autopilot Configuration

  • The Intune connector for AD must be installed on Server1.
  • Windows Autopilot profile settings:
    • Name: Profile1
    • Convert all targeted devices to Autopilot: Yes
    • Device type: Windows PC
  • OOBE settings:
    • Deployment mode: User-Driven
    • Join to Azure AD as: Azure AD joined
    • Skip AD connectivity check: No
    • Language (Region): Operating system default
    • Automatically configure keyboard: Yes
    • Microsoft Software License Terms, Privacy settings, and change account options: Hide
    • User account type: Standard
    • Allow White Glove OOBE: No
    • Apply device name template: No
  • Included groups: Group1
  • Excluded groups: Group2
  • Planned changes:
    • Purchase a new Windows 10 device named Device6 and enroll the device in Intune
    • New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
  • Microsoft Intune will deploy Boundary1:
    • Name: Boundary1
    • Network boundary: 192.168.1.0/24
    • Scope tags: Tag1
    • Assignments: Group1, Group2
  • Microsoft Intune will deploy Connection1 and Connection2:
    • Connection1: VPN1, L2TP, Group1, Group2, GroupA
    • Connection2: VPN2, IKEv2, GroupA, GroupB

Technical requirements

  • Users in GroupA need the ability to deploy new computers.
  • Minimize administrative effort.

iOS App Protection Policy

  • Access Requirements:
    • PIN for access: Require, Type: Numeric
    • Simple PIN: Allow, Minimum PIN length: 6
    • Touch ID instead of PIN for access: Allow
    • Override biometrics timeout: Require, Timeout: 30 minutes of inactivity
    • Face ID instead of PIN for access: Block
    • PIN reset days: 0
    • App PIN: Require, Credentials for access: Require
    • Access requirements rechecked after 30 minutes of inactivity
  • Conditional Launch:
    • Max PIN attempts: 5, Action: Reset PIN
    • Offline grace period: 720 minutes / 30 days
    • Jailbroken/rooted devices: Block access
