MD-102 Exam Simulation https://www.kaplanlearn.com/education/test/print/81333036?testId=25...

Quick Quiz July 10, 2023 Test ID: 257380418

Question #1 of 45 Question ID: 1561430

As a Windows 10 administrator for Verigon Corporation, you have been tasked with configuring a few hundred
laptops purchased from several resellers. You have chosen to use Windows Autopilot and Intune to simplify
configuration. The laptops have not been registered by the resellers. All Autopilot service prerequisites have been
configured.

What is the first step in deploying these laptops?

A) Enroll the laptops in Intune

B) Collect the hardware ID from each laptop

C) At an administrative command prompt, run sysprep /generalize /oobe

D) Create an Autopilot device group

E) Connect each laptop to the Internet

Explanation

You must first collect the hardware ID from each laptop. You can do this with a script from the PowerShell Gallery or
use System Center Configuration Manager. You can use the Get-WindowsAutoPilotInfo.ps1 script from the
PowerShell Gallery and run it on each computer:

md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv

You must not connect each laptop to the Internet. This would cause the laptop to download an empty profile that
would have to be removed. Collect the hardware ID first.

You cannot enroll the laptops in Intune until you have a CSV file containing their hardware IDs.

You will want to create an Autopilot device group, but this can only be done after you have added the devices.

You would not, at an administrative command prompt, run sysprep /generalize /oobe. This process would only
be relevant to Autopilot when attempting to clear a stored profile.

1 of 77 2023-07-10, 17:55


Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Manually register devices with Windows Autopilot | Microsoft Learn

Overview of Windows Autopilot | Microsoft Learn

Question #2 of 45 Question ID: 1561481

Verigon Corporation has configured Windows Intune for its Mobile Device Management (MDM) solution. All
Windows 10 devices are domain-joined and Azure AD-registered. Verigon has Azure AD Premium. They want these
corporate devices to be automatically enrolled in Intune.

What would be a step in implementing this solution?

A) Configure MDM auto-discovery using an email address

B) Configure an MFA (multi-factor authentication) registration policy

C) Create a GPO to enable automatic MDM enrollment

D) Configure Hybrid Azure AD join in Azure Active Directory Connect

E) Use the Windows Imaging and Configuration Designer (ICD) tool to create a
provisioning package

Explanation

You will need to create a GPO to enable automatic MDM enrollment. This is the Hybrid AD join method which is
appropriate for this scenario. The GPO setting is a computer policy under Administrative Templates > Windows
Components > MDM.

You would not use the Windows Imaging and Configuration Designer (ICD) tool to create a provisioning package.
This tool would be used if you were doing a bulk enrollment of computers, such as in a school setting, not automatic
enrollment per device.

You do not need to configure a multi-factor authentication (MFA) registration policy to achieve the goals of this
scenario.

You do not need to configure Hybrid Azure AD join in Azure Active Directory Connect. The scenario indicates that
the devices in question are already joined and Azure AD-registered.

You will not need to configure MDM auto-discovery using an email address. With Azure AD Join, the discovery URL
is passed down to the device from Azure.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal - Windows Client Management |
Microsoft Learn

Step 5 – Enroll devices in Microsoft Intune | Microsoft Learn

Windows 10, Azure AD and Microsoft Intune: Automatic MDM enrollment powered by the cloud! - Microsoft
Community Hub

Question #3 of 45 Question ID: 1561536

You are the cybersecurity admin for the Nutex Corporation.

You want to secure corporate data on your endpoint MDM-enrolled client devices and prevent users from copying
and pasting corporate data when using applications in order to prevent data leakage.

Which of the following options will achieve this objective using Microsoft Endpoint Manager?

A) Create a Windows 10 compliance policy that requires BitLocker encryption.

B) Create an Endpoint Security profile that enables full disk encryption.

C) Create an app protection policy.

D) Create an app configuration policy.

Explanation

You would choose to create an app protection policy. You can prevent app data leakage by creating an app
protection policy for enterprise-enhanced data protection. Mobile Application Management (MAM) app protection
policies protect data with an application and allow you to manage the data. An app protection policy (APP) can be a
rule that is enforced when corporate data is moved or accessed by the user. You could have an APP that prohibits a
set of actions when a user is inside an app. Once an APP has been applied to an application, it can be managed in
Intune.

You would not choose to create an app configuration policy. App configuration policies are used to deploy desired
application settings and cannot prevent app data leakage.

You would not choose to create a Windows 10 compliance policy that requires BitLocker encryption. While BitLocker
can protect data at rest, it cannot prevent app data leakage.

You would not choose to create an Endpoint Security profile that enables full disk encryption. While enabling full disk
encryption can protect data at rest, it does not prevent app data leakage.

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Create and deploy app protection policies - Microsoft Intune | Microsoft Learn

Question #4 of 45 Question ID: 1561515

You are the enterprise admin for Verigon. The company has recently enrolled more than 2,000 Windows 10 laptops
with Microsoft Endpoint Manager.

As security is a top priority in the company, you want to deploy best-practice configurations to all devices and
application settings as quickly as possible.

Using the Endpoint Security node, click on the tool that will achieve this objective.

[Exhibit: Endpoint Security node; answer options A to F are regions of the image]

Explanation

You would choose the following:

Security baselines are pre-configured groups of Windows settings that help you apply a known group of settings and
default values that the relevant security teams recommend.

All the other answers are incorrect because they do not deploy configurations.

While Security tasks are used to remediate endpoint weaknesses identified by Defender's vulnerability
management, they deliver and enforce settings.

Device compliance is used to create policies that establish the conditions by which devices and users can access
the company’s network and resources.

Conditional access is used to create policies that enforce which devices and apps can access your corporate
resources.

Attack surface reduction is used to create policies that help reduce your attack surfaces by integrating with Endpoint
antivirus.

Antivirus, Disk encryption, firewalls, Endpoint protections, and Account protection focus on specific aspects of
device security and do not include best practices.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Manage endpoint security in Microsoft Intune | Microsoft Learn

Question #5 of 45 Question ID: 1561514

You have been implementing security baselines in Intune for a few weeks. You need to see a report of which
computers running Windows 10 are currently not meeting the security baselines being enforced.

How long does it take to get baseline-related information into the Security Baseline monitoring reports?

A) 48 hours

B) 6 hours

C) 2 hours

D) 24 hours

Explanation

When implementing Security Baseline Monitoring, Intune changes take six hours to appear in the reports. When first
implementing the system, it will take 24 hours for the data to appear, but in this question the system has been in
place for a few weeks and the existing data will already show there.

Two hours is not enough time for baseline data to be shown in the overview reports.

The changes to Security Baseline data will show up way before a 48-hour time period has elapsed.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Check the success or failure of security baselines in Microsoft Intune | Microsoft Learn

Question #6 of 45 Question ID: 1561427

The Nutex Corporation has multiple branches worldwide. You manage 10,000 workstations that run with a Windows
11 Pro license. You want to upgrade the current license from Windows 11 Pro to Windows 11 Enterprise with no
keys or reboots.

Which of the following options should you choose?

A) Subscription activation

B) Provisioning packages

C) In-place upgrade

D) Windows Autopilot

Explanation

Windows 11 Enterprise E3 and Windows 11 Enterprise E5 are available as online services via subscription. You can
deploy Windows 11 Enterprise in your organization with no keys or reboots. If you were running Windows 10 version
1703 or later, you could upgrade from a Windows 11 Pro license to a Windows 11 Enterprise license. Product key-based
Windows 11 Enterprise licenses can be transitioned to Windows 11 Enterprise subscriptions.

You cannot use subscription services to upgrade from Windows 10 to Windows 11.

You would not use Windows Autopilot for a Windows 11 Enterprise license upgrade. Windows Autopilot uses various
technologies to set up and preconfigure new devices. It can be used to repurpose, recover, and reset devices.

Windows Autopilot helps IT administrators and reduces the time IT spends on deploying, managing, and retiring
devices. It also minimizes the amount of infrastructure required to maintain the devices and maximizes ease of use
for all types of end users.

You would not use provisioning packages for a Windows 11 Enterprise license upgrade. Windows provisioning is
best suited for small to medium-sized deployments that range from ten to a few hundred. A provisioning package is
a container for a collection of configuration settings. You should use Windows Configuration Designer to create a
provisioning package. Windows Configuration Designer is an app in the Microsoft store.

You would not use an in-place upgrade for the Windows 11 Enterprise license upgrade in the given scenario. An
in-place upgrade is used to upgrade an earlier version of Windows to a new version. It automatically preserves all
data, settings, applications, and drivers. The in-place upgrade supports manual or automatic rolling back to the
previous OS in case you encounter issues either during or after the deployment.

Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment

References:

Microsoft Learn > Microsoft 365 > Windows > Deployment > Windows subscription activation

Learn > Windows > Deployment > What's new in Windows client deployment

Question #7 of 45 Question ID: 1561471

Verigon Corporation will be using Microsoft Intune to control access to Office 365 applications for all their locations.
You need to ensure that all Finance group members can access Excel Online from their Windows 10 laptops only
via Multi-Factor Authentication (MFA).

Which required settings in your access policy must you configure? (Choose all that apply.)

[Exhibit: access policy settings; answer options A to F are regions of the image]

Explanation

You will have to give the policy a name.

You will want to configure Users and Groups in the Assignment section. Here you can choose the Finance group.

You will want to configure the Cloud Apps section to include the desired Office 365 applications. This is where you
would choose Excel Online.

You will want to configure Conditions in the Assignment section. This is where you can add the desired device
platform.

You will want to configure the Grant portion of the Access Control section. This is where you require MFA.

Note that you will also want to configure the Session section of Access controls.

Finally, you need to enable the policy.

Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

What is Conditional Access in Azure Active Directory? - Microsoft Entra | Microsoft Learn

How to configure Microsoft Intune / Azure AD Conditional Access to Microsoft Office 365 Exchange Online

Question #8 of 45 Question ID: 1561437

You are a system administrator for Verigon Inc. Your organization has an Azure Active Directory (Azure AD)
environment with a number of departments, including Sales, Finance, and HR. The departments have workstations
with different configurations, as shown in the table below.

| Department | Memory | CPU | TPM Module |
|---|---|---|---|
| Sales | 8 GB | Intel i5 | TPM 1.2 |
| Finance | 8 GB | Intel i5 | TPM 2.0 |
| HR | 4 GB | Intel i5 | TPM 2.0 |

You are planning to configure Windows 11 Enterprise on all of the workstations assigned to these departments.

Which of the workstations can be configured using Windows Autopilot self-deploying mode?

A) Finance and HR workstations

B) Finance workstations only

C) Sales workstations only

D) Sales, Finance, and HR workstations

Explanation

In the given scenario, Finance and HR workstations can be configured using Windows Autopilot self-deploying
mode. TPM 2.0 is the requirement for self-deploying mode. TPM 2.0 is used to authenticate the device into the
organization's Azure AD tenant. Devices without TPM 2.0 cannot be used with this mode. TPM attestation must also
be supported by the devices. The TPM provider provides the HTTPS URL for the TPM attestation process.

When attempting self-deploying mode on a device that does not have TPM 2.0, the process will fail when verifying
the device. The self-deploying mode works with Windows 10 version 1903 or later.

You cannot configure Sales workstations using self-deploying mode because their workstations do not have TPM
2.0, and TPM 1.2 will not work with self-deploying mode.

With Windows Autopilot's self-deploying mode, you can deploy a device with little or no user interaction.
Self-deploying mode performs the following:

Joins the device to Azure AD.

Enrolls the device in Intune using Azure AD for automatic MDM enrollment.

Makes sure that all applications, certificates, network profiles, and policies are provisioned on the device.

Prevents access until the device is fully provisioned.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Microsoft Learn > Microsoft Intune > Solutions > Windows Autopilot self-deploying mode (Public Preview)

Microsoft Learn > Microsoft Intune > Solutions > Overview of Windows Autopilot

Microsoft Learn > Microsoft Intune > Solutions > Windows Autopilot: What's new

Question #9 of 45 Question ID: 1564882

You have a computer named Win11Sales1 that has Windows 11 installed. You need to ensure that a script called
SetupComplete.ps1 will run after installing a Feature Update.

Question A: Which file should you modify on Win11Sales1?

Question B: Which parameter should you use to deploy the PowerShell script?

Explanation

You should choose the following:

The SetupConfig.ini file can be used to control the update process. You can use the POSTOOBE parameter in the
SetupConfig.ini file to run a CMD file after the Feature Update has been installed. You can create a command file
named RunAfterSetup.cmd that runs a PowerShell script file called SetupComplete.ps1 in the
C:\ProgramData\FeatureUpdate folder.

PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\FeatureUpdate\SetupComplete.ps1

The POSTOOBE parameter in the SetupConfig.ini file runs the RunAfterSetup.cmd file.

[SetupConfig]
NoReboot
ShowOobe=None
Telemetry=Enable
InstallDrivers=
ReflectDrivers=
POSTOOBE=C:\ProgramData\FeatureUpdate\RunAfterSetup.cmd

You would not use the Autounattend.xml file. This file is an answer file to install Windows. This file can be placed on
the root of a USB flash drive with the Windows media to install Windows on a new PC.

You would not use the boot.ini file. This file was used with Windows XP and Windows Server 2003, configuring
NT-based operating systems' boot options.

You would not use the boot loader parameter or the operating systems parameter. The boot loader
parameter specifies how long the boot menu for an NT-based system appears on the screen and the default choice
for the boot menu. The operating systems parameter sets the different operating systems loaded on the device.
These parameters are used with the boot.ini file.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device updates for all supported device platforms by using Intune

References:

Running custom actions during a Windows 10 Feature Update with Configuration Manager - MSEndpointMgr

Windows Setup Automation Overview | Microsoft Learn

Question #10 of 45 Question ID: 1561538

You have recently joined the Nutex Corporation as the Microsoft Intune Administrator. Microsoft Intune manages the
email accounts and apps on the employees’ mobile devices. Some employees use Android Enterprise licenses,
while new hires do not have these licenses. All mobile devices are managed by Intune.

After a new app was made available through a Managed Google Play account and an app assignment, existing and
new employees cannot find it on their mobile devices. You are tasked with investigating the cause of the issue and
recommending a suitable fix.

Which of the following are the probable causes of this issue? (Choose all that apply.)

A) App assignment is not yet configured for the new users.

B) App assignment is set to Available for enrolled devices.

C) App has new app permissions that are not yet configured as part of the
app configuration policy.

D) App assignment is set to Required.

E) App assignment is set to Uninstall.

Explanation

The following are the probable causes of this issue:

App assignment is set to Uninstall.

App assignment is not yet configured for the new users.

App has new app permissions that are not yet configured as part of the app configuration policy.

If the app has new app permissions that are not yet configured as part of the app configuration policy, users may not
be able to find it on their mobile devices. When an app is added to Intune as a Managed Google Play app, the
Approval Settings can be set to revoke the app approval to Intune when new app permissions are added. In such
cases, the app is no longer seen in the Play Store without re-approval. You would revisit the app and review and
approve the new app permissions.

If an app assignment is not yet configured for new users, they may not be able to find the app on their mobile
devices. The app assignment can be assigned to groups of users. In this scenario, it is possible that the wrong
group was targeted in the assignment. Apps are not installed on devices and app configuration policies do not take
effect without an app assignment. A new app assignment must be created with the Available with or without
enrollment option for new users.

If an app assignment is set to Uninstall, users will not find the app installed on their mobile devices. When this
option is selected for an existing assignment, the app is uninstalled from the devices in the selected groups if the
existing assignment was used to install the app via an “Available for enrolled devices” or “Required” option.

If an app assignment is set to Available for enrolled devices and the app assignment is set to the correct group of
users, the app will appear on a user’s mobile device. When an app assignment is set to Available for enrolled
devices, the Android device needs to be enrolled in Intune, which is true in this scenario. The users’ devices will
need to be enrolled in Intune using Android Enterprise licenses, and the app must be assigned to new users, or a
new app assignment must be created with the Available with or without enrollment option for new users.

If an app assignment is set to Required, the app will be automatically installed on all enrolled devices of the users in
the groups selected for app assignment. The users’ devices will need to be enrolled in Intune using Android
Enterprise licenses, and the app must be assigned to new users.

The following table displays options that are available to assign apps to devices and users:

| Options for assigning apps to users and devices | Devices enrolled with Intune | Devices not enrolled with Intune |
|---|---|---|
| Assign apps as Available | Yes | Yes |
| Assign apps as Required | Yes | No |
| Uninstall apps | Yes | No |
| Assign to users | Yes | Yes |
| Assign to devices | Yes | No |
| Assign wrapped apps or apps that incorporate the Intune SDK | Yes | Yes |
| Receive app updates from Intune | Yes | No |
| End users install available apps from the Company Portal app | Yes | No |
| End users install available apps from the web-based company portal | Yes | Yes |

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Microsoft Learn > Microsoft Intune > Intune service > Apps > Assign apps to groups with Microsoft Intune

CodeTwo > Microsoft 365 & Exchange Admin's Blog > How to deploy and configure Microsoft Outlook for Android
via Intune: A complete guide

Question #11 of 45 Question ID: 1561491

You have computers that run Windows 10 Pro. The computers are joined to an Azure Active Directory (Azure AD)
named nutex.com and enrolled in Microsoft Intune.

You need to configure a password reset link on the login screen.

What steps should you take?

Explanation

You should choose the following:

You can configure a reset password link using Intune by creating a device configuration policy in Intune. Once in the
Azure portal, you can click on Device configuration > Profiles > Create Profile, set the platform as Windows 10 and
later, and set the profile type as Custom. You will have to set the OMA-URI to
./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset with a value of 1.

You should not configure a device enrollment policy. A device enrollment policy specifies how a device can be
enrolled in Intune. You can use a device enrollment policy to restrict the devices from enrolling by platform, such as
Android, Windows, or iOS. You can also specify settings on enrollment, such as if reset is required, whether user
affinity is used, or if the device is locked.

A device compliance policy allows devices to meet compliance requirements. With a device compliance policy, you
can define rules and settings for compliance for security settings, such as:

The device has not been rooted.

The device has a minimum version of the operating system.

The device must be at or under a specific threat level.

Users must use a password to access company data on mobile devices.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Self-service password reset for Windows devices - Azure Active Directory - Microsoft Entra | Microsoft Learn

Device features and settings in Microsoft Intune | Microsoft Learn

Question #12 of 45 Question ID: 1564879

Your company's network consists of Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022
computers. Several of the Windows 10 computers are used as kiosks by guests and are connected to an isolated
network segment. This isolated network segment is the only network that these computers have access to. On these
computers, the network is named Network2 and is configured as a Public network.

Recently you have noticed that users are changing the network location type on these computers to Private network.
You must ensure that this network is always configured as a Public network. In addition, you need to prevent users
from changing the location type.

You decide to implement a Group Policy. On one of the kiosk computers, you open the Computer Configuration /
Policies / Windows Settings / Security Settings / Network List Manager Policies section in the local security
policy.

What should you configure? Click the image to select the correct option.

[Exhibit: Network List Manager Policies; answer options A to F are regions of the image]

Explanation

You should open the Network1 policy. On the Network Location tab, select the Public Location Type setting and
the User cannot change location setting, and click Apply. This will ensure that Network1 is always configured as
a Public network and that users cannot change the location type. An example of the Network Location tab is
shown in the following exhibit:

You can also configure the network name and prevent users from changing the name on the Network Name tab, as
shown in the following exhibit:

Finally, you can configure the icon settings on the Network Icon tab, as shown in the following exhibit:

You should not open the Unidentified Networks policy, select the Public Location Type setting and the User
cannot change location setting, and click Apply. This would configure the default settings for any unidentified
networks on the Windows 10 computer. The Unidentified Networks policy is shown in the following exhibit:

You should not open the Identifying Networks policy, select the Public Location Type setting, and click Apply. This
will configure the temporary settings for any networks that are identified on the Windows 10 computer. The
Identifying Networks policy is shown in the following exhibit:

You should not open the All Networks policy, select the User cannot change location setting, and click Apply.
The All Networks policy is shown in the following exhibit:

This can be used to allow users to change the network name, network location, and network icon for all currently
configured networks on a Windows 10 computer. This policy affects all the networks on the computer.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Network List Manager policies (Windows 10) | Microsoft Learn

Network List Manager Policies | Microsoft Learn

Change the network location type in Windows 8 - WinCert

Windows 8 Private Network | Also Public Network Settings (computerperformance.co.uk)

Question #13 of 45 Question ID: 1561469

As a security administrator for Verigon Corporation, you are responsible for the security of Office 365 applications.
You are considering Azure AD conditional access policies based on many factors. Some users should access only
specific cloud apps from home, and others should only have access when in the home office, for example.

What steps should be part of your planning process? (Choose all that apply.)

A) Define a response

B) Create a test plan

C) Define users and groups access condition

D) Require Multi-Factor Authentication (MFA)

E) Select all cloud apps

Explanation

You will want to define a response. A response specifies the action to take when a condition is met, such as blocking
or granting access based on a certain requirement. A response is a required component of a conditional access
policy.

You will need to define users and groups access conditions. In this scenario, one condition would be when the users
are in the home office location, for example.

You should create and implement a test plan. You need to ensure that your conditional access policies are giving the
expected results before you impact the users.

You may choose to require Multi-Factor Authentication (MFA), but it is not a requirement for a successful conditional
access policy, nor is it asked for in this scenario.

You would not select all cloud apps because the requirement here is that some users should only have access to
specific cloud applications.

Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

Plan an Azure Active Directory Conditional Access deployment - Microsoft Entra | Microsoft Learn

Conditions in Conditional Access policy - Azure Active Directory - Microsoft Entra | Microsoft Learn


Question #14 of 45 Question ID: 1561446

You are an enterprise admin for the Verigon Corporation. You are currently deploying Windows 10 for all your
desktops using Lite Touch Installation. You are having problems during the deployment process.

You decide to review the logs to aid in identifying the problem. Which of the following options represent MDT
deployment logs? (Choose two.)

A) The Task Sequencer transactions log

B) The Remote Installation Services log

C) The User State Migration Toolkit Capture log

D) The aggregated MDT log

E) The Task Scheduler History logs

Explanation

You would choose the aggregated MDT log, BDD.log, and the Task Sequencer transactions log, SMSTS.log,
because both are MDT deployment log files.

BDD.log is the aggregated MDT Deployment log file that is copied to a network location at the end of the
deployment and can be used to troubleshoot Lite Touch installations.

SMSTS.log is created by the Task Sequencer and describes all Task Sequencer transactions.

You would not choose the User State Migration Toolkit Capture log. The log file, USMTCapture.log, is used to
troubleshoot user state migrations, not Lite Touch installations.

You would not choose the Task Scheduler History log because these files are used to troubleshoot scheduled
background tasks on any Windows machine and are not associated with Lite Touch Installation deployments.

You would not choose the Remote Installation Services log. Remote Installation Services is a legacy Microsoft
deployment tool that has been replaced by Windows Deployment Services and did not support Lite Touch
Installation deployments.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft Deployment Toolkit (MDT)

References:


Troubleshoot MDT - Configuration Manager | Microsoft Learn

Troubleshoot MDT Deployments with log files - Tech Thoughts

Question #15 of 45 Question ID: 1564875

Dreamsuites Incorporated wants to ensure that the corporate data stored in Office 365 remains secure when Office
365 is accessed from mobile devices. Not all devices that access Office 365 are company owned.

What action could be taken to offer this protection?

A) Run Mpcmdrun.exe

B) Use Intune to create a Mobile Application Management policy

C) Create an iOS email profile

D) Create a device compliance policy

E) Implement Intune MDM

Explanation

You should use Intune to create a Mobile Application Management policy. To do so, choose Client apps > App
protection policies > Create Policy in the Intune portal. This allows you to deploy security policies to the apps
themselves, as opposed to the device. These policies only work for Office 365 applications that connect to Office
365 services. Note that devices do not have to be managed by any MDM solution to implement Mobile Application
Management (MAM) via Intune.

You do not need to implement Intune MDM. Intune provides both mobile device management (MDM) and mobile
application management (MAM). In this scenario, not all devices are company owned. You are required to protect
the Office 365 apps.

You do not need to create an iOS email profile. The scenario does not indicate the type of mobile OS being used by
the devices, and you need to protect Office 365 applications.

You would not run Mpcmdrun.exe. This is a command-line tool used to manage Windows Defender Antivirus.

You do not need to create a device compliance policy. The scenario is focused on Office 365 applications, not
device management.

Windows Information Protection (WIP) is another technology that can protect laptops, but is more directly focused
on the data. It uses other Microsoft Information Protection technologies to protect files that have a sensitivity label.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Create and deploy app protection policies - Microsoft Intune | Microsoft Learn

Enabling Intune: Part 1 – Intune Mobile Application Management Only | Microsoft Learn

Manage BYOD with Intune MAM Without Enrollment - (allthingscloud.blog)

Question #16 of 45 Question ID: 1561517

You plan to implement Microsoft Defender for Endpoint to detect and investigate threats. You want to be able to use
the following features of Microsoft Defender for Endpoint:

Attack surface reduction
Identify attacker tools, techniques, and procedures
Generate alerts when attackers are observed

Which of the following licensing, hardware, and software requirements are required to onboard devices to Microsoft
Defender for Endpoint? Choose all that apply.

A) Access to Defender for Endpoint is supported through the Microsoft Explorer browser

B) Access to Defender for Endpoint is supported through the Safari browser

C) Access to Defender for Endpoint is supported through the Microsoft Edge browser

D) Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices

E) Eligible licensed users may use Microsoft Defender for Endpoint on up to 10 concurrent devices

F) Requires a Windows 10 Education A5 license

G) Access to Defender for Endpoint is supported through the Chrome browser

H) Requires a Windows 10 Enterprise E5 license

Explanation

Microsoft Defender for Endpoint is supported on a Windows 10 Enterprise E5 and Windows 10 Enterprise A5
license. It is also supported on the following licenses:

Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
Microsoft 365 A5 (M365 A5)
Microsoft 365 E5 Security
Microsoft 365 A5 Security
Microsoft Defender for Endpoint

Any licensed user can use Microsoft Defender for Endpoint on up to five concurrent devices, not 10 concurrent
devices.

Access to Defender for Endpoint is supported through the Google Chrome browser and Microsoft Edge browser.
Access to Defender for Endpoint is not supported through the Safari browser or Internet Explorer. Microsoft will no
longer support Internet Explorer after 6/15/2022.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Implement endpoint protection for all supported device platforms

References:

Minimum requirements for Microsoft Defender for Endpoint | Microsoft Learn

Question #17 of 45 Question ID: 1561435

Your company has purchased another company. The purchased company’s computer inventory runs Windows 10
and will be assigned to new users in your organization using Windows Autopilot.

Which four actions should be performed in sequence in Windows Autopilot?


Explanation

You should choose the following actions:

1. Run the Get-WindowsAutoPilotInfo.ps1 PowerShell script.
2. Upload the CSV inventory file.
3. Employee logs in with email and password.
4. Windows Intune pushes apps to user.


You will first need to register the devices by creating a profile and assigning the devices. You can use the
Get-WindowsAutoPilotInfo.ps1 PowerShell script to create a CSV file that will contain an inventory list of the
computers. The CSV file needs three column headings, as follows:

Column A: Device Serial Number
Column B: Windows Product ID
Column C: Hardware Hash

This file must be a CSV file, not a JSON file.

You can create multiple CSV files if need be. You can upload the CSV files via AzCopy to storage, such as Azure
Blob Storage, but you will need to combine the multiple files into a single CSV file. This single CSV file has to be
uploaded to Autopilot and Deployment Profiles must be assigned.
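
The combine step described above, sketched as an added example (it is not part of the original exam material and is not Microsoft's tooling): it merges several hardware-ID CSV files into one, skips files that lack any of the three headings, and excludes serial numbers that appear with conflicting hardware hashes instead of guessing which is right. The function name Merge-AutopilotCsv, the folder and file names, and all sample rows are constructed for illustration, and the output step assumes field values contain no commas.

```powershell
# Added example: merge per-reseller Autopilot CSV files into one upload file.
# Merge-AutopilotCsv is a hypothetical helper name; all sample data is constructed.

$RequiredHeadings = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

function Merge-AutopilotCsv {
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,
        [Parameter(Mandatory)] [string] $OutputFile
    )

    $rows = foreach ($file in Get-ChildItem -Path $SourceFolder -Filter *.csv) {
        $records = @(Import-Csv -Path $file.FullName)
        if ($records.Count -eq 0) {
            Write-Warning "$($file.Name): no data rows, skipped"
            continue
        }

        # Reject the whole file if any of the three headings is missing.
        $headings = $records[0].PSObject.Properties.Name
        $missing  = $RequiredHeadings | Where-Object { $_ -notin $headings }
        if ($missing) {
            Write-Warning "$($file.Name): missing heading(s) $($missing -join ', '), skipped"
            continue
        }

        foreach ($r in $records) {
            $serial = "$($r.'Device Serial Number')".Trim()
            $hash   = "$($r.'Hardware Hash')".Trim()
            if (-not $serial -or -not $hash) {
                Write-Warning "$($file.Name): row without serial number or hardware hash, skipped"
                continue
            }
            # Re-emit only the three expected columns, in the expected order.
            [pscustomobject]@{
                'Device Serial Number' = $serial
                'Windows Product ID'   = "$($r.'Windows Product ID')".Trim()
                'Hardware Hash'        = $hash
            }
        }
    }

    # Collapse exact duplicates; exclude serials seen with more than one hash.
    $groups = @($rows) | Group-Object -Property 'Device Serial Number'
    $merged = foreach ($group in $groups) {
        $hashes = @($group.Group.'Hardware Hash' | Sort-Object -Unique)
        if ($hashes.Count -gt 1) {
            Write-Warning "Serial $($group.Name): conflicting hardware hashes, excluded"
            continue
        }
        $group.Group[0]
    }

    # Write plain comma-separated fields without quotation marks
    # (assumption: no field value contains a comma).
    @($merged) | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $OutputFile

    return @($merged).Count
}

# --- Constructed sample input so the example runs offline ---
$work = Join-Path ([System.IO.Path]::GetTempPath()) 'AutopilotMergeDemo'
$in   = Join-Path $work 'in'
New-Item -ItemType Directory -Path $in -Force | Out-Null

$h = 'Device Serial Number,Windows Product ID,Hardware Hash'
# Two good rows.
Set-Content (Join-Path $in 'resellerA.csv') @($h, 'SN-0001,,CONSTRUCTED-HASH-AAA', 'SN-0002,,CONSTRUCTED-HASH-BBB')
# One exact duplicate of SN-0002, one new device, one row with an empty hash.
Set-Content (Join-Path $in 'resellerB.csv') @($h, 'SN-0002,,CONSTRUCTED-HASH-BBB', 'SN-0003,,CONSTRUCTED-HASH-CCC', 'SN-0004,,')
# SN-0001 again, but with a different hash: a conflict.
Set-Content (Join-Path $in 'resellerC.csv') @($h, 'SN-0001,,CONSTRUCTED-HASH-ZZZ')
# A file produced with the wrong headings.
Set-Content (Join-Path $in 'wrongtool.csv') @('Serial,Hash', 'SN-0009,CONSTRUCTED-HASH-QQQ')

$combined = Join-Path $work 'AutoPilotHWID-combined.csv'
$count = Merge-AutopilotCsv -SourceFolder $in -OutputFile $combined
"Rows written: $count"
Get-Content $combined
```

The warnings name every skipped file, row and serial number, so the exclusions can be followed up before the combined file is uploaded.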

The device can then be delivered to the end user. The IT department does not need to touch the device; it can go
straight to the end user. When the user receives the device, they will log in with their email address and password.

The end user will choose the appropriate language, keyboard, and locale, and will need to connect to either a
wireless or wired network, or both. Once the user connects to the network, Autopilot will finish the setup tasks,
including privacy settings, Cortana settings, and other OOBE settings. Once the OOBE settings have finished,
Windows Intune will push any configured apps to the device.

You should not run the AzureInventory_V2.ps1 script. This script is used to create a CSV of the objects in Azure.

You should not have the user select Cortana and Privacy settings. Windows Autopilot takes care of those decisions
and other OOBE user prompts during auto-enrollment.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Gather Windows 10 Autopilot info in Azure Blob Storage during wipe and reload – Modern IT – Cloud – Workplace
(oliverkieselbach.com)

Overview of Windows Autopilot | Microsoft Learn

Create device groups for Windows Autopilot - Microsoft Intune - Microsoft Intune | Microsoft Learn

Windows Autopilot Reset | Microsoft Learn


Question #18 of 45 Question ID: 1561429

You plan to use Windows Autopilot to add several Windows 10 devices to Azure AD. These devices will be joined
automatically to Azure AD.

What information is required from the device?

A) Computer name and MAC address

B) IP address and MAC address

C) Computer name and license key

D) Device serial number and hardware hash

E) Computer name and IP address

Explanation

In the Azure Portal or the Azure Active Directory administrative center, you can choose Device Enrollment and
import a CSV file that contains a list of devices that you want to add. The file should contain serial numbers,
hardware hashes, Windows Product IDs, and optional order IDs. You can only have a maximum of 175 rows in the
CSV file.

All other answers are incorrect. Computer name, MAC address, and IP address are not needed in the CSV file.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Create device groups for Windows Autopilot - Microsoft Intune - Microsoft Intune | Microsoft Learn

Question #19 of 45 Question ID: 1561534

You have recently joined the Nutex Corporation as the Microsoft Intune administrator. Microsoft Intune is used to
manage the office email accounts and apps on the employees’ mobile devices. Some employees use Android
Enterprise licenses, but new hires do not have these licenses. You are asked to develop a plan to implement app
configuration policies for all employees.

Which of the following statements about app configuration policies available with Microsoft Intune are TRUE?
(Choose all that apply.)

A) App configuration policies can only be applied to mobile devices enrolled in Intune.

B) An app configuration policy must always complement an equivalent app protection policy.

C) Configuration settings in an app configuration policy can be overridden by users.

D) App configuration policies allow organizations to adopt apps easily and quickly.

Explanation

The following statements are true:

App configuration policies allow organizations to adopt apps easily and quickly.
Configuration settings in an app configuration policy can be overridden by users, especially when the setting is
related to a user preference.

App configuration policies help organizations eliminate app setup problems by auto-configuring apps when the users
install them on their devices. For apps with app configuration policies, users do not need to take action. App
configuration policies also reduce help desk calls from users for issues related to app settings.

If a configuration setting in an app configuration policy is related to a user preference, then the user can override the
preference. This may depend on the app and the related configuration setting. For example, with Outlook for iOS
and Android, users can override the Focused Inbox app configuration setting. Depending on the app, configuration
settings can also be set to be overridden by users.


App configuration policies can be applied to mobile devices whether they are enrolled in Intune or not. The
configuration in an app configuration policy can be delivered through the Mobile Device Management (MDM) OS
channel on enrolled devices (which includes the Managed App Configuration channel for iOS or the Android in the
Enterprise channel for Android) or through the Mobile Application Management (MAM) channel. To create and apply
an app configuration policy to enrolled devices, select Managed devices as the Device enrollment type for the
policy. To create and apply an app configuration policy to other devices, select Managed apps as the Device
enrollment type for the policy and use an Intune app protection policy to protect app data.

An app configuration policy does not have to be complemented by an equivalent app protection policy. App
configuration policies are defined and applied at the level of an app. App protection policies can be defined and
applied to all apps on all devices, apps on devices of selected OSes, public apps, and custom apps. App
configuration and app protection policies can be applied at different stages of the app lifecycle in Intune.

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Microsoft Learn > Microsoft Intune > Intune service > Apps > App configuration policies for Microsoft Intune > Apps
that support app configuration

Microsoft Learn > Microsoft Intune > Intune service > Apps > How to create and assign app protection policies

Microsoft Learn > Microsoft Intune > Intune service > Apps > Overview of the app lifecycle in Microsoft Intune

Question #20 of 45 Question ID: 1564861

You are the administrator for the Verigon Corporation. Verigon has purchased another company, Metroil, and will
integrate the company into the Verigon domain. You have installed Windows 11 on several computers. Windows 7 is
stored in the c:\Windows.old directory. You have attached an external drive to each computer.

You want to perform an offline migration of all user state settings. You want to make sure that the user settings for all
metroil domain users who logged on the computer under the previous version of Windows will NOT appear on the
new installation of Windows 11.

What commands should you run? (Choose two.)

A) scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml /v:13 /offlinewindir:c:\windows.old /ue:*\* /ui:*

B) loadstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml /v:13 /offlinewindir:c:\windows.old /ue:*\* /ui:*

C) scanstate /i:migapp.xml /i:miguser.xml /offlinewindir:c:\windows.old /ue:*\* /ui:*

D) scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml /v:13 /offlinewindir:c:\windows.old /ue:metroil\*

E) loadstate /i:migapp.xml /i:miguser.xml /offlinewindir:c:\windows.old /ue:*\* /ui:*

F) loadstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml /v:13 /offlinewindir:c:\windows.old /ue:metroil\*

Explanation

You should run the following commands:

scanstate /i:migapp.xml /i:miguser.xml /offlinewindir:c:\windows.old /ue:*\* /ui:*

loadstate /i:migapp.xml /i:miguser.xml /offlinewindir:c:\windows.old /ue:*\* /ui:*

You can run the scanstate command on a computer that is offline by booting the computer to the Windows
Preinstallation Environment (Windows PE). If the computer already has Windows 10 installed, but has a previous
version of Windows stored in another directory, you can use scanstate to retrieve the user state settings from a
previous Windows directory and store the information. After all applications are reinstalled, you should run loadstate
to restore any personal files and user state settings.

You can use the /i: parameter to specify MigApp.xml, MigSys.xml, MigUser.xml, or any custom .xml file. The
MigApp.xml file is used to control which application settings are migrated. The applications specified in this file can
be included or excluded from the migration. The MigUser.xml file is used to identify which user folders, files, file
types, and desktop settings are migrated. The MigSys.xml file was typically only used for Windows XP targets, and
contains information that controls operating systems and browser settings to be migrated.

The Config.xml file is a custom file that is created by using the /genconfig special switch with the scanstate
command. You can use this option to generate a custom configuration file that meets organizational requirements.
You can use the Config.xml file to exclude certain operating-system settings.

You should run scanstate on a computer to retrieve the user state settings from a previous Windows directory. You
can specify either the /offlinewindir: or /offlinewinold: parameters.

/offlinewindir: – This specifies the offline Windows directory to retrieve the user state from. You must specify
the correct path, such as C:\WINDOWS.OLD or C:\WINDOWS.001
/offlinewinold: – This parameter is intended to be used only if the offline Windows directory is set to
WINDOWS.OLD.

You can specify which users to include in a migration. You can use the following parameters to include or exclude
users.

/all: – Migrates all user accounts that are on the computer. This is the default option. This parameter cannot be
used with the /genconfig parameter.
/ui: – Migrates users that you include. This parameter cannot be used with the /genconfig parameter.
/ue: – Allows you to exclude users from being migrated. This parameter cannot be used with the /genconfig
parameter.

You can use /ue:*\* /ui:* to exclude all domain users and include only local (non-domain) users.

You should not run the following scanstate commands:

scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml /v:13 /offlinewindir:c:\windows.old /ue:metroil\*

or

scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml /v:13 /offlinewindir:c:\windows.old /ue:*\* /ui:*

In these statements, the /genconfig parameter and the /ue parameter are used together. These parameters cannot
be used together.

You should not run the following loadstate commands:

loadstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml /v:13 /offlinewindir:c:\windows.old /ue:*\* /ui:*

or

loadstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml /v:13 /offlinewindir:c:\windows.old /ue:metroil\*

In these statements, the /genconfig parameter and the /ue parameter are used together. These parameters cannot
be used together.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft Deployment Toolkit (MDT)

References:

Microsoft Learn > Microsoft 365 > Windows > Deployment > User State Migration Tool (USMT) Overview

Microsoft Learn > Microsoft 365 > Windows > Deployment > Config.xml File

Microsoft Learn > Microsoft 365 > Windows > Deployment > User State Migration Tool (USMT) command-line
syntax


Question #21 of 45 Question ID: 1561525

You have recently joined the Nutex Corporation as the Microsoft 365 Administrator. Nutex is a startup company in
the IT Services sector. You are tasked with developing a strategy to deploy and manage the Microsoft 365 apps.
You plan to use the Microsoft 365 Apps admin center to accomplish this.

Which of the following statements about the servicing profile feature in Microsoft 365 Apps admin center are TRUE?
(Choose all that apply.)

A) Servicing profiles can be configured to deploy and update Microsoft 365 apps on endpoints.

B) Servicing profiles can be configured to roll out updates in different phases.

C) Servicing profiles cannot roll back versions.

D) An app configuration deployed using Microsoft Endpoint Manager takes precedence over a servicing profile on an endpoint.

E) Devices that use Microsoft 365 apps must be part of the inventory of the Microsoft 365 Apps admin center.

Explanation

The following statements are true:

Devices that use Microsoft 365 apps must be part of the Microsoft 365 Apps admin center inventory.
Servicing profiles can be configured to roll out updates in different phases.

Devices that use Microsoft 365 apps must be part of the inventory in the Microsoft 365 Apps admin center; this
is a prerequisite for applying a servicing profile to a device. From the admin center Inventory page, you can also
get insights into Office builds, Office Update channels, and Office add-ins on endpoints.

Servicing profiles can include up to three rollout waves (at the time of writing), with each wave specifying the Azure
AD groups that get the updates and the duration between the rollouts.

Servicing profiles on a device take precedence over app configurations deployed using tools such as the Office
Deployment Tool or Microsoft Endpoint Manager, not the other way around.

The servicing profile can be configured to roll back versions. A rollback can be triggered at the level of devices or
Azure AD groups. With a rollback scheduled, the target endpoint is automatically rolled back to the previous version
when connected to the Internet. Endpoints rolled back will stay on the previous version until the next version of
Monthly Enterprise Channel is released.

The servicing profile cannot be configured to deploy Microsoft 365 apps on endpoints. In the Microsoft 365 Apps
admin center, apps are deployed using the Office Customization Tool and are updated using servicing profiles. The
Office Customization Tool can be configured to install the updates automatically.

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Microsoft Learn > Microsoft 365 > Deploy Office > Microsoft 365 Apps admin center > Overview of inventory in the
Microsoft 365 Apps admin center

Microsoft Learn > Microsoft 365 > Deploy Office > Microsoft 365 Apps admin center > Overview of servicing profile
in the Microsoft 365 Apps admin center

Microsoft Learn > Microsoft 365 > Deploy Office > Overview of the Microsoft 365 Apps admin center

Question #22 of 45 Question ID: 1561431

You are an enterprise admin for the Verigon Company.

You are preparing for a large-scale deployment of Windows 10 devices using Autopilot and Intune. You have already
configured Microsoft Intune for auto-enrollment. You have also registered the devices within Intune and assigned
them to a device group.

Click on the correct page within the Microsoft Endpoint Manager admin center to begin the next step in the
enrollment process in order to complete the deployment.


A) 885,652,1322,765

B) 419,292,856,428

C) 419,791,857,904

D) 419,652,861,763

Explanation

The next step in the deployment process is to create a Windows Autopilot profile. To do so, go to Devices > Device
enrollment | Enroll devices > Windows enrollment > Windows Autopilot Deployment Program | and select
Deployment Profiles.


You would not choose the Intune Connector for Active Directory. This option configures a device to be on-premises
and Active AD joined.

You would not choose Devices. This option will not complete the deployment process; it allows you to manage
devices in Windows Autopilot.

You would not choose Automatic Enrollment. This option allows Windows devices to join or register with Azure
Active Directory.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Demonstrate Autopilot deployment - Windows Deployment | Microsoft Learn


Question #23 of 45 Question ID: 1561450

You are the administrator for the Metroil Corporation. Your company has purchased 40 new laptops. You plan to give
the 40 new laptops to Sales employees who have been promoted. You also plan to hire 40 new employees in the
Payroll department. The old laptops formerly used by the Sales employees will be reallocated to the new Payroll
employees. All new and existing laptops will have Windows 11 installed.

You are installing Windows 11 on the new laptops. Which command should you run ONLY on the new computers to
restore the user accounts and settings for the Sales employees?

Explanation

Acceptable answer(s) for field 1:

loadstate
loadstate.exe

The loadstate command loads the saved user accounts and settings to the computers. This command should be
run on the new computers after you run the scanstate command on the old computers to obtain the user accounts
and settings. The scanstate command obtains the user accounts and settings from computers. This command
should be run on the old computers.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft Deployment Toolkit (MDT)

References:

Microsoft Learn > Microsoft 365 > Windows > Deployment > User State Migration Tool (USMT) command-line
syntax

Microsoft Learn > Microsoft 365 > Windows > Deployment > Windows 10 deployment scenarios and tools

Microsoft Tech Community > Windows > Tools to support Windows 11 deployment

Microsoft Learn > Microsoft 365 > Windows > Deployment > LoadState syntax

Microsoft Learn > Microsoft 365 > Windows > Deployment > ScanState syntax


Question #24 of 45 Question ID: 1561422

You are the project manager for a large scale PC refresh migration involving up to 5,000 machines. The machines
will run Windows 10 Pro as well as Office applications. One of the objectives of the project is to migrate existing user
accounts, user files, and application settings. The project has a tight deadline so you need to streamline the process
as much as possible.

Which of the following tools will achieve the stated objective?

A) PCmover Express

B) Readiness Toolkit for Office add-ins and VBA

C) Microsoft Deployment Toolkit

D) User State Migration Tool

Explanation

You would choose the User State Migration Tool. This tool is used to streamline and simplify user state migrations
during large deployments of Windows operating systems.

You would not choose PCmover Express. While it can be used to migrate user states, it is used only when migrating
a few computers. PCmover Express is third-party software created for Microsoft by Laplink.

You would not choose the Readiness Toolkit for Office add-ins and VBA. It is used to assess application
compatibility with Windows 10, not perform user state migrations.

You would not choose the Microsoft Deployment Toolkit because it is used to create task sequences to deploy new
installs of Windows 10, not perform user state migrations.

Objective:
Deploy Windows client

Sub-Objective:
Prepare for a Windows client deployment

References:

User State Migration Tool (USMT) Overview (Windows 10) - Windows Deployment | Microsoft Learn

Question #25 of 45 Question ID: 1532835

Nutex, Inc. has a hybrid Active Directory (AD) environment. All devices are Windows operating system based.
Microsoft Intune has been configured.


Below are the details for the devices that you want to enroll in Endpoint analytics via Intune.

Device Name | Operating System        | Microsoft Intune Enrolled | Azure AD or Hybrid AD joined
DevicePC1   | Windows 8.1             | No                        | Yes
DevicePC2   | Windows 10 version 1903 | Yes                       | Yes
DevicePC3   | Windows 11              | Yes                       | Yes
DevicePC4   | Windows 10 version 1708 | Yes                       | Yes
DevicePC5   | Windows 11              | Yes                       | No

Which of the following devices can be enrolled in Endpoint analytics via Intune? (Choose all that apply.)

A) DevicePC2

B) DevicePC4

C) DevicePC5

D) DevicePC1

E) DevicePC3

Explanation

In the given scenario, you would be able to enroll DevicePC2 and DevicePC3 in Endpoint analytics via Intune. There
are Intune, endpoint, licensing, and endpoint analytics prerequisites for the enrollment.

Intune device requirements are:

Running Windows 10 version 1903 or later
Running Windows Pro, Pro Education, Enterprise, or Education editions
Azure AD joined or hybrid Azure AD joined
Running the Connected User Experiences and Telemetry service to send required functional data to Microsoft public cloud

Workplace joined or Azure AD registered devices are not supported.

Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Endpoint Manager.

The Intune Service Administrator role is required to start gathering data for endpoint analytics. After data-gathering
begins, it can be viewed by read-only roles. The following additional permissions are used for Endpoint analytics:

The Azure AD Reports Reader role
Read permission with the Help Desk Operator or Endpoint Security Manager Intune roles
Specific role permissions:
  For read-only users: Read permission under the Endpoint Analytics, Organization, or School Administrator categories
  For Intune administrators: all permissions


You can onboard Intune-managed devices from the Endpoint analytics portal by visiting the URL
https://aka.ms/endpointanalytics.

You cannot enroll DevicePC1 and DevicePC4 in Endpoint analytics via Microsoft Intune because they do
not run Windows 10 version 1903 or later. You cannot enroll DevicePC5 because it is not Azure AD joined or hybrid
Azure AD joined.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Monitor devices

References:

Microsoft Learn > Microsoft Intune > Solutions > Quickstart: Enroll Intune devices into Endpoint analytics

Microsoft Learn > Microsoft Intune > Solutions > What is Endpoint analytics?

Question #26 of 45 Question ID: 1561511

You are an enterprise admin for the Verigon Corporation.

You want to deploy security and critical updates for your MDM-enrolled Windows 10 laptops that are being used by
company employees.

Which of the following options will best achieve this objective?

A) Enroll the laptops in the Windows Insider Program for Business Channel.

B) Create a Windows 10 update rings profile in Microsoft Endpoint Manager.

C) Create and populate a Windows 10 update ring using Windows Server Update
Services.

D) Create a Windows 10 feature updates policy in Microsoft Endpoint Manager.

Explanation

You would choose to create a Windows 10 update rings profile in Microsoft Endpoint Manager. A Windows 10
update ring profile is configured in Microsoft Endpoint Manager to deploy quality updates and includes both security
and critical updates. It is a policy of update settings that configures when the updates get installed. Update rings are
supported for operating systems that run Windows 10 version 1607 or later.

You would not choose to create a Windows 10 feature updates policy in Microsoft Endpoint Manager. Windows 10
feature updates introduce new features and functionality to Windows 10 and do not involve security or critical
updates.

You would not choose to create and populate a Windows 10 update ring using Windows Server Update Services
(WSUS). WSUS is not used to update MDM-enrolled machines. It is used in conjunction with Group Policy to update
domain-joined machines.

You would not choose to enroll the laptops in the Windows Insider Program for Business Channel because this is
not used to deploy security and critical updates. It is used to validate feature updates in advance of their release.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device updates for all supported device platforms by using Intune

References:

Learn about using Windows Update for Business in Microsoft Intune | Microsoft Learn

Windows client updates, channels, and tools - Windows Deployment | Microsoft Learn

Question #27 of 45 Question ID: 1564859

You have computers running Windows 7 that are domain-joined to the on-premises domain named nutex.com. You
need to convert these computers to Azure Active Directory-joined computers running Windows 10 by using
Windows Autopilot.

Choose the appropriate steps and place them in the correct order.

Explanation

You should choose the following order of steps:

1. Run Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
2. Run Install-Module AzureAD -Force
3. Run Install-Module WindowsAutopilotIntune -Force
4. Run Connect-AutopilotIntune -user <credentials>.onmicrosoft.com
5. Run Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
6. Create a package containing the JSON file
7. Create a target collection and an Autopilot task sequence
8. Deploy Content to Distribution Points and deploy the OS with Autopilot Task Sequence
9. Run C:\Windows\CCM\SCClient.exe

You should ensure that the latest Windows Management Framework is downloaded and installed on the Windows 7
computers.

Run the following PowerShell commands to install the modules needed for Windows Autopilot:

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module AzureAD -Force
Install-Module WindowsAutopilotIntune -Force

You will then have to provide administrative credentials for Intune:

Connect-AutopilotIntune -user <credentials>.onmicrosoft.com

You must retrieve and display the Autopilot profile available in the specified Intune tenant in JSON format. You
should save the Autopilot profile in the JSON file format. The file has to be named AutopilotConfigurationFile.json
and must be encoded as ASCII/ANSI. Any other file name, such as unattend.json, will cause the process to fail.
You can use the Get-AutopilotProfile cmdlet to retrieve the Autopilot profile:

Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII

You can have multiple JSON profiles. Each file must be named AutopilotConfigurationFile.json, but can be stored
in a different directory from the other profiles. If you use a name other than AutopilotConfigurationFile.json,
Windows 10 OOBE will not follow the Autopilot experience.

Next, you should create a package containing the JSON file. You will use Configuration Manager to create a
package that specifies the name of the package and the source folder containing the
AutopilotConfigurationFile.json file.

If you do not have an existing collection, you will need to create a target collection. This collection must have a
rule to add the target test Windows 7 devices to the new collection.

Next, create an Autopilot for existing devices task sequence using a boot image for Windows 10 1803 or later. You
should configure the task sequence to join a workgroup, not a domain. The task sequence runs the System Preparation
Tool (sysprep) when the Prepare Windows for capture task executes, and sysprep will fail if the target machine is
joined to a domain.

Next, you will deploy the content to distribution points. The distribution point must contain all content required for the
task sequence. You should then deploy the OS with Autopilot Task sequence.

Run C:\Windows\CCM\SCClient.exe on the client computers. This action will open Software Center and allow you
to upgrade the operating system on the computer. Content will be downloaded via the Task Sequence. The
computer will be rebooted, the drives will be formatted, and Windows 10 will be installed. The computer will be
prepared for Autopilot once the task sequence has completed. The device will boot into OOBE and provide an
Autopilot experience.
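
Because a wrong file name or encoding makes OOBE skip the Autopilot experience, it is worth checking the JSON file before it goes into the Configuration Manager package. The following PowerShell function is an added example, not part of the original exam material or of the WindowsAutopilotIntune module; the name Test-AutopilotConfigFile, the demo folder, and the placeholder JSON content are assumptions.

```powershell
# Added example: pre-packaging check for an Autopilot for existing devices profile file.
# Test-AutopilotConfigFile is a hypothetical helper name.
function Test-AutopilotConfigFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $problems = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $problems.Add('File not found')
    }
    else {
        $file = Get-Item -LiteralPath $Path

        # The file must carry exactly this name; unattend.json or any other name fails.
        if ($file.Name -ne 'AutopilotConfigurationFile.json') {
            $problems.Add("Name is '$($file.Name)'; it must be AutopilotConfigurationFile.json")
        }

        $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
        if ($bytes.Length -eq 0) {
            $problems.Add('File is empty')
        }
        else {
            # ASCII text has no NUL bytes and no byte above 0x7F. A UTF-8 or UTF-16
            # byte order mark, UTF-16 text and non-ASCII characters all break this rule.
            $badBytes = @($bytes | Where-Object { $_ -eq 0 -or $_ -gt 0x7F }).Count
            if ($badBytes -gt 0) {
                $problems.Add("$badBytes byte(s) outside 7-bit ASCII (BOM, UTF-16 or non-ASCII text)")
            }
            else {
                # Only parse once the encoding is known to be plain ASCII.
                try {
                    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
                    $null = $text | ConvertFrom-Json -ErrorAction Stop
                }
                catch {
                    $problems.Add("Content is not valid JSON: $($_.Exception.Message)")
                }
            }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Demo with constructed files in a temporary folder (placeholder JSON, not a real profile).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'AutopilotCheckDemo'
foreach ($sub in 'good', 'utf16', 'badname') {
    New-Item -ItemType Directory -Path (Join-Path $demo $sub) -Force | Out-Null
}
$json = '{ "Sample": "constructed placeholder, not a real Autopilot profile" }'

# Written the way the export command on this page does it: -Encoding ASCII.
$json | Out-File (Join-Path $demo 'good\AutopilotConfigurationFile.json') -Encoding ASCII

# Right name, wrong encoding. Windows PowerShell 5.1 writes UTF-16 like this
# by default when -Encoding is left off Out-File.
$json | Out-File (Join-Path $demo 'utf16\AutopilotConfigurationFile.json') -Encoding Unicode

# Right encoding, wrong name.
$json | Out-File (Join-Path $demo 'badname\unattend.json') -Encoding ASCII

Get-ChildItem -Path $demo -Recurse -File |
    ForEach-Object { Test-AutopilotConfigFile -Path $_.FullName } |
    Format-Table Valid, Problems, Path -AutoSize -Wrap

Remove-Item -Path $demo -Recurse -Force
```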

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Windows Autopilot for existing devices | Microsoft Learn

Speeding up Windows Autopilot for existing devices | Microsoft Learn

Question #28 of 45 Question ID: 1561535

You have recently joined the Nutex Corporation as the Microsoft Intune Administrator. The email accounts and apps
on the employees’ mobile devices are managed from Microsoft Intune. Some employees use Android Enterprise
licenses. New hires do not have their licenses yet. You are tasked with creating app configuration policies for all
employees.

Which of the following statements about implementing app configuration policies are TRUE? (Choose all that apply.)

A) Configuration settings for a policy can be created using the configuration designer or JSON.

B) Only devices using Android 9.0 or higher are supported for management
using the Managed apps-type app configuration policy.

C) Auto-updates to apps is a setting that must be explicitly enabled in an app configuration policy.

D) When new app permissions are added to an app, users are prompted to
provide consent for the permissions.

Explanation

The following statements are true:

Configuration settings for a policy can be created using the configuration designer or JSON.
Only devices using Android 9.0 or higher are supported for management using the Managed apps-type app configuration policy.

The configuration designer can be used to create configuration settings for a policy. Managed Google Play apps that
support configuration settings can be configured using the configuration designer; otherwise, you must use the
JSON Editor to enter the values.

You must run at least Android 9.0 to have apps managed in an app configuration policy. If you want to manage
devices that use a version prior to 9.0, you must enroll them in Intune and use a Managed devices-type app
configuration policy.

When new app permissions are added to an app, users are not prompted to provide consent for the permissions.
There are two settings for app permissions: Approval Settings at the time of adding the app as a Managed Google
Play app and Permissions at the time of setting the app permissions in the app configuration policy. Approval
Settings can be set to Keep approved when the app requests new permissions (app usage is not disrupted) and
Revoke app approval when the app requests new permissions (app usage is disrupted). App permissions are
Prompt (ask user consent), Auto grant, and Auto deny.

You cannot enable auto-updates to apps in an app configuration policy. The Update setting of an app depends on
the type of app you add to Intune. Store apps, web apps, and built-in Microsoft apps are updated automatically. You
will need to check the update for new app permissions and configuration settings if you want to configure them in
the app configuration policy.

Objective:
Manage applications

Sub-Objective:
Plan and implement app protection and app configuration policies

References:

Microsoft Learn > Microsoft Intune > Intune service > Apps > Add app configuration policies for managed Android
Enterprise devices

CodeTwo > Microsoft 365 & Exchange Admin's Blog > How to deploy and configure Microsoft Outlook for Android
via Intune: A complete guide

Microsoft Learn > Microsoft Intune > Intune service > Apps > Add apps to Microsoft Intune > App types in Microsoft
Intune

Manage apps in your organization > Manage public apps > Manage app permissions

Question #29 of 45 Question ID: 1561433

The Nutex Corporation has a domain environment running on Windows Server 2019. All workstations in the
organization use Windows 11. You have recently moved to a hybrid Azure Active Directory (Azure AD) environment
and procured a Microsoft Intune subscription.

You are configuring Windows Autopilot user-driven mode to join devices to an on-premises AD domain. What should
you do after the device has been registered with Windows Autopilot?

A) Install the Intune Connector for Active Directory on a Windows Server 2012 R2
or later computer.

B) Install the Intune Connector for Active Directory on a Ubuntu 20.04 or later
computer.

C) Create an Autopilot deployment profile specifying Hybrid Azure AD joined.

D) Create an Autopilot deployment profile specifying Azure AD joined.

E) Install the Intune Connector for Active Directory on a Windows 11 computer.

Explanation

In the given scenario, you should create an Autopilot deployment profile specifying Hybrid Azure AD joined to join
the devices to Azure AD.

In the Create Profile blade for user-driven mode, the Join to Azure AD as drop-down list includes an option named
Hybrid Azure AD joined. You should select this option from the drop-down list, as shown in the exhibit.

Once you have created the Autopilot deployment profile, you should install the Intune Connector for Active Directory
on a computer running Windows Server 2016 or higher. The Intune Connector for Active Directory communicates
with your on-premises domain controller during the Windows Autopilot process. The Intune Connector for Active
Directory does not run on a Linux based server such as Ubuntu or Red Hat.

You would not create an Autopilot deployment profile specifying Azure AD joined as the method by which you
would like to join devices to Azure AD. This scenario talks about a hybrid environment. You should select the Azure
AD joined method when you have only the Azure AD environment.

You would not install the Intune Connector for Active Directory on a computer running Windows 11. You should
install the Intune Connector for Active Directory once you have created an Autopilot deployment profile. However,
the connector should be installed on a computer running Windows Server 2016 or later, not on Windows 11 or any
other client operating system.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Microsoft Tech Community > Windows IT Pro Blog > Windows Autopilot: Hybrid Azure AD join and automatic
registration

Microsoft Learn > Microsoft Intune > Solutions > Configure Autopilot profiles

Microsoft Learn > Microsoft Intune > Solutions > Windows Autopilot user-driven mode

Question #30 of 45 Question ID: 1564865

The Nutex Corporation has an Azure AD environment. All users are licensed for Office 365. As a laptop
administrator, you plan to ship Windows 10 Enterprise laptops to all new employees. The laptops are configured
such that all the users need to do is complete the setup during their first-run experience (FRX).

When the new employee turns on the computer, they will see a Getting Ready message, and then they will be
prompted to configure the region, including country, language, and keyboard. Next, they MUST accept the terms of
the Microsoft Software License agreement.

What are the next steps required so that the devices join Azure AD during the FRX process? (Choose all steps that
apply and place them in the correct order on the right.)

Explanation

You should choose the following:

1. Have the users choose This device belongs to my organization.
2. Have the users log in with their Office 365 usernames and passwords.

When the new employee turns on the computer, they will see a Getting Ready message, and then they will be
prompted to configure the proper region including country, language, and keyboard. Next, they MUST accept the
terms of the Microsoft Software License agreement.

You should instruct the users to choose This device belongs to my organization. This will take them to the Office
365 credentials page.

You must have the users log in with their Office 365 usernames and passwords. This is all that is required of the end
user to have the device join Azure AD.

You should not have users choose Set up Windows with a local account. That would only be applicable for non-
joined devices. It is difficult to "undo" this selection if it is made in error.

You do not need to synchronize users with Azure AD Connect, unless this is a hybrid environment, which is not stated
in the scenario.

You do not need to implement certificate-based authentication. You cannot use certificate-based authentication to
join devices to Azure AD.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:

Join a new Windows 10 device with Azure AD during the out of box experience - Microsoft Entra | Microsoft Learn

Plan your Azure Active Directory join deployment - Microsoft Entra | Microsoft Learn

Question #31 of 45 Question ID: 1564880

Dreamsuites Incorporated has adopted Microsoft Intune to manage access on their Windows 10 devices. As a
security administrator, you have been asked to prevent all devices from using JavaScript on certain sites in
Microsoft Edge. You begin your setup by creating a device profile.

What options will you configure, at a minimum? (Choose all that apply.)

A) The Profile Type property

B) The Platform property

C) The Device Configuration Setup property

D) The Settings property

E) The Scope Tag property

Explanation

You will need to configure the Platform property. You can configure the following platforms for your devices:

Android
Android Enterprise
iOS
macOS
Windows 10 and later
Windows 8.1 and later

For this scenario, you would choose Windows 10 and later.

You will need to configure the Profile Type property. This list changes based on the platform chosen.

You will not need to configure the Device Configuration Setup property. This property would allow you to add a
certificate authority, which is not indicated in the scenario. To create a new profile, you would choose the Manage
option of Device Configuration.

You will not need to configure the Settings property for this scenario. These settings relate to usage of the device
itself, such as connecting to the App Store or allowing Bluetooth connectivity.

You will not need to configure the Scope Tag property for this scenario. Scope tags assign and filter policies to
specific groups.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Create device profiles in Microsoft Intune | Microsoft Learn

Assign device profiles in Microsoft Intune | Microsoft Learn

Question #32 of 45 Question ID: 1561443

You are an enterprise admin for the Verigon Company.

You are preparing a PC refresh for 200 computers. You are configuring your MDT server for a Lite Touch
deployment strategy due to the large number of client machines involved.

Which of the following types of repository should you use to distribute the necessary setup files and scripts?

A) Create a bootable image using MDT offline deployment media.

B) Create a web-based share in Azure blob storage.

C) Create a deployment share on the MDT server.

D) Create a configuration profile using Microsoft Endpoint Manager.

Explanation

You would choose to create a deployment share on the MDT server. A deployment share is a folder on the server
that is shared and contains all the setup files and scripts needed for the deployment solution. It is required for Lite
Touch deployments.

You would not choose to create a bootable image using MDT offline deployment media. Offline MDT deployment
media should only be used for small environments that have no open connections to the MDT server.

You would not choose to create a configuration profile using Microsoft Endpoint Manager. MDT does not integrate
with MDM solutions such as Microsoft Endpoint Manager, so they cannot be used to distribute the required
deployment files.

You would not choose to create a web-based share in Azure blob storage because you cannot use Azure blob
storage to distribute files used in an MDT deployment.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using the Microsoft Deployment Toolkit (MDT)

References:

Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) - Windows Deployment | Microsoft Learn

Deploy a Windows 10 image using MDT (Windows 10) - Windows Deployment | Microsoft Learn

Question #33 of 45 Question ID: 1564878

You plan to use Intune to provision devices with certificates to access servers and services on your Azure Active
Directory. You want to deploy the trusted root certificate to the provisioned devices. You have 25 Android
devices, 25 iPad devices, and 93 Windows 11 devices.

Question A: What type of template should you configure for your configuration profile?

Question B: How many certificate profiles should you create?

Drag the answer to the appropriate question.

Explanation

You should create a configuration profile for every platform. In this scenario, you will need three configuration
profiles, one for the Android devices, one for the Windows 11 devices, and one for the iPad devices.

You should choose the Trusted certificate template after you choose Templates as your Profile Type.

When you choose Trusted certificate, you can specify that the certificate will be stored in the Computer
certificate store, either as a Root certificate or as a certificate from a CA intermediate to the Root CA. You can
also store the certificate in the User certificate store.

You should not choose a SCEP certificate as the template. A Simple Certificate Enrollment Protocol (SCEP)
certificate enables certificate-based authentication for resources but does not deploy a root CA to your devices.

You should not choose PKCS imported certificate as the template. This template configures an imported public key
pair (PKCS) certificate to enable email encryption through S/MIME in your email profiles.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Create trusted certificate profiles in Microsoft Intune | Microsoft Learn

Configure infrastructure to support SCEP certificate profiles with Microsoft Intune | Microsoft Learn

Question #34 of 45 Question ID: 1564870

You are a system administrator for your organization. They have an Azure AD environment. All workstations in your
organization are running the Windows 11 operating system and joined to Azure AD, and all devices are registered
with Microsoft Intune.

You are configuring a compliance policy to protect your organization’s resources from devices that are non-
compliant with your organization’s security policies. You have created a notification message template that will be
used to send an email to users when their device is non-compliant.

While configuring a compliance policy, which of the following Actions of noncompliance should you configure to
remove all company data from the device and remove the device from Intune management?

A) Remotely lock the noncompliant device

B) Send push notification to end user

C) Send email to users

D) Retire the noncompliant device

Explanation

In the given scenario, you should configure Actions of noncompliance and set the Action to “Retire the
noncompliant device”. Then you would enter 0 days under Configure a Schedule for the grace period.

To add Actions of noncompliance, you should follow these steps:

1. Log in to Microsoft Endpoint Manager admin center.
2. Select Devices > Compliance policies > Policies, choose one of your policies, and then select Properties.
3. Select Actions for noncompliance > Add.
4. Select your Action: Retire the noncompliant device. Selecting this option will remove all company data from
   the device and remove the device from Microsoft Intune management.
5. Configure a Schedule: Enter the number of days (0 to 365) after noncompliance to trigger the action on the
   users' devices.
6. When finished, select Add > OK to save your changes.

Selecting the “Send email to users” action will not work in the given scenario. This option will only send a
notification email when the device is non-compliant. It can be configured with other Actions of noncompliance.
Configuring this option alone will not ensure company data is removed from the device and the device is removed
from Intune management.

Selecting the “Remotely lock the noncompliant device” action will not work in the given scenario. This option
will only lock the device when the device is non-compliant. It can be configured with other Actions of
noncompliance. Configuring this option alone will not ensure company data is removed from the device and the
device is removed from Intune management.

Selecting the “Send push notification to end user” action will not work in the given scenario. This option will
send a notification about non-compliance to a device through the company portal app or Intune app on the device.
This option can be configured with other Actions of noncompliance. Configuring this option alone will not ensure
company data is removed from the device and the device is removed from Intune management.

Objective:
Manage identity and compliance

Sub-Objective:
Implement compliance policies for all supported device platforms by using Intune

References:

Microsoft Learn > Microsoft Intune > Intune service > Protect > Configure actions for noncompliant devices in Intune

Question #35 of 45 Question ID: 1564867

You have an Azure tenant named Nutex.com. The tenant users are synchronized from the on-premises Active
Directory named Nutex.com. You need to elevate a user with the UPN name deborah@nutex.com to become a
local administrator on a Windows 11 device named Win-Nutex5.

You type the following at the command prompt.

Drag the missing commands or parameters to the appropriate letter.

Explanation

You should type the following:

net localgroup administrators /add "Nutex\Deborah"

The net localgroup command allows you to add users to a group. In this scenario, you add a user to the
Administrators local group on the Windows 11 device named Win-Nutex5. Since the tenant user,
deborah@nutex.com, is synchronized from the on-premises Active Directory, you will use the /add parameter and
specify “Nutex\deborah” as the account. If the tenant user had been created in Azure AD and not in an on-premises
Active Directory, you would use the /add parameter and specify “AzureAD\deborah@nutex.com” as the account. In this
scenario, the tenant users are synchronized from the on-premises Active Directory and not created in Azure AD.

You would not use the net user command. This command allows you to create, delete, or modify a user account but
not change the group affiliation of a user.

You would not use the net use command. This command is used to map drives to shared volumes.

You should not use the /add parameter and specify 'Win-Nutex5\Deborah' as the account. This parameter would
specify a local account named Deborah on the Windows 11 device as a member of the local Administrators group
instead of an Active Directory user from the Nutex domain.

Objective:
Manage identity and compliance

Sub-Objective:
Manage identity

References:

How to manage local administrators on Azure AD joined devices - Microsoft Entra | Microsoft Learn

Question #36 of 45 Question ID: 1564873

You have computers that run Windows 10 Cloud. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune. You need to perform the following:

Upgrade the computers to Windows 10 Enterprise
Create a WiFi profile
Block JavaScript on certain sites in Microsoft Edge

What should you configure in Intune?

A) A device configuration profile

B) A device enrollment policy

C) A device compliance policy

D) A device cleanup rule

Explanation

You should set a device configuration profile. A device configuration profile allows you to do the following:

Perform edition upgrades, such as going from the Cloud edition to the Enterprise Edition or going from the Pro
Edition to the Enterprise edition
Manage software updates, even when the updates are installed
Allow or prevent access to Bluetooth on the device
Set up a VPN or WiFi profile
Use a profile template that blocks JavaScript on certain sites in Microsoft Edge.

You should not configure a device enrollment policy. A device enrollment policy specifies how a device can be
enrolled. You can use a device enrollment policy to restrict the devices from enrolling by platform such as Android,
Windows or iOS. You can also specify settings on enrollment such as if reset is required, whether user affinity is
used, or device is locked.

You should not use a device cleanup rule. A cleanup rule can be used to specify what to do with a device when it is
no longer needed, such as wiping the device or retiring the device.

A device compliance policy allows devices to meet compliance requirements. With a device compliance policy, you
can define rules and settings for compliance for security settings, such as:

The device has not been rooted.
The device has a minimum version of the operating system.
The device is at or under a specific threat level.
Users must use a password to access company data on a mobile device.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Device features and settings in Microsoft Intune | Microsoft Learn

Question #37 of 45 Question ID: 1561494

You manage 100 computers that run Windows 10 for the Nutex Corporation. All of the computers are enrolled in
Microsoft Intune. You manage the servicing channel settings of the computers by using Intune. You need to view
detailed information on the following:

Device status for the update ring
User status for the update ring

You need to review the servicing status of a computer.

Click the exhibit to choose the correct option that will allow you to do this.

Explanation

You should choose Software Updates. From there, you can choose Windows 10 Update Rings. In the Monitoring
section, you can view detailed information about the update ring for the Device Status and User Status.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Use Windows Update for Business reports for Windows Updates in Microsoft Intune - Microsoft Intune | Microsoft
Learn

Question #38 of 45 Question ID: 1564862

You are the remote desktop administrator for the nutex.com domain. You have several RemoteApps that users
need to run on their mobile devices.

Which of the following are TRUE regarding remote desktop clients?

A) You must run at least the iOS 4.x operating system on an iPad to run the
remote desktop client.

B) You must run at least the iOS 5.x operating system on an iPad to run the
remote desktop client.

C) You must run at least Android 4.1.x (Jelly Bean) operating system on an
Android device to run the remote desktop client.

D) You must run at least Android 3.2.6 (Honeycomb) operating system on an
Android device to run the remote desktop client.

E) You must run at least the iOS 6.x operating system on an iPad to run the
remote desktop client.

F) You must run at least Android 4.0.4 (Ice Cream Sandwich) operating
system on an Android device to run the remote desktop client.

G) You must run at least the Android 2.3.7 (Gingerbread) operating system on an
Android device to run the remote desktop client.

Explanation

The Remote Desktop client can be used on Android devices, iOS devices, Windows phones, and Windows clients.
You must run at least the iOS 6.x operating system on an iPad or any iOS device to run the Remote Desktop client.
You must run at least Android 4.1.x (Jelly Bean) operating system on an Android device to run the Remote Desktop
client.

All other answers are incorrect.

Objective:
Deploy Windows client

Sub-Objective:
Configure remote management

References:

Microsoft Learn > Windows Server > Remote desktop services > Remote Desktop clients for Remote Desktop
Services and remote PCs

Microsoft Learn > Windows Server > Remote desktop services > Get started with the Android client

Question #39 of 45 Question ID: 1561490

The security team of the Nutex Corporation has noticed that there is a security flaw in the Google Chrome browser.
The security team proposes to use a third-party ADMX file. You need to ensure that the policy information that can
fix the flaw can be ingested into the Windows 10 device by using OMA-URI. The ingested ADMX files will be
processed into MDM policies.

You want the ADMX files to modify the registry of the computers that are managed by Intune. What should you
configure in Intune?

Explanation

You should choose the following:

You would need to download the necessary ADMX templates to update the registry. If you are trying to replace an
existing ADMX file instead of creating a new ADMX file, you should delete any profiles that have the existing ADMX
settings. You would then add the ADMX templates and any associated ADML files by importing them into Intune.
You can use the Intune admin center to import them by choosing Devices > Configuration profiles > Import ADMX >
Import:

You will then need to create a profile that will be used by the Windows clients. You should choose Windows 10 or
later as the platform. You should choose Import Administrative templates as the profile.

You should not choose Device Restriction as the profile type because the ADMX file is not a restriction but a
custom add-on.

You should not choose Device Compliance from the Intune menu. Adding a custom ADMX is not a compliance
issue, but rather a configuration issue.

You should not choose Devices from the Intune menu. From the Devices panel, you can choose to perform actions
on devices enrolled in Intune such as retire or wipe a device. You cannot use the Devices panel to add a custom
ADMX.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage device configuration for all supported device platforms by using Intune

References:

Import custom and third party partner ADMX templates in Microsoft Intune | Microsoft Learn

Understanding ADMX policies - Windows Client Management | Microsoft Learn

Deep dive ingesting third-party ADMX-files – All about Microsoft Intune (petervanderwoude.nl)

Intune: Deploying ADMX-Backed policies using Microsoft Intune | Microsoft Learn

Use ADMX templates on Windows 10/11 devices in Microsoft Intune | Microsoft Learn

Question #40 of 45 Question ID: 1561487

The Nutex Corporation has several devices that are running Windows 10 version 1709 or later. You need to restore
the devices to the factory default settings by wiping the devices.

What is retained during the wipe and what is not retained during the wipe?

Move the objects from the column on the left to the appropriate column on the right.

Explanation

The Wipe action is intended to reset a device to its factory default settings. When a wipe is performed the following
actions take place:

Retained during a wipe:
User accounts associated with the device
Machine state (domain join, Azure AD-join)
Mobile device management (MDM) enrollment
OEM-installed apps (store and Win32 apps)
User profile
User data outside of the user profile
User autologon

Not retained:
User files
User-installed apps (store and Win32 apps)
Non-default device settings

When a wipe is performed you can set the Retain enrollment state and user account and the Remove from
Intune Management option. The following displays the effects of these options with the Wipe action:

Wipe action: Wipe
Retain enrollment state and user account: Not checked
Removed from Intune management: Yes
Description: Removes all user accounts, data, MDM policies, and settings. Resets the operating system to its
default state and settings.

Wipe action: Wipe
Retain enrollment state and user account: Checked
Removed from Intune management: No
Description: Removes all MDM Policies. Retains user accounts and data. Resets user settings back to default.
Resets the operating system to its default state and settings.

Objective:
Manage, maintain, and protect devices

Sub-Objective:
Manage the device lifecycle in Intune

References:

Retire or wipe devices using Microsoft Intune | Microsoft Learn

Reset Windows 10 devices with Microsoft Intune | Microsoft Learn

Question #41 of 45 Question ID: 1561526

You have recently joined the Nutex Corporation as the Microsoft 365 Administrator. Nutex is a growing company in
the IT Services sector with over 100 employees. They use Microsoft Intune to manage all employees’ endpoints.

The IT Administration team has recently discovered shadow IT and initiated the deployment of the licensed
version of the Microsoft 365 apps on the endpoints using Intune. Some employees cannot use the licensed version
of the Microsoft 365 apps deployed from Intune.

Which of the following are probable causes of this issue? (Choose all that apply.)

A) Existing apps are running on the endpoints.

B) The endpoints are not enrolled in Intune.

C) The app assignment is missing some endpoints.

D) There are multiple app assignments with different sets of apps in the
suites.

E) The Remove MSI feature was used to remove existing apps.

Explanation

The following are reasons why some employees cannot use the licensed version of the Microsoft 365 apps
deployed from Intune:

There are multiple app assignments with different sets of apps in the suites.
The app assignment is missing some endpoints.
Existing apps are running on the endpoints.

Multiple app assignments from Intune are not additive. The last assignment will clean up the existing assignment
and install the apps. In this case, the last assignment could be using fewer apps than in the former assignment since
the later app assignment overwrites pre-existing installed app assignments.

To remove shadow IT from endpoints, the Intune App suite should typically be set to remove existing apps from
the endpoint. Unless the Microsoft Software Installer (MSI) Office apps are manually removed, the app assignment
will not initiate the deployment of apps from Intune. To manually remove existing apps, you would use the Remove
MSI feature. This feature can remove all Office (MSI) apps from a device.

A prerequisite for Intune app assignments to work is that the existing Microsoft apps on the endpoints must not be in
use. If they are in use, the installation may fail.

The app assignment could be missing some endpoints. Check the app assignment and add another assignment for
the affected users.

Endpoints being enrolled in Intune is a prerequisite to deploying the Microsoft 365 Apps suite from Intune. In this
scenario, it cannot be the cause of the issue as all endpoints are managed by Intune.

Objective:
Manage applications

Sub-Objective:
Deploy and update apps for all supported device platforms

References:

Microsoft Learn > Microsoft Intune > Intune service > Apps > Add Microsoft 365 Apps to Windows 10/11 devices
with Microsoft Intune

Question #42 of 45 Question ID: 1561432

Verigon Corporation is transitioning from the traditional configuration manager (SCCM) and local Active Directory
(AD) to the new "modern" IT. They plan to ultimately move to Intune and Azure AD. As a migration consultant, you
have been asked to suggest the next steps in this co-management goal. All laptops are already running Windows 10
and Office 365.

What steps would you recommend to bridge the transition? (Choose all that apply.)

A) Enable co-management in Configuration Manager

B) Deploy essential security updates using Windows Server Update Services
(WSUS)

C) Stop managing configuration policies through Group Policy

D) Deploy corporate images using Autopilot

E) Use the Windows Update for Business Service component of Windows
Analytics

Explanation

You want to enable co-management in Configuration Manager; you can then slowly transition workloads as needed.
Co-management allows you to attach a Configuration Manager deployment to the Microsoft 365 cloud utilizing
Microsoft Intune, mobile device management (MDM), and Configuration Manager agents.

You will want to begin deploying corporate images using Autopilot. Autopilot can join devices to Azure AD or AD via
hybrid Azure AD join, can customize OOBE content, and create as well as auto-assign device-to-configuration
groups based on the device’s profile.

You will want to use the Windows Update for Business Service component of Windows Analytics to deploy and
manage Windows updates.

You want to stop managing configuration policies through Group Policy. You will use the policies in Intune instead.
Microsoft offers a free tool called Microsoft Migration Analysis Tool (MMAT) that can compare Group Policies for a
target computer and cross-reference them against a built-in list of MDM policies.

You do not want to deploy essential security updates using Windows Server Update Services (WSUS). You want to
move to Windows Update for Business. Windows Update for Business can be configured using Intune and offers a
peer-to-peer distribution technology.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Co-management for Windows devices - Configuration Manager | Microsoft Learn

Modern Windows 10 management strategies, using Configuration Manager and Microsoft Intune - YouTube

Enable co-management - Configuration Manager | Microsoft Learn

Question #43 of 45 Question ID: 1561434

Users in the PC Support group in the IT department enroll devices for employees in the Nutex Corporation. When
the PC Support group accesses the Microsoft Intune company portal, that text appears at the bottom of the sign-in
page. You want to ensure that when the PC Support group visits the sign-in page they view the new legal statement
that the HR department has released.

Which menu option should you choose to configure this? (Click the image to select the correct option.)

A) 34,92,215,125

B) 33,133,216,162

C) 38,247,215,275

D) 34,210,214,238

E) 38,284,211,313

F) 38,322,212,351

G) 34,170,217,200

Explanation

You should choose the Company branding option. The Company branding option is typically used for adding the
company name and logo that appears during the Out-of-Box Experience (OOBE) in Windows Autopilot. With the
Company branding option, you can configure the following:

A background image for the page. The image is limited to 1920x1080 pixels.
A banner logo, which can be the company or department logo.
A Username hint to help users who may have forgotten their username.
Sign-in page text. This text can contain additional information such as a legal statement or a phone number or
email address for the help desk.

All other options are incorrect because you cannot specify the sign-in text on the Company Portal.

Objective:
Deploy Windows client

Sub-Objective:
Plan and implement a Windows client deployment by using Windows Autopilot

References:

Add branding to your organization's sign-in page - Azure AD - Microsoft Entra | Microsoft Learn

INTUNE - Intune and Autopilot Part 3 - Preparing your environment | Microsoft Learn

Question #44 of 45 Question ID: 1561455

You are the remote desktop administrator for the nutex.com domain. You need to copy the list of RemoteApp
programs and deployment settings from one Remote Desktop Session Host (RD Session Host) server to another
RD Session Host server. This server is not part of a server farm.

What must you do to ensure that all users can use the RemoteApp programs on the new server? (Choose all that
apply.)

A) Create new .rdp files for the new RD Session Host server.

B) Manually update the RemoteApp Programs list on the new RD Session
Host server.

C) Manually update the deployment settings on the new RD Session Host server.

D) Disable WMI access to target RD Session Host server.

E) Create Windows Installer packages for the new RD Session Host server.

Explanation

After you export the RemoteApp programs and deployment settings from one RD Session Host server to another,
you will have to create new .rdp files or Windows Installer packages on each RD Session Host server. This step is
not necessary if the server is a member of an RD Session Host server farm. If this is the case, then the files would
be created, but you would need to manually copy the files to the new RD Session Host server farms.

You do not need to manually update the RemoteApp Programs list on the new RD Session Host server. The
RemoteApp Program list is included in the configuration settings that are exported from the RemoteApp Manager.

You do not need to manually update the deployment settings on the new RD Session Host server. The deployment
settings are included in the configuration settings that are exported from the RemoteApp Manager.

Objective:
Deploy Windows client

Sub-Objective:
Configure remote management

References:

TechNet > Windows Server 2008 R2 > Content By Category > Installed Help > Remote Desktop Services >
RemoteApp Manager > Configuring RemoteApp Programs > Manage the RemoteApp Programs List > Export or
Import Configuration

Microsoft Learn > Windows > Windows Package Manager

Importing one or more Remote Desktop Files (.rdp Files)

Question #45 of 45 Question ID: 1561463

You manage devices that run Windows 10 with Azure Active Directory Premium. You need to enable two-factor
authentication on the devices without the use of third-party applications. Users already enter a user ID and
password to log in to their devices.

What other factor(s) should you use? (Choose all that apply.)

A) RSA keys

B) Retinal scan

C) Facial recognition

D) Fingerprint recognition

Explanation

You should use fingerprint recognition or facial recognition. Both two-factor authentication types are supported by
Windows Hello for Business using Azure AD Premium. You can use a user ID and password as the first
authentication factor and a biometric recognition as a second authentication factor.

If your device is joined to a domain, the device itself becomes one of the two factors required for authentication.

You should not use a retinal scan or RSA keys. These options are not supported by Windows 10 or Azure AD
Premium without a third-party application.

Objective:

76 sur 77 2023-07-10, 17:55


MD-102 Exam Simulation https://www.kaplanlearn.com/education/test/print/81333036?testId=25...

Manage identity and compliance

Sub-Objective:
Manage identity

References:

Microsoft Learn > Microsoft 365 > Windows > Security > Windows Hello for Business Deployment Prerequisite
Overview

Microsoft Inside Track > Implementing strong user authentication with Windows Hello for Business
