MD-101.examcollection.premium.exam.

157q

Number: MD-101
Passing Score: 800
Time Limit: 120 min
File Version: 10.0

MD-101

Managing Modern Desktops

Version 10.0

9729F35A67F73FB4F4596D0C36FF13FC
Deploy and Update Operating Systems

Testlet 1

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like
to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time
provided.

To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.

General Overview

Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales,
marketing, research, human resources (HR), development, and IT departments.

Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.

Existing Environment

Current Business Model

The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11 AM to 10 PM.

Litware has a Microsoft System Center 2012 R2 Configuration Manager deployment.

During discovery, the company discovers a process where users are emailing bank account information of its
customers to internal and external recipients.

Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD).
The functional level of the forest and the domain is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.

Litware has the computers shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
The development department uses projects in Azure DevOps to build applications.

Most of the employees in the sales department are contractors. Each contractor is assigned a computer that
runs Windows 10. At the end of each contract, the computer is assigned to a different contractor. Currently, the
computers are re-provisioned manually by the IT department.

Problem Statements
Litware identifies the following issues on the network:

Employees in the Los Angeles office report slow Internet performance when updates are downloading. The
employees also report that the updates frequently consume considerable resources when they are installed.
The Update settings are configured as shown in the Updates exhibit. (Click the Updates button.)
Management suspects that the source code for the proprietary applications in Azure DevOps in being
shared externally.
Re-provisioning the sales department computers is too time consuming.

Requirements

Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers.

Whenever possible, Litware wants to minimize hardware and software costs.

Device Management Requirements

Litware identifies the following device management requirements:

Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications
to untrusted applications.

Technical Requirements
Litware identifies the following technical requirements for the planned deployment:

Re-provision the sales department computers by using Windows AutoPilot.

Ensure that the projects in Azure DevOps can be accessed from the corporate network only.
Ensure that users can sign in to the Azure AD-joined computers by using a PIN. The PIN must expire every
30 days.
Ensure that the company name and logo appears during the Out of Box Experience (OOBE) when using
Windows AutoPilot.

Exhibits

Updates

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 1
You need to capture the required information for the sales department computers to meet the technical
requirements.

Which Windows PowerShell command should you run first?

A. Install-Module WindowsAutoPilotIntune
B. Install-Script Get-WindowsAutoPilotInfo
C. Import-AutoPilotCSV
D. Get-WindowsAutoPilotInfo

Correct Answer: A
Section: (none)
Explanation

9729F35A67F73FB4F4596D0C36FF13FC
Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices

QUESTION 2
HOTSPOT

You need to resolve the performance issues in the Los Angeles office.

How should you configure the update settings? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Note: The default maximum difference from start time has been increased to 18 hours in Windows 10, version
1703. It was previously 12 hours.

Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization
https://2pintsoftware.com/delivery-optimization-dl-mode/

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-activehoursend

QUESTION 3
What should you configure to meet the technical requirements for the Azure AD-joined computers?

A. Windows Hello for Business from the Microsoft Intune blade in the Azure portal.
B. The Accounts options in an endpoint protection profile.
C. The Password Policy settings in a Group Policy object (GPO).
D. A password policy from the Microsoft Office 365 portal.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-
organization

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 4
HOTSPOT

You need to meet the OOBE requirements for Windows AutoPilot.

Which two settings should you configure from the Azure Active Directory blade? To answer, select the
appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)

9729F35A67F73FB4F4596D0C36FF13FC
Explanation

Explanation/Reference:
From the scenario:
Ensure that the company name and logo appears during the Out of Box Experience (OOBE) when using
Windows AutoPilot.

Reference:
https://blogs.technet.microsoft.com/mniehaus/2017/12/22/windows-autopilot-azure-ad-branding/

QUESTION 5
HOTSPOT

You need to meet the technical requirements for Windows AutoPilot.

Which two settings should you configure from the Azure Active Directory blade? To answer, select the
appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset

https://docs.microsoft.com/en-za/azure/active-directory/fundamentals/customize-branding#add-company-
branding-to-your-directory

9729F35A67F73FB4F4596D0C36FF13FC
Deploy and Update Operating Systems

Testlet 2

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like
to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time
provided.

To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.

Overview
Contoso, Ltd, is a consulting company that has a main office in Montreal and two branch offices in Seattle and
New York.

Contoso has the users and computers shown in the following table.

The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.

Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.

The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from
home.

Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active
Directory (Azure AD).

All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.

The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are
managed by using Microsoft Intune.

The naming convention for the computers is the department acronym, followed by a hyphen, and then four
numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.

9729F35A67F73FB4F4596D0C36FF13FC
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer
account is in the Computers OU of its respective department.

Intune Configuration

The domain has the users shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.

The devices enrolled in Intune are shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
Requirements

Planned Changes
Contoso plans to implement the following changes:

Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled
and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.

Technical Requirements
Contoso must meet the following technical requirements:

Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices
that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.

QUESTION 1
HOTSPOT

You need to meet the technical requirements for the new HR department computers.

How should you configure the provisioning package? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-accounts

QUESTION 2
You need to prepare for the deployment of the Phoenix office computers.

What should you do first?

A. Extract the hardware ID information of each computer to a CSV file and upload the file from the Devices
settings in Microsoft Store for Business.
B. Extract the serial number information of each computer to a XML file and upload the file from the Microsoft
Intune blade in the Azure portal.
C. Extract the serial number information of each computer to a CSV file and upload the file from the Microsoft

9729F35A67F73FB4F4596D0C36FF13FC
 Intune blade in the Azure portal.
D. Extract the hardware ID information of each computer to an XLSX file and upload the file from the Devices
settings in Microsoft Store for Business.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
To manage devices through Microsoft Store for Business and Education, you'll need a .csv file that contains
specific information about the devices. You should be able to get this from your Microsoft account contact, or
the store where you purchased the devices. Upload the .csv file to Microsoft Store to add the devices.

Reference:
https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices

9729F35A67F73FB4F4596D0C36FF13FC
Deploy and Update Operating Systems

Question Set 3

QUESTION 1
You manage 1,000 computers that run Windows 10. All the computers are enrolled in Microsoft Intune. You
manage the servicing channel settings of the computers by using Intune.

You need to review the servicing status of a computer.

What should you do?

A. From Device configuration - Profiles, view the device status.

B. From Device compliance, view the device compliance.
C. From Software updates, view the audit logs.
D. From Software updates, view the Per update ring deployment state.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/intune/windows-update-compliance-reports

QUESTION 2
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company uses Windows Autopilot to configure the computer settings of computers issued to users.

A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.

You plan to transfer the computer to a user named User2.

You need to ensure that when User2 first starts the computer, User2 is prompted to select the language setting
and to agree to the license agreement.

Solution: You perform a remote Windows AutoPilot Reset.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset-remote

QUESTION 3

9729F35A67F73FB4F4596D0C36FF13FC
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company uses Windows Autopilot to configure the computer settings of computers issued to users.

A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.

You plan to transfer the computer to a user named User2.

You need to ensure that when User2 first starts the computer, User2 is prompted to select the language setting
and to agree to the license agreement.

Solution: You create a new Windows AutoPilot user-driven deployment profile.

Does this meet the goal?

A. Yes
B. No

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven

QUESTION 4
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company uses Windows Autopilot to configure the computer settings of computers issued to users.

A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.

You plan to transfer the computer to a user named User2.

You need to ensure that when User2 first starts the computer, User2 is prompted to select the language setting
and to agree to the license agreement.

Solution: You create a new Windows AutoPilot self-deploying deployment profile.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

9729F35A67F73FB4F4596D0C36FF13FC
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/self-deploying

QUESTION 5
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You need to ensure that feature and quality updates install automatically on a Windows 10 computer during a
maintenance window.

Solution: In Group policy, from the Maintenance Scheduler settings, you configure Automatic Maintenance
Random Delay.

Does this meet the goal?

A. Yes
B. No

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

QUESTION 6
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You need to ensure that feature and quality updates install automatically on a Windows 10 computer during a
maintenance window.

Solution: In Group policy, from the Windows Update settings, you enable Configure Automatic Updates,
select 4-Auto download and schedule the install, and then enter a time.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 7
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You need to ensure that feature and quality updates install automatically on a Windows 10 computer during a
maintenance window.

Solution: In Group policy, from the Maintenance Scheduler settings, you configure Automatic Maintenance
Activation Boundary.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

QUESTION 8
DRAG DROP

Your company has a computer named Computer1 that runs Windows 10.

Computer1 was used by a user who left the company.

You plan to repurpose Computer1 and assign the computer to a new user. You need to redeploy Computer1 by
using Windows AutoPilot.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

9729F35A67F73FB4F4596D0C36FF13FC
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset

QUESTION 9
HOTSPOT

Your company has an infrastructure that has the following:

A Microsoft 365 tenant

An Active Directory forest
Microsoft Intune
A Key Management Service (KMS) server
A Windows Deployment Services (WDS) server
A Microsoft Azure Active Directory (Azure AD) Premium tenant

The company purchases 100 new computers that run Windows 10.

You need to ensure that the new computers are joined automatically to Azure AD by using Windows Autopilot.

What should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot

QUESTION 10
Your company purchases new computers that run Windows 10. The computers have cameras that support
Windows Hello for Business.

You configure the Windows Hello for Business Group Policy settings as shown in the following exhibit.

What are two valid methods a user can use to sign in? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Facial recognition
B. A smartwatch that is Bluetooth-enabled
C. A PIN

9729F35A67F73FB4F4596D0C36FF13FC
D. A USB key

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://community.windows.com/en-us/stories/windows-sign-in-options

https://fossbytes.com/how-to-unlock-windows-10/

QUESTION 11
You have 10 computers that run Windows 8.1 and have the following configurations:

A single MBR disk

A disabled TPM chip
Disabled hardware virtualization
UEFI firmware running in BIOS mode
Enabled Data Execution Prevention (DEP)

You plan to upgrade the computers to Windows 10.

You need to ensure that the computers can use Secure Boot.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Convert the MBR disk to a GPT disk

B. Enable the TPM chip.
C. Disable DEP
D. Enable hardware virtualization
E. Convert the firmware from BIOS to UEFI.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-
mode

QUESTION 12
Your network contains an Active Directory domain. The domain contains 2,000 computers that run Windows
10.

You implement hybrid Microsoft Azure Active Directory (Azure AD) and Microsoft Intune.

You need to automatically register all the existing computers to Azure AD and enroll the computers in Intune.
The solution must minimize administrative effort.

What should you use?

A. An Autodiscover address record.

B. A Windows AutoPilot deployment profile.

9729F35A67F73FB4F4596D0C36FF13FC
C. An Autodiscover service connection point (SCP).
D. A Group Policy object (GPO).

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Autopilot-Hybrid-Azure-AD-join-and-
automatic/ba-p/286126

QUESTION 13
HOTSPOT

Your network contains an Active Directory domain. The domain contains computers that run Windows 10 and
are enrolled in Microsoft Intune. Updates are deployed by using Windows Update for Business.

Users in a group named Group1 must meet the following requirements:

Update installations must occur any day only between 00:00 and 05:00.
Updates must be downloaded from Microsoft and from other company computers that already downloaded
the updates.

You need to configure the Windows 10 Update Rings in Intune to meet the requirements.

Which two settings should you modify? To answer, select the appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://github.com/MicrosoftDocs/IntuneDocs/blob/master/intune/windows-update-settings.md

https://docs.microsoft.com/en-us/intune/delivery-optimization-windows#move-from-existing-update-rings-to-
delivery-optimization

QUESTION 14
Your network contains an Active Directory domain named contoso.com.

You create a provisioning package named Package1 as shown in the following exhibit.

9729F35A67F73FB4F4596D0C36FF13FC
What is the maximum number of devices on which you can run Package1 successfully?

A. 1
B. 10
C. 25
D. unlimited

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The device name uses a single random number (applied by %RAND:1%). This allows for 10 unique values (0 –
9).

QUESTION 15
HOTSPOT

You have computers that run Windows 10 and are configured by using Windows Autopilot.

A user performs the following tasks on a computer named Computer1:

Creates a VPN connection to the corporate network

Installs a Microsoft Store app named App1
Connects to a Wi-Fi network

You perform a Windows Autopilot Reset on Computer1.

What will be the state of the computer when the user signs in? To answer, select the appropriate options in the

9729F35A67F73FB4F4596D0C36FF13FC
answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:

9729F35A67F73FB4F4596D0C36FF13FC
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset

QUESTION 16
HOTSPOT

Your network contains an Active Directory domain named constoso.com that is synced to Microsoft Azure
Active Directory (Azure AD). All computers are enrolled in Microsoft Intune.

The domain contains the computers shown in the following table.

You are evaluating which Intune actions you can use to reset the computers to run Windows 10 Enterprise with
the latest update.

Which computers can you reset by using each action? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-fresh-start

https://docs.microsoft.com/en-us/intune/devices-wipe

QUESTION 17
You have the 64-bit computers shown in the following table.

You plan to perform an in-place upgrade to the 64-bit version of Windows 10.

Which computers can you upgrade to the 64-bit version of Windows 10 in their current state?

A. Computer2 and Computer4 only

B. Computer4 only
C. Computer3 and Computer4 only
D. Computer1, Computer2, Computer3 and Computer4
E. Computer2, Computer3, and Computer4 only

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios

QUESTION 18
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(AD) and enrolled in Microsoft Intune.

You need to enable self-service password reset on the sign-in screen.

Which settings should you configure from the Microsoft Intune blade?

A. Device configuration
B. Device compliance
C. Device enrollment
D. Conditional access

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

QUESTION 19
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company uses Windows Update for Business.

The research department has several computers that have specialized hardware and software installed.

You need to prevent the video drivers from being updated automatically by using Windows Update.

Solution: From the Device Installation and Restrictions settings in a Group Policy object (GPO), you enable
Prevent installation of devices using drivers that match these device setup classes, and then you enter
the device GUID.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

9729F35A67F73FB4F4596D0C36FF13FC
Explanation/Reference:
References:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-
CC-000024

QUESTION 20
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company uses Windows Update for Business.

The research department has several computers that have specialized hardware and software installed.

You need to prevent the video drivers from being updated automatically by using Windows Update.

Solution: From the Settings app, you clear the Give me updates for other Microsoft products when I
update Windows check box.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
References:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-
CC-000024

QUESTION 21
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company uses Windows Update for Business.

The research department has several computers that have specialized hardware and software installed.

You need to prevent the video drivers from being updated automatically by using Windows Update.

Solution: From the Device Installation settings in a Group Policy object (GPO), you enable Specify search order
for device driver source locations, and then you select Do not search Windows Update.

Does this meet the goal?

A. Yes
B. No

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-
CC-000024

QUESTION 22
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You need to ensure that feature and quality updates install automatically during a maintenance window.

Solution: In Group policy, from the Windows Update settings, you enable Configure Automatic Updates,
select 3 – Auto download and notify for Install, and then enter a time.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

QUESTION 23
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).

You plan to replace the computers with new computers that run Windows 10. The new computers will be joined
to Azure AD.

You need to ensure that the desktop background, the favorites, and the browsing history are available on the
new computers.

Solution: You configure Enterprise State Roaming.

Does this meet the goal?

A. Yes

9729F35A67F73FB4F4596D0C36FF13FC
B. No

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-
reference

QUESTION 24
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).

You plan to replace the computers with new computers that run Windows 10. The new computers will be joined
to Azure AD.

You need to ensure that the desktop background, the favorites, and the browsing history are available on the
new computers.

Solution: You configure roaming user profiles.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles

QUESTION 25
You have a Microsoft Azure subscription that contains an Azure Log Analytics workspace.

You deploy a new computer named Computer1 that runs Windows 10. Computer1 is in a workgroup.

You need to ensure that you can use Log Analytics to query events from Computer1.

What should you do on Computer1?

A. Configure the commercial ID

B. Join Azure Active Directory (Azure AD)
C. Create an event subscription
D. Install the Microsoft Monitoring Agent

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

QUESTION 26
Your company has a Microsoft Azure Active Directory (Azure AD) tenant.

The company has a Volume Licensing Agreement and uses a product key to activate Windows 10.

You plan to deploy Windows 10 Pro to 200 new computers by using the Microsoft Deployment Toolkit (MDT)
and Windows Deployment Services (WDS).

You need to ensure that the new computers will be configured to have the correct product key during the
installation.

What should you configure?

A. a WDS boot image

B. an MDT task sequence
C. the Device settings in Azure AD
D. a Windows AutoPilot deployment profile

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-
mdt#a-href-idsec08astep-8-deploy-the-windows-10-client-image

QUESTION 27
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD). The domain contains 500 laptops that run Windows 8.1 Professional. The users of the laptops work from
home.

Your company uses Microsoft Intune, the Microsoft Deployment Toolkit (MDT), and Windows Configuration
Designer to manage client computers.

The company purchases 500 licenses for Windows 10 Enterprise.

You verify that the hardware and applications on the laptops are compatible with Windows 10.

The users will bring their laptop to the office, where the IT department will deploy Windows 10 to the laptops
while the users wait.

You need to recommend a deployment method for the laptops that will retain their installed applications. The
solution must minimize how long it takes to perform the deployment.

What should you include in the recommendation?

A. an in-place upgrade
B. a clean installation by using a Windows Configuration Designer provisioning package
C. Windows AutoPilot

9729F35A67F73FB4F4596D0C36FF13FC
D. a clean installation and the User State Migration Tool (USMT)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios#in-place-upgrade

QUESTION 28
You have a computer named Computer5 that has Windows 10 installed.

You create a Windows PowerShell script named config.ps1.

You need to ensure that config.ps1 runs after feature updates are installed on Computer5.

Which file should you modify on Computer5?

A. Unattend.xml
B. Unattend.bat
C. SetupConfig.ini
D. LiteTouch.wsf

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
References:
https://www.joseespitia.com/2017/06/01/how-to-run-a-post-script-after-a-windows-10-feature-upgrade/

QUESTION 29
HOTSPOT

You use Microsoft Intune to manage Windows updates.

You have computers that run Windows 10. The computers are in a workgroup and are enrolled in Intune. The
computers are configured as shown in the following table.

On each computer, the Select when Quality Updates are received Group Policy setting is configured as shown
in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
You have Windows 10 update rings in Intune as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Your network contains an Active Directory forest. The forest contains a single domain and three sites named
Site1, Site2, and Site3. Each site is associated to two subnets. Site1 contains two subnets named SubnetA and
SubnetB.

All the client computers in the forest run Windows 10. Delivery Optimization is enabled.

You have a computer named Computer1 that is in SubnetA.

9729F35A67F73FB4F4596D0C36FF13FC
From which hosts will Computer1 download updates?

A. the computers in Site1 only

B. any computer in the domain
C. the computers in SubnetA only
D. any computer on the network

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Delivery Optimization allows updates from other clients that connect to the Internet using the same public IP as
the target client (NAT).

References:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization

QUESTION 31
HOTSPOT

Your network contains an Active Directory domain. The domain contains 1,200 computers that run Windows
8.1.

You deploy an Upgrade Readiness solution in Microsoft Azure and configure the computers to report to
Upgrade Readiness.

From Upgrade Readiness, you open a table view of the applications.

You need to filter the view to show only applications that can run successfully on Windows 10.

How should you configure the filter in Upgrade Readiness? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Explanation:

References:
https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-resolve-issues

QUESTION 32
HOTSPOT

9729F35A67F73FB4F4596D0C36FF13FC
You have two computers that run Windows 10. The computers are enrolled in Microsoft Intune as shown in the
following table.

Windows 10 update rings are defined in Intune as shown in the following table.

You assign the update rings as shown in the following table.

What is the effect of the configurations on Computer1 and Computer2? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

Computer1 and Computer2 are members of Group1. Ring1 is applied to Group1.

Note: The term "Exclude" is misleading. It means that the ring is not applied to that group, rather than that
group being blocked.

References:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-wufb-intune

https://allthingscloud.blog/configure-windows-update-business-using-microsoft-intune/

QUESTION 33
Your company standardizes on Windows 10 Enterprise for all users.

Some users purchase their own computer from a retail store. The computers run Windows 10 Pro.

You need to recommend a solution to upgrade the computers to Windows 10 Enterprise, join the computers to
Microsoft Azure Active Directory (Azure AD), and install several Microsoft Store apps. The solution must meet
the following requirements:

Ensure that any applications installed by the users are retained.

Minimize user intervention.

What is the best recommendation to achieve the goal? More than one answer choice may achieve the goal.

9729F35A67F73FB4F4596D0C36FF13FC
Select the BEST answer.

A. Microsoft Deployment ToolKit (MDT)

B. Windows Deployment Services (WDS)
C. a Windows Configuration Designer provisioning package
D. Windows AutoPilot

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization
settings. You can apply the provisioning package to a device running Windows 10.

Incorrect Answers:
A: Microsoft Deployment Toolkit (MDT) allows you to automate the deployment of Windows operating systems
in your organization. It is not used to upgrade to Windows 10 Enterprise.
B: Windows Deployment Services (WDS) is the revised version of Remote Installation Services (RIS). WDS
enables the deployment of Windows operating systems. You can use it to set up new computers using
network-based installations. It is not used to upgrade to Windows 10 Enterprise.
D: Windows Autopilot is a user-driven mode designed to minimize intervention of the IT administrator.

References:
https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-10-edition-upgrades

https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package

QUESTION 34
You install a feature update on a computer that runs Windows 10.

How many days do you have to roll back the update?

A. 5
B. 10
C. 14
D. 30

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Microsoft has changed the time period associated with operating system rollbacks with Windows 10 version
1607, decreasing it to 10 days. Previously, Windows 10 had a 30-day rollback period.

References:
https://redmondmag.com/articles/2016/08/04/microsoft-shortens-windows-10-rollback-period.aspx

QUESTION 35
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these

9729F35A67F73FB4F4596D0C36FF13FC
questions will not appear in the review screen.

Your company uses Windows Update for Business.

The research department has several computers that have specialized hardware and software installed.

You need to prevent the video drivers from being updated automatically by using Windows Update.

Solution: From the Windows Update settings in a Group Policy object (GPO), you enable Do not include
drivers with Windows Updates.

Does this meet the goal?

A. Yes
B. No

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-
CC-000024

QUESTION 36
HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains 500 computers
that run Windows 7. Some of the computers are used by multiple users.

You plan to refresh the operating system of the computers to Windows 10.

You need to retain the personalization settings to applications before you refresh the computers. The solution
must minimize network bandwidth and network storage space.

Which command should you run on the computers? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-scanstate-syntax#how-to-use-ui-and-ue

QUESTION 37
HOTSPOT

You have a hybrid Microsoft Azure Active Directory (Azure AD) tenant.

You configure a Windows Autopilot deployment profile as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

9729F35A67F73FB4F4596D0C36FF13FC
Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot

QUESTION 38
DRAG DROP

You have 100 computers that run Windows 8.1.

You plan to deploy Windows 10 to the computers by performing a wipe and load installation.

You need to recommend a method to retain the user settings and the user data.

Which three actions should you recommend be performed in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

9729F35A67F73FB4F4596D0C36FF13FC
References:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios

http://itproguru.com/expert/2016/01/step-by-step-how-to-migrate-users-and-user-data-from-xp-vista-windows-
7-or-8-to-windows-10-using-microsoft-tool-usmt-user-state-migration-toolkit/

QUESTION 39
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company uses Windows Autopilot to configure the computer settings of computers issued to users.

A user named User1 has a computer named Computer1 that runs Windows 10.

User1 leaves the company.

You plan to transfer the computer to a user named User2.

You need to ensure that when User2 first starts the computer, User2 is prompted to select the language setting
and to agree to the license agreement.

Solution: You perform a local Windows Autopilot Reset.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset

QUESTION 40
You have a Microsoft 365 subscription.

A remote user purchases a laptop from a retail store. The laptop is intended for company use and has
Windows 10 Pro edition installed.

You need to configure the laptop to meet the following requirements:

Modify the layout of the Start menu

Upgrade Windows 10 to Windows 10 Enterprise
Join the laptop to a Microsoft Azure Active Directory (Azure AD) domain named contoso.com

The solution must minimize how long it takes for the user to apply the configurations.

What should you do?

A. Create a custom Windows image (.wim) file that contains an image of Windows 10 Enterprise and upload
the file to a Microsoft
B. Create a provisioning package (.ppkg) file and email the file to the user

9729F35A67F73FB4F4596D0C36FF13FC
C. Create a Windows To Go workspace and ship the workspace to the user
D. Create a Sysprep Unattend (.xml) file and email the file to the user

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-packages

QUESTION 41
You have a Microsoft 365 subscription. All devices run Windows 10.

You need to prevent users from enrolling the devices in the Windows Insider Program.

What should you configure from Microsoft 365 Device Management? Each correct answer presents part of the
solution.

NOTE: Each correct selection is worth one point.

A. a Windows 10 security baseline

B. an app configuration policy
C. a custom device configuration profile
D. a Windows 10 update ring
E. a device restrictions device configuration profile

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory
(Azure AD).

Existing on-premises computers are managed by using Microsoft Endpoint Configuration Manager. You
configure contoso.com for co-management.

You deploy 100 new devices that run Windows 10. The devices are joined to Azure AD and enrolled in
Microsoft Intune.

You need to ensure that the devices are co-managed.

What should you create in Intune first?

A. a conditional access policy

B. a device compliance policy
C. an app for the Endpoint Configuration Manager client
D. a device configuration profile
E. an app configuration policy

Correct Answer: C
Section: (none)

9729F35A67F73FB4F4596D0C36FF13FC
Explanation

Explanation/Reference:
Explanation:
For new internet-based devices, you need to create an app in Intune. Deploy this app to Windows 10 devices
that aren't already Configuration Manager clients. This scenario is when you have new Windows 10 devices
that join Azure AD and automatically enroll to Intune. You install the Configuration Manager client to reach a
co-management state.

Reference:
https://docs.microsoft.com/en-us/configmgr/comanage/how-to-prepare-win10

QUESTION 43
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory
(Azure AD).

The Active Directory domain contains 200 computers that run Windows 10. The computers are managed by
using Microsoft System Center Configuration Manager (Current Branch).

You need to pilot co-management for only five of the computers.

What should you create first?

A. a domain local distribution group in Active Directory

B. an Intune Connector for Active Directory
C. a device collection in Configuration Manager
D. a dynamic device group in Azure AD

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Pilot Intune setting switches the associated workload only for the devices in the pilot collection.

Note: When you enable co-management, you'll assign a collection as a Pilot group. This is a group that
contains a small number of clients to test your co-management configurations. We recommend you create a
suitable collection before you start the procedure. Then you can select that collection without exiting the
procedure to do so.

References:
https://docs.microsoft.com/en-us/configmgr/comanage/tutorial-co-manage-new-devices

QUESTION 44
HOTSPOT

You network contains an Active Directory domain. The domain contains 200 computers that run Windows 8.1.
You have a Microsoft Azure subscription.

You plan to upgrade the computers to Windows 10.

You need to generate an Upgrade Readiness report for the computers.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
You have a Microsoft 365 subscription.

You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).

9729F35A67F73FB4F4596D0C36FF13FC
You plan to replace the computers with new computers that run Windows 10. The new computers will be joined
to Azure AD.

You need to ensure that the desktop background, the favorites, and the browsing history are available on the
new computers.

What should you use?

A. Folder Redirection
B. The Microsoft SharePoint Migration Tool
C. Enterprise State Roaming
D. Roaming user profiles

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-
reference

QUESTION 46
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a computer named Computer1 that runs Windows 10.

You save a provisioning package named Package1 to a folder named C:\Folder1.

You need to apply Package1 to Computer1.

Solution: From the Settings app, you select Access work or school, and then you select Add or remove a
provisioning package.

Does this meet the goal?

A. Yes
B. No

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
To install a provisioning package, navigate to Settings > Accounts > Access work or school > Add or remove a
provisioning package > Add a package, and select the package to install.

Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package

QUESTION 47

9729F35A67F73FB4F4596D0C36FF13FC
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a computer named Computer1 that runs Windows 10.

You save a provisioning package named Package1 to a folder named C:\Folder1.

You need to apply Package1 to Computer1.

Solution: From File Explorer, you go to C:\Folder1, and then you double-click the Package1.ppkg file.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
To install a provisioning package, navigate to Settings > Accounts > Access work or school > Add or remove a
provisioning package > Add a package, and select the package to install.

Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package

QUESTION 48
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a computer named Computer1 that runs Windows 10.

You save a provisioning package named Package1 to a folder named C:\Folder1.

You need to apply Package1 to Computer1.

Solution: At a command prompt, you change the current folder to C:\Folder1, and then you run the
RegSvr32.exe Package1.ppkg command.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

9729F35A67F73FB4F4596D0C36FF13FC
Explanation/Reference:
Explanation:
To install a provisioning package, navigate to Settings > Accounts > Access work or school > Add or remove a
provisioning package > Add a package, and select the package to install.

Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package

9729F35A67F73FB4F4596D0C36FF13FC
Policies and Profiles

Testlet 1

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like
to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time
provided.

To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.

General Overview

Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales,
marketing, research, human resources (HR), development, and IT departments.

Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.

Existing Environment

Current Business Model

The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11 AM to 10 PM.

Litware has a Microsoft System Center 2012 R2 Configuration Manager deployment.

During discovery, the company discovers a process where users are emailing bank account information of its
customers to internal and external recipients.

Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD).
The functional level of the forest and the domain is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.

Litware has the computers shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
The development department uses projects in Azure DevOps to build applications.

Most of the employees in the sales department are contractors. Each contractor is assigned a computer that
runs Windows 10. At the end of each contract, the computer is assigned to a different contractor. Currently, the
computers are re-provisioned manually by the IT department.

Problem Statements
Litware identifies the following issues on the network:

Employees in the Los Angeles office report slow Internet performance when updates are downloading. The
employees also report that the updates frequently consume considerable resources when they are installed.
The Update settings are configured as shown in the Updates exhibit. (Click the Updates button.)
Management suspects that the source code for the proprietary applications in Azure DevOps in being
shared externally.
Re-provisioning the sales department computers is too time consuming.

Requirements

Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers. Whenever
possible, Litware wants to minimize hardware and software costs.

Device Management Requirements

Litware identifies the following device management requirements:

Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications
to untrusted applications.

Technical Requirements
Litware identifies the following technical requirements for the planned deployment:

Re-provision the sales department computers by using Windows AutoPilot.

Ensure that the projects in Azure DevOps can be accessed from the corporate network only.
Ensure that users can sign in to the Azure AD-joined computers by using a PIN. The PIN must expire every
30 days.
Ensure that the company name and logo appears during the Out of Box Experience (OOBE) when using
Windows AutoPilot.

Exhibits

Updates

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 1
What should you use to meet the technical requirements for Azure DevOps?

A. An app protection policy

B. Windows Information Protection (WIP)
C. Conditional access
D. A device configuration profile

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?
view=azure-devops

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 2
What should you upgrade before you can configure the environment to support co-management?

A. the domain functional level

B. Configuration Manager
C. the domain controllers
D. Windows Server Update Services (WSUS)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients

QUESTION 3
You need to meet the device management requirements for the developers.

What should you implement?

A. Enterprise State Roaming

B. folder redirection
C. home folders
D. known folder redirection in Microsoft OneDrive

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Litware identifies the following device management requirements:
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.

Enterprise State Roaming allows for the synchronization of Microsoft Edge browser setting, including favorites
and reading list, across devices.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-
reference

9729F35A67F73FB4F4596D0C36FF13FC
Policies and Profiles

Testlet 2

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like
to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time
provided.

To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.

Overview
Contoso, Ltd, is a consulting company that has a main office in Montreal and two branch offices in Seattle and
New York.

Contoso has the users and computers shown in the following table.

The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.

Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.

The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from
home.

Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active
Directory (Azure AD).

All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.

The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are
managed by using Microsoft Intune.

The naming convention for the computers is the department acronym, followed by a hyphen, and then four
numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.

9729F35A67F73FB4F4596D0C36FF13FC
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer
account is in the Computers OU of its respective department.

Intune Configuration

The domain has the users shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.

The devices enrolled in Intune are shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
Requirements

Planned Changes
Contoso plans to implement the following changes:

Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled
and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.

Technical Requirements
Contoso must meet the following technical requirements:

Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices
that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.

QUESTION 1
You need to meet the technical requirements for the iOS devices.

Which object should you create in Intune?

A. A compliance policy
B. An app protection policy
C. A deployment profile
D. A device configuration profile

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Scenario: Technical requirements include: Block iOS devices from sending diagnostic and usage telemetry
data.

Intune includes device restriction policies that help administrators control Android, iOS, macOS, and Windows
devices. These restrictions let you control a wide range of settings and features to protect your organization's
resources. For example, administrators can:

Allow or block the device camera

Control access to Google Play, app stores, viewing documents, and gaming

9729F35A67F73FB4F4596D0C36FF13FC
Block built-in apps, or create a list of apps that allowed or prohibited
Allow or prevent backing up files to cloud and storage accounts
Set a minimum password length, and block simple passwords

References:
https://docs.microsoft.com/en-us/intune/device-restrictions-configure

QUESTION 2
HOTSPOT

To which devices do Policy1 and Policy2 apply? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-profile-assign

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 3
HOTSPOT

What is the maximum number of devices that User1 and User2 can enroll in Intune? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
You need to meet the technical requirements for the IT department.

What should you do first?

A. From the Azure Active Directory blade in the Azure portal, enable Seamless single sign-on.

9729F35A67F73FB4F4596D0C36FF13FC
B. From the Configuration Manager console, add an Intune subscription.
C. From the Azure Active Directory blade in the Azure portal, configure the Mobility (MDM and MAM) settings.
D. From the Microsoft Intune blade in the Azure portal, configure the Windows enrollment settings.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients

QUESTION 5
HOTSPOT

You are evaluating which devices are compliant.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
HOTSPOT

You create a new conditional access policy that has an assignment for Office 365 Exchange Online.

You need to configure the policy to meet the technical requirements for Group4.

Which two settings should you configure in the policy? To answer, select the appropriate settings in the answer
area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

The policy needs to be applied to Group4 so we need to configure Users and Groups.

The Access controls are set to Block access

We therefore need to exclude compliant devices.

From the scenario:

Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices
that are enrolled in Intune.

Note: When a device enrolls in Intune, the device information is updated in Azure AD to include the device
compliance status. This compliance status is used by conditional access policies to block or allow access to e-
mail and other organization resources.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions

9729F35A67F73FB4F4596D0C36FF13FC
https://docs.microsoft.com/en-us/intune/device-compliance-get-started

9729F35A67F73FB4F4596D0C36FF13FC
Policies and Profiles

Question Set 3

QUESTION 1
Your network contains an Active Directory named contoso.com. The domain contains two computers named
Computer1 and Computer2 that run Windows 10.

Folder Redirection is configured for a domain user named User1. The AppData\Roaming folder and the
Desktop folder are redirected to a network share.

User1 signs in to Computer1 and performs the following tasks:

Configures screen saver to start after five minutes of inactivity

Modifies the default save location for Microsoft Word
Creates a file named File1.docx on the desktop
Modifies the desktop background

What will be retained when User1 signs in to Computer2?

A. File1.docx and the desktop background only

B. File1.docx, the screen saver settings, the desktop background, and the default save location for Word
C. File1.docx only
D. File1.docx, the desktop background, and the default save location for Word only

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview

QUESTION 2
HOTSPOT

You have a computer named Computer1 that runs Windows 10.

Computer1 has the users shown in the following table.

User1 signs in to Computer1, creates the following files, and then signs out:

File1.docx in C:\Users\User1\Desktop
File2.docx in C:\Users\Public\Public Desktop
File3.docx in C:\Users\Default\ Desktop

User3 then signs in to Computer1 and creates a file named File4.docx in C:\Users\User3\Desktop.
User2 has never signed in to Computer1.

How many DOCX files will appear on the desktop of each user the next time each user signs in? To answer,

9729F35A67F73FB4F4596D0C36FF13FC
select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Your network contains an Active Directory domain named contoso.com. The domain contains 200 computers
that run Windows 10.

Folder Redirection for the Desktop folder is configured as shown in the following exhibit.

9729F35A67F73FB4F4596D0C36FF13FC
The target is set to Server1.

You plan to use known folder redirection in Microsoft OneDrive for Business.

You need to ensure that the desktop content of users remains on their desktop when you implement known
folder redirection.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Clear the Grant the user exclusive rights to Desktop check box.
B. Change the Policy Removal setting.
C. Disable Folder Redirection.
D. Clear the Move the contents of Desktop to the new location check box.

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders

QUESTION 4
HOTSPOT

You have a Microsoft 365 subscription.

All computers are enrolled in Microsoft Intune.

You have business requirements for securing your Windows 10 environment as shown in the following table.

What should you implement to meet each requirement? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://github.com/MicrosoftDocs/IntuneDocs/blob/master/intune/advanced-threat-protection.md

QUESTION 5
Your company plans to deploy tablets to 50 meeting rooms.

The tablets run Windows 10 and are managed by using Microsoft Intune. The tablets have an application
named App1.

You need to configure the tablets so that any user can use App1 without having to sign in. Users must be
prevented from using other applications on the tablets.

Which device configuration profile type should you use?

A. Kiosk
B. Endpoint protection
C. Identity protection
D. Device restrictions

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app

QUESTION 6
DRAG DROP

Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD). All computers are joined to the domain and registered to Azure AD.

The network contains a Microsoft System Center Configuration Manager (Current Branch) deployment that is
configured for co-management with Microsoft Intune.

All the computers in the finance department are managed by using Configuration Manager. All the computers
in the marketing department are managed by using Intune.

9729F35A67F73FB4F4596D0C36FF13FC
You install new computers for the users in the marketing department by using the Microsoft Deployment Toolkit
(MDT).

You purchase an application named App1 that uses an MSI package.

You need to install App1 on the finance department computers and the marketing department computers.

How should you deploy App1 to each department? To answer, drag the appropriate deployment methods to the
correct departments. Each deployment method may be used once, more than once, or not at all. You may
need to drag the split bat between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/apps-add

https://docs.microsoft.com/en-us/sccm/apps/get-started/create-and-deploy-an-application

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 7
Your company has a Microsoft 365 subscription.

The company uses Microsoft Intune to manage all devices.

The company uses conditional access to restrict access to Microsoft 365 services for devices that do not
comply with the company’s security policies.

You need to identify which devices will be prevented from accessing Microsoft 365 services.

What should you use?

A. The Device Health solution in Windows Analytics.

B. Windows Defender Security Center.
C. The Device compliance blade in the Intune admin center.
D. The Conditional access blade in the Azure Active Directory admin center.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
HOTSPOT

You have 200 computers that run Windows 10.

You need to create a provisioning package to configure the following tasks:

Remove the Microsoft News and the Xbox Microsoft Store apps.
Add a VPN connection to the corporate network.

Which two customizations should you configure? To answer, select the appropriate customizations in the
answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-connectivityprofiles

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-
provider#applicationmanagement-applicationrestrictions

9729F35A67F73FB4F4596D0C36FF13FC
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-policies

QUESTION 9
HOTSPOT

You have a Microsoft Intune subscription.

You create the Windows Autopilot deployment profile-shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven

QUESTION 10
You need to assign the same deployment profile to all the computers that are configured by using Windows
Autopilot.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Join the computers to Microsoft Azure Active Directory (Azure AD)

B. Assign a Windows Autopilot deployment profile to a group
C. Join the computers to an on-premises Active Directory domain
D. Create a Microsoft Azure Active Directory (Azure AD) group that has dynamic membership rules and uses
the operatingSystem tag
E. Create a Group Policy object (GPO) that is linked to a domain

9729F35A67F73FB4F4596D0C36FF13FC
F. Create a Microsoft Azure Active Directory (Azure AD) group that has dynamic membership rules and uses
the ZTDID tag

Correct Answer: BF
Section: (none)
Explanation

Explanation/Reference:
References:
https://www.petervanderwoude.nl/post/automatically-assign-windows-autopilot-deployment-profile-to-windows-
autopilot-devices/

QUESTION 11
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have
computers that run Windows 10. The computers are joined to Azure AD and managed by using Microsoft
Intune.

You need to ensure that you can centrally monitor the computers by using Windows Analytics.

What should you create in Intune?

A. a device configuration profile

B. a conditional access policy
C. a device compliance policy
D. an update policy

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://www.scconfigmgr.com/2019/03/27/windows-analytics-onboarding-with-intune/

QUESTION 12
HOTSPOT

You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.

You need to set a custom image as the wallpaper and sign-in screen.

Which two settings should you configure in Device restrictions? To answer, select the appropriate settings in
the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

Sign-in screen, or Locked screen, image is set under Locked screen experience

Wallpaper image, or Desktop background picture, URL is set under Personalization.

References:
https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10

QUESTION 13
Your company has a System Center Configuration Manager deployment that uses hybrid mobile device
management (MDM). All Windows 10 devices are Active Directory domain-joined.

You plan to migrate from hybrid MDM to Microsoft Intune standalone.

9729F35A67F73FB4F4596D0C36FF13FC
You successfully run the Intune Data Importer tool.

You need to complete the migration.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. In Intune, add a device enrollment manager (DEM).

B. Change the tenant MDM authority to Intune.
C. Assign all users Intune licenses.
D. Create a new Intune tenant.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/migrate-hybridmdm-to-intunesa

https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/migrate-prepare-intune

https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/change-mdm-authority

QUESTION 14
Your company has 200 computers that run Windows 10. The computers are managed by using Microsoft
Intune.

Currently, Windows updates are downloaded without using Delivery Optimization.

You need to configure the computers to use Delivery Optimization.

What should you create in Intune?

A. a device configuration profile

B. a device compliance policy
C. an app protection policy
D. a Windows 10 update ring

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/intune/delivery-optimization-windows

QUESTION 15
You have 500 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.

You plan to distribute certificates to the computers by using Simple Certificate Enrollment Protocol (SCEP).

You have the servers shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
NDES issues certificates from the subordinate CA.

You are configuring a device profile as shown in the exhibit. (Click the Exhibit tab.)

You need to complete the SCEP profile.

On which server is the required root certificate located?

A. Server1
B. Server2
C. Server3
D. Server4

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.

You redirect Windows known folders to Microsoft OneDrive for Business.

Which folder will be included in the redirection?

A. Saved Games
B. Desktop
C. Music
D. Downloads

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders

QUESTION 17
You have a Microsoft Azure Active Directory (Azure AD) tenant. All corporate devices are enrolled in Microsoft
Intune.

You have a web-based application named App1 that uses Azure AD to authenticate.

You need to prompt all users of App1 to agree to the protection of corporate data when they access App1 from
both corporate and noncorporate devices.

What should you configure?

A. Notifications in Device compliance

B. Terms and Conditions in Device enrollment
C. Terms of use in Conditional access
D. an Endpoint protection profile in Device configuration

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use

QUESTION 18
HOTSPOT

You have unrooted devices enrolled in Microsoft Intune as shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
The devices are members of a group named Group1.

In Intune, you create a device compliance location that has the following configurations:

Name: Network1
IPv4 range: 192.168.0.0/16

In Intune, you create a device compliance policy for the Android platform. The policy has following
configurations:

Name: Policy1
Device health: Rooted devices: Block
Locations: Location: Network1
Mark device noncompliant: Immediately
Assigned: Group1

In Intune device compliance policy has the following configurations:

Mark devices with no compliance policy assigned as: Compliant

Enhanced jailbreak detection: Enabled
Compliance status validity period (days): 20

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

Reference:
https://docs.microsoft.com/en-us/intune/device-compliance-get-started

QUESTION 19
You have an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant contains Windows 10
devices that are enrolled in Microsoft Intune.

You create an Azure Log Analytics workspace and add the Device Health Solution to the workspace.

You need to create a custom device configuration profile that will enroll the Windows 10 devices in Device
Health.

Which OMA-URI should you add to the profile?

A. ./Vendor/MSFT/DMClient/Provider/MS DM Server/Push
B. ./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID
C. ./Vendor/MSFT/DMClient/Provider/MS DM Server/ManagementServerAddressList
D. ./Vendor/MSFT/DMClient/Provider/MS DM Server/Push/ChannelURI

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
References:
https://allthingscloud.blog/monitor-windows-10-updates-for-intune-mdm-enrolled-devices/

QUESTION 20
HOTSPOT

You have 100 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.

You need to configure the following device restrictions:

Block users from browsing to suspicious websites.

Scan all scripts loaded into Microsoft Edge.

9729F35A67F73FB4F4596D0C36FF13FC
Which two settings should you configure in Device restrictions? To answer, select the appropriate settings in
the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-
defender-smartscreen-overview

QUESTION 21
HOTSPOT

You have computers that run Windows 10 as shown in the following table.

Computer2 and Computer3 are enrolled in Microsoft Intune.

In a Group Policy object (GPO) linked to the domain, you enable the Computer Configuration/Administrative

9729F35A67F73FB4F4596D0C36FF13FC
Templates/Windows Components/Search/Allow Cortana setting.

In an Intune device configuration profile, you configure the following:

Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP to a value of 1
Experience/AllowCortana to a value of 0.

Each of the following statement, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-
wins/

QUESTION 22
Your company plans to deploy Windows 10 to devices that will be configured for English use and other devices
that will be configured for Korean use.

You need to create a single multivariant provisioning package for the planned devices.

9729F35A67F73FB4F4596D0C36FF13FC
You create the provisioning package.

What should you do next to add the language settings to the package?

A. Modify the Customizations.xml file.

B. Create a file named Languages.xml that contains a header for Korean.
C. Modify the .ppkg file.
D. Create a file named Languages.xml that contains a header for English.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Follow these steps to create a provisioning package with multivariant capabilities.
1. Build a provisioning package and configure the customizations you want to apply during certain conditions.
2. After you've configured the settings, save the project.
3. Open the project folder and copy the customizations.xml file to any local location.
4. Use an XML or text editor to open the customizations.xml file.
5. Edit the customizations.xml file to create a Targets section to describe the conditions that will handle your
multivariant settings.
6. In the customizations.xml file, create a Variant section for the settings you need to customize.
7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as
one of the values for the next step.
8. Use the Windows Configuration Designer command-line interface to create a provisioning package using
the updated customizations.xml.

References:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-multivariant

QUESTION 23
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD).

You have a Microsoft 365 subscription.

You create a conditional access policy for Microsoft Exchange Online.

You need to configure the policy to prevent access to Exchange Online unless a user is connecting from a
device that is hybrid Azure AD-joined.

Which settings should you configure?

A. Locations
B. Device platforms
C. Sign-in risk
D. Device state

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions#device-state

QUESTION 24

9729F35A67F73FB4F4596D0C36FF13FC
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.

You redirect Windows known folders to Microsoft OneDrive for Business.

Which folder will be included in the redirection?

A. Saved Games
B. Documents
C. Music
D. Downloads
E. Favorites
F. AppData
G. Videos

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders

QUESTION 25
You have a Microsoft 365 subscription.

You have a conditional access policy that requires multi-factor authentication (MFA) for users in a group name
Sales when the users sign in from a trusted location. The policy is configured as shown in the exhibit. (Click
the Exhibit tab.)

9729F35A67F73FB4F4596D0C36FF13FC
You create a compliance policy.

You need to ensure that the users are authenticated only if they are using a compliant device.

What should you configure in the conditional access policy?

A. a condition
B. a session control
C. a cloud app
D. a grant control

Correct Answer: A

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The device state condition can be used to exclude devices that are hybrid Azure AD joined and/or devices
marked as compliant with a Microsoft Intune compliance policy from an organization's Conditional Access
policies.

Device state is located on the Condition tab.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-
conditions#device-state

QUESTION 26
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1. User1 has the
device shown in the following table.

Enterprise State Roaming is configured for User1.

User1 signs in to Device4 and changes the desktop.

You need to identify on which devices User1 will have a changed desktop.

Which devices should you identify?

A. Device1, Device2, Device3, and Device4

B. Device4 only
C. Device2, Device3, and Device4 only
D. Device2 and Device4 only
E. Device3 and Device4 only

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The requirements of Enterprise State Roaming are:
Windows 10, with the latest updates, and a minimum Version 1511 (OS Build 10586 or later) is installed on
the device.
The device is Azure AD joined or hybrid Azure AD joined.

9729F35A67F73FB4F4596D0C36FF13FC
 Ensure that Enterprise State Roaming is enabled for the tenant in Azure AD.
The user is assigned an Azure Active Directory Premium license.
The device must be restarted and the user must sign in again to access Enterprise State Roaming features.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-troubleshooting

QUESTION 27
HOTSPOT

You have a workgroup computer named Computer1 that runs Windows 10 and has the users shown in the
following table.

Group1 is a member of Group3.

You are creating a file named Kiosk.xml that specifies a lockdown profile for a multi-app kiosk.

Kiosk.xml contains the following section.

You apply Kiosk.xml to Computer1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Explanation:

Reference:
https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps#config-for-
group-accounts

QUESTION 28
HOTSPOT

Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory
(Azure AD). The domain contains the users shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
Enterprise State Roaming is enabled for User2.

You have the computers shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

9729F35A67F73FB4F4596D0C36FF13FC
Explanation/Reference:
Explanation:

The requirements of Enterprise State Roaming are:

Windows 10, with the latest updates, and a minimum Version 1511 (OS Build 10586 or later) is installed on
the device.
The device is Azure AD joined or hybrid Azure AD joined.
Ensure that Enterprise State Roaming is enabled for the tenant in Azure AD.
The user is assigned an Azure Active Directory Premium license.
The device must be restarted and the user must sign in again to access Enterprise State Roaming features.

Box 1: No
Computer2 runs Windows 8.1.
Enterprise State Roaming requires Windows 10, with the latest updates, and a minimum Version 1511 (OS
Build 10586).
Also, Enterprise State Roaming is enabled for User2, not for User1.

Box 2: No
The device must be Azure AD joined or hybrid Azure AD joined.
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory
(Azure AD), in other words, a hybrid Azure AD.
Also, Enterprise State Roaming is enabled for User2, not for User1.

Box 3: Yes

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-troubleshooting

QUESTION 29
HOTSPOT

Your company has computers that run Windows 8.1, Windows 10, or macOS.

The company uses Microsoft Intune to manage the computers.

You need to create an Intune profile to configure Windows Hello for Business on the computers that support it.

Which platform type and profile type should you use? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Explanation:

Windows Hello for Business is a method for signing in to Windows devices by replacing passwords, smart
cards, and virtual smart cards. Intune includes built-in settings so Administrators can configure and use
Windows Hello for Business. For example, you can use these settings to:
Enable Windows Hello for Business for devices and users
Set device PIN requirements, including a minimum or maximum PIN length
Allow gestures, such as a fingerprint, that users can (or can't use) to sign in to devices

Reference:

9729F35A67F73FB4F4596D0C36FF13FC
https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-configure

QUESTION 30
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and Windows
10 Pro devices.

From Microsoft Intune, you create a device configuration profile named Profile1.

You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.

Solution: You create an Azure Active Directory group that contains only the Windows 10 Enterprise devices.
You assign Profile1 to the new group.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create

QUESTION 31
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and Windows
10 Pro devices.

From Microsoft Intune, you create a device configuration profile named Profile1.

You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.

Solution: You create a scope tag, and then you add the scope tag to the Windows 10 Enterprise devices. You
edit the settings of Profile1.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)

9729F35A67F73FB4F4596D0C36FF13FC
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create

QUESTION 32
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and Windows
10 Pro devices.

From Microsoft Intune, you create a device configuration profile named Profile1.

You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.

Solution: You configure an applicability rule for Profile1. You assign Profile1 to Group1.

Does this meet the goal?

A. Yes
B. No

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create

QUESTION 33
HOTSPOT

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1.
User1 has the devices shown in the following table.

On September 5, 2019, you create and enforce a terms of use (ToU) in contoso.com. The ToU has the
following settings:

Name: Terms1
Display name: Terms name
Require users to expand the terms of use: Off
Require users to consent on every device: On
Expire consents: On
Expire starting on: October 10, 2019
Frequency Monthly

9729F35A67F73FB4F4596D0C36FF13FC
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use#frequently-asked-
questions

QUESTION 34
HOTSPOT

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the devices shown in
the following table.

All devices contain an app named App1 and are enrolled in Microsoft Intune.

You need to prevent users from copying data from App1 and pasting the data into other apps.

9729F35A67F73FB4F4596D0C36FF13FC
Which type of policy and how many policies should you create in Intune? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies-configure-windows-10

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 35
Your company has an internal portal that uses a URL of http://contoso.com.

The network contains computers that run Windows 10. The default browser on all the computers is Microsoft
Edge.

You need to ensure that all users only use Internet Explorer to connect to the internal portal. The solution must
ensure that Microsoft Edge can be used to connect to all other websites.

What should you do from each computer?

A. From Internet Explorer, configure the Compatibility View settings

B. From the local policy, configure Enterprise Mode
C. From Microsoft Edge, configure the Advanced Site Settings
D. From the Settings app, configure the default web browser settings

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility

QUESTION 36
Your company uses Microsoft Intune.

More than 500 Android and iOS devices are enrolled in the Intune tenant.

You plan to deploy new Intune policies. Different policies will apply depending on the version of Android or iOS
installed on the device.

You need to ensure that the policies can target the devices based on their version of Android or iOS.

What should you configure first?

A. Corporate device identifiers in Intune

B. Device settings in Microsoft Azure Active Directory (Azure AD)
C. Device categories in Intune
D. Groups that have dynamic membership rules in Microsoft Azure Active Directory (Azure AD)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/compliance-policy-create-android

https://docs.microsoft.com/en-us/intune/compliance-policy-create-ios

QUESTION 37
You have computers that run Windows 10 Pro. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.

You need to upgrade the computers to Windows 10 Enterprise.

9729F35A67F73FB4F4596D0C36FF13FC
What should you configure in Intune?

A. A device enrollment policy

B. A device cleanup rule
C. A device compliance policy
D. A device configuration profile

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://blogs.technet.microsoft.com/skypehybridguy/2018/09/21/intune-upgrade-windows-from-pro-to-
enterprise-automatically/

QUESTION 38
You are creating a device configuration profile in Microsoft Intune.

You need to implement an ADMX-backed policy.

Which profile type should you use?

A. Identity protection
B. Custom
C. Device restrictions
D. Device restrictions (Windows 10 Team)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-using-
microsoft-intune/

QUESTION 39
HOTSPOT

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in
the following table.

Contoso.com contains the devices shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
In Intune, you create the app protection policies shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

9729F35A67F73FB4F4596D0C36FF13FC
Manage and Protect Devices

Testlet 1

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like
to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time
provided.

To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.

Overview
Contoso, Ltd, is a consulting company that has a main office in Montreal and two branch offices in Seattle and
New York.

Contoso has the users and computers shown in the following table.

The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.

Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.

The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from
home.

Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active
Directory (Azure AD).

All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.

The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are
managed by using Microsoft Intune.

The naming convention for the computers is the department acronym, followed by a hyphen, and then four
numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.

9729F35A67F73FB4F4596D0C36FF13FC
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer
account is in the Computers OU of its respective department.

Intune Configuration

The domain has the users shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.

The devices enrolled in Intune are shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
Requirements

Planned Changes
Contoso plans to implement the following changes:

Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled
and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.

Technical Requirements
Contoso must meet the following technical requirements:

Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices
that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.

QUESTION 1
DRAG DROP

You need to meet the technical requirements for the LEG department computers.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-azure-portal
https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started

9729F35A67F73FB4F4596D0C36FF13FC
Manage and Protect Devices

Question Set 2

QUESTION 1
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD). The domain contains computers that run Windows 10. The computers are enrolled in Microsoft Intune
and Windows Analytics.

Your company protects documents by using Windows Information Protection (WIP).

You need to identify non-approved apps that attempt to open corporate documents.

What should you use?

A. the Device Health solution in Windows Analytics

B. Microsoft Cloud App Security
C. Intune Data Warehouse
D. the App protection status report in Intune

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wip-
learning

QUESTION 2
HOTSPOT

Your company uses Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows
Defender ATP includes the machine groups shown in the following table.

You onboard a computer to Windows Defender ATP as shown in the following exhibit.

9729F35A67F73FB4F4596D0C36FF13FC
What is the effect of the Windows Defender ATP configuration? To answer, select the appropriate options in
the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Your company has computers that run Windows 10. The company uses Microsoft Intune to manage the
computers.

You have an app protection policy for Microsoft Edge. You assign the policy to a group.

On a computer named Computer1, you open Microsoft Edge.

You need to verify whether Microsoft Edge on Computer1 is protected by the app protection policy.

Which column should you add in Task Manager?

A. Operating system context

B. UAC virtualization
C. Enterprise Context
D. Data Execution Prevention

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wip-
app-enterprise-context

https://www.itpromentor.com/win10-mam-wip/

QUESTION 4
HOTSPOT

You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.

9729F35A67F73FB4F4596D0C36FF13FC
You need to configure an Intune device configuration profile to meet the following requirements:

Prevent Microsoft Office applications from launching child processes.

Block users from transferring files over FTP.

Which two settings should you configure in Endpoint protection? To answer, select the appropriate settings in
the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10

QUESTION 5
HOTSPOT

You have a Microsoft 365 subscription.

You need to configure access to Microsoft Office 365 for unmanaged devices. The solution must meet the
following requirements:

Allow only the Microsoft Intune Managed Browser to access Office 365 web interfaces.
Ensure that when users use the Intune Managed Browser to access Office 365 web interfaces, they can
only copy data to applications that are managed by the company.

Which two settings should you configure from the Microsoft Intune blade? To answer, select the appropriate
settings in the answer area.

NOTE: Each correct selection is worth one point.

9729F35A67F73FB4F4596D0C36FF13FC
Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

9729F35A67F73FB4F4596D0C36FF13FC
Explanation/Reference:
References:
https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser#application-protection-policies-
for-protected-browsers

QUESTION 6
Your company implements Microsoft Azure Active Directory (Azure AD), Microsoft 365, Microsoft Intune, and
Azure Information Protection.

The company’s security policy states the following:

Personal devices do not need to be enrolled in Intune.

Users must authenticate by using a PIN before they can access corporate email data.
Users can use their personal iOS and Android devices to access corporate cloud services.
Users must be prevented from copying corporate email data to a cloud storage service other than Microsoft
OneDrive for Business.

You need to configure a solution to enforce the security policy.

What should you create?

A. a data loss prevention (DLP) policy from the Security & Compliance admin center
B. a supervision policy from the Security & Compliance admin center
C. an app protection policy from the Intune admin center
D. a device configuration profile from the Intune admin center

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/intune/app-protection-policy

QUESTION 7
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several
Windows 10 devices.

When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.

You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10
devices to contoso.com.

Solution: From the Azure Active Directory admin center, you configure the Authentication methods.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management
(MDM) enrollment. From the Device Management admin center, you configure the Windows Hello for Business
enrollment options.

References:
https://docs.microsoft.com/en-us/intune/protect/windows-hello

QUESTION 8
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several
Windows 10 devices.

When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.

You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10
devices to contoso.com.

Solution: From the Azure Active Directory admin center, you configure automatic mobile device management
(MDM) enrollment. From the Device Management admin center, you configure the Windows Hello for Business
enrollment options.

Does this meet the goal?

A. Yes
B. No

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Hello for Business is an alternative sign-in method that uses Active Directory or an Azure Active Directory
account to replace a password, smart card, or a virtual smart card. It lets you use a user gesture to sign in,
instead of a password. A user gesture might be a PIN, biometric authentication such as Windows Hello, or an
external device such as a fingerprint reader.

Intune integrates with Hello for Business in two ways:

An Intune policy can be created under Device enrollment. This policy targets the entire organization (tenant-
wide). It supports the Windows AutoPilot out-of-box-experience (OOBE) and is applied when a device
enrolls.
An identity protection profile can be created under Device configuration. This profile targets assigned users
and devices, and is applied during check-in.

References:
https://docs.microsoft.com/en-us/intune/protect/windows-hello

QUESTION 9

9729F35A67F73FB4F4596D0C36FF13FC
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several
Windows 10 devices.

When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.

You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10
devices to contoso.com.

Solution: From the Azure Active Directory admin center, you configure automatic mobile device management
(MDM) enrollment. From the Device Management admin center, you create and assign a device restrictions
profile.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management
(MDM) enrollment. From the Device Management admin center, you configure the Windows Hello for Business
enrollment options.

References:
https://docs.microsoft.com/en-us/intune/protect/windows-hello

QUESTION 10
Your company has a Microsoft Azure Active Directory (Azure AD) tenant. All users in the company are licensed
for Microsoft Intune.

You need to ensure that the users enroll their iOS device in Intune.

What should you configure first?

A. A Device Enrollment Program (DEP) token.

B. An Intune device configuration profile.
C. A Device enrollment manager (DEM) account.
D. An Apple MDM Push certificate.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 11
You use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to protect computers that
run Windows 10.

You need to assess the differences between the configuration of Microsoft Defender ATP and the Microsoft-
recommended configuration baseline.

Which tool should you use?

A. Microsoft Defender Security Center

B. Windows Analytics
C. Microsoft Defender ATP Power BI app
D. Microsoft Secure Score

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-secure-
score

QUESTION 12
Your company uses Microsoft Intune to manage devices. You need to ensure that only Android devices that
use Android work profiles can enroll in Intune.

Which two configurations should you perform in the device enrollment restrictions? Each correct answer
presents part of the solution.

NOTE: Each correct selection is worth one point.

A. From Select platforms, set Android work profile to Allow.

B. From Configure platforms, set Android Personally Owned to Block.
C. From Configure platforms, set Android Personally Owned to Allow.
D. From Select platforms, set Android to Block.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/InTune/enrollment-restrictions-set

QUESTION 13
You have a Microsoft Azure Log Analytics workplace that collects all the event logs from the computers at your
company.

You have a computer named Computer1 than runs Windows 10. You need to view the events collected from
Computer1.

Which query should you run in Log Analytics?

A. Event
| where Computer = = "Computer1"
B. ETWEvent

9729F35A67F73FB4F4596D0C36FF13FC
 | where SourceSystem = = "Computer1"
C. ETWEvent
| where Computer = = "Computer1"
D. Event
| where SourceSystem = = "Computer1"

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

QUESTION 14
HOTSPOT

You have 1,000 computers that run Windows 10 and are members of an Active Directory domain.

You create a workspace in Microsoft Azure Log Analytics.

You need to capture the event logs from the computers to Azure.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

QUESTION 15
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.

You need to ensure that only applications that you explicitly allow can run on the computers.

What should you use?

A. Windows Defender Credential Guard

B. Windows Defender Exploit Guard
C. Windows Defender Application Guard
D. Windows Defender Application Control

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-
virtualization-based-security-and-windows-defender-application-control

QUESTION 16
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company has several Windows 10 devices that are enrolled in Microsoft Intune.

You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.

9729F35A67F73FB4F4596D0C36FF13FC
You need to enroll Computer1 in Intune.

Solution: From Computer1, you sign in to https://portal.manage.microsoft.com and use the Devices tab.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Use MDM enrolment.
MDM only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active directory joined
PC into Intune. Users enroll from Settings on the existing Windows PC.

Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods

QUESTION 17
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company has several Windows 10 devices that are enrolled in Microsoft Intune.

You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.

You need to enroll Computer1 in Intune.

Solution: You install the Company Portal app on Computer1 and use the Devices tab from the app.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Use MDM enrolment.
MDM only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active directory joined
PC into Intune. Users enroll from Settings on the existing Windows PC.

Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods

QUESTION 18
Note: This question is part of a series of questions that present the same scenario. Each question in

9729F35A67F73FB4F4596D0C36FF13FC
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company has several Windows 10 devices that are enrolled in Microsoft Intune.

You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.

You need to enroll Computer1 in Intune.

Solution: From the Settings app on Computer1, you use the Connect to work or school account settings.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Use MDM enrolment.
MDM only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active directory joined
PC into Intune. Users enroll from Settings on the existing Windows PC.

References:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods

QUESTION 19
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several
Windows 10 devices.

When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.

You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10
devices to contoso.com.

Solution: From the Azure Active Directory admin center, you modify the User settings and the Device settings.

Does this meet the goal?

A. Yes
B. No

Correct Answer: B
Section: (none)
Explanation

9729F35A67F73FB4F4596D0C36FF13FC
Explanation/Reference:
Explanation:
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management
(MDM) enrollment. From the Device Management admin center, you configure the Windows Hello for Business
enrollment options.

Reference:
https://docs.microsoft.com/en-us/intune/protect/windows-hello

QUESTION 20
Your network contains an Active Directory domain named contoso.com. The domain contains computers that
run Windows 10 and are joined to the domain.

The domain is synced to Microsoft Azure Active Directory (Azure AD).

You create an Azure Log Analytics workspace and deploy the Device Health solution.

You need to enroll the computers in Windows Analytics.

Which Group Policy setting should you configure?

A. Specify intranet Microsoft update service location

B. Allow Telemetry
C. Configure the Commercial ID
D. Connected User Experiences and Telemetry

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Microsoft uses a unique commercial ID to map information from user computers to your Azure workspace.
Copy your commercial ID key from any of the Windows Analytics solutions you have added to your Windows
Portal, and then deploy it to user computers.

References:
https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started

QUESTION 21
DRAG DROP

You use the Antimalware Assessment solution in Microsoft Azure Log Analytics.

From the Protection Status dashboard, you discover the computers shown in the following table.

You verify that both computers are connected to the network and running.

What is a possible cause of the issue on each computer? To answer, drag the appropriate causes to the
correct computers. Each cause may be used once, more than once, or not at all. You may need to drag the

9729F35A67F73FB4F4596D0C36FF13FC
split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/ga-ie/azure/security-center/security-center-install-endpoint-protection

QUESTION 22
You have a shared computer that runs Windows 10.

The computer is infected with a virus.

You discover that a malicious TTF font was used to compromise the computer.

You need to prevent this type of threat from affecting the computer in the future.

What should you use?

9729F35A67F73FB4F4596D0C36FF13FC
A. Windows Defender Exploit Guard
B. Windows Defender Application Guard
C. Windows Defender Credential Guard
D. Windows Defender System Guard
E. Windows Defender SmartScreen

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-
defender-exploit-guard

QUESTION 23
DRAG DROP

Your company has a Microsoft Azure Active Directory (Azure AD) tenant.

The company uses Microsoft Intune to manage iOS, Android, and Windows 10 devices.

The company plans to purchase 1,000 iOS devices. Each device will be assigned to a specific user.

You need to ensure that the new iOS devices are enrolled automatically in Intune when the assigned user
signs in for the first time.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios

QUESTION 24
Your network contains an Active Directory domain. The functional level of the forest and the domain is
Windows Server 2012 R2.

The domain contains 500 computers that run Windows 10. All the computers are managed by using Microsoft
System Center 2012 R2 Configuration Manager.

You need to enable co-management.

What should you do first?

A. Deploy the Microsoft Intune client.

B. Raise the forest functional level.
C. Upgrade Configuration Manager to Current Branch.
D. Raise the domain functional level.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

9729F35A67F73FB4F4596D0C36FF13FC
Explanation:
Co-management requires Configuration Manager version 1710 or later.

References:
https://docs.microsoft.com/en-us/sccm/comanage/overview#prerequisites

QUESTION 25
HOTSPOT

Your company uses Microsoft Intune to manage Windows 10, Android, and iOS devices.

Several users purchase new iPads and Android devices.

You need to tell the users how to enroll their device in Intune.

What should you instruct the users to use for each device? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

The Intune Company Portal app is used to enroll Android, iOS, macOS, and Windows devices

References:
https://docs.microsoft.com/en-us/intune-user-help/enroll-device-android-company-portal

https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-ios

https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp

QUESTION 26
HOTSPOT

Your company has a Microsoft Azure Active Directory (Azure AD) tenant and computers that run Windows 10.

The company uses Microsoft Intune to manage the computers.

The Azure AD tenant has the users shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
The device type restrictions in Intune are configured as shown in the following table:

User3 is a device enrollment manager (DEM) in Intune.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
References:

9729F35A67F73FB4F4596D0C36FF13FC
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-android

QUESTION 27
HOTSPOT

Your company has computers that run Windows 10 and are Microsoft Azure Active Directory (Azure AD)-
joined.

The company purchases an Azure subscription.

You need to collect Windows events from the Windows 10 computers in Azure. The solution must enable you
to create alerts based on the collected events.

What should you create in Azure and what should you configure on the computers? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)

9729F35A67F73FB4F4596D0C36FF13FC
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent

QUESTION 28
You have a public computer named Public1 that runs Windows 10.

Users use Public1 to browse the internet by using Microsoft Edge.

You need to view events associated with website phishing attacks on Public1.

Which Event Viewer log should you view?

A. Applications and Services Logs > Microsoft\Windows > DeviceGuard > Operational
B. Applications and Services Logs > Microsoft > Windows > Security-Mitigations > User Mode
C. Applications and Services Logs > Microsoft > Windows > SmartScreen > Debug
D. Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-
defender-smartscreen-overview#viewing-windows-event-logs-for-microsoft-defender-smartscreen

QUESTION 29
You have a hybrid Microsoft Azure Active Directory (Azure AD) tenant, a Microsoft System Center
Configuration Manager (Current Branch) environment, and a Microsoft 365 subscription.

You have computers that run Windows 10 as shown in the following table.

You plan to use Microsoft 365 Device Management.

Which computers support co-management by Configuration Manager and Device Management?

A. Computer3 only
B. Computer1 and Computer2 only
C. Computer2 only
D. Computer1, Computer2, and Computer3

Correct Answer: D
Section: (none)
Explanation

9729F35A67F73FB4F4596D0C36FF13FC
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

QUESTION 30
You have a computer named Computer1 that runs Windows 10.

Computer1 is used by a user named User1.

You need to ensure that when User1 opens websites from untrusted locations by using Microsoft Edge,
Microsoft Edge runs in an isolated container.

What should you do first?

A. From Windows Features, turn on Windows Defender Application Guard.

B. From Windows Features, turn on Hyper-V Platform.
C. From Windows Security, configure the Virus & threat protection settings.
D. From Windows Security, configure the Device security settings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-
app-guard-overview

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/
install-wd-app-guard

QUESTION 31
You have computers that run Windows 10 and are managed by using Microsoft Intune.

Users store their files in a folder named D:\Folder1.

You need to ensure that only a trusted list of applications is granted write access to D:\Folder1.

What should you configure in the device configuration profile?

A. Microsoft Defender SmartScreen

B. Microsoft Defender Exploit Guard
C. Microsoft Defender Application Guard
D. Microsoft Defender Application Control

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-
surface-against-next-generation-malware/

QUESTION 32
HOTSPOT

9729F35A67F73FB4F4596D0C36FF13FC
Your company uses Microsoft System Center Configuration Manager (Current Branch) and purchases 365
subscription.

You need to set up Desktop Analytics for Configuration Manager.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/connect-configmgr

QUESTION 33
You need to enable Windows Defender Credential Guard on computers that run Windows 10.

What should you install on the computers?

A. Hyper-V

9729F35A67F73FB4F4596D0C36FF13FC
B. Windows Defender Application Guard
C. a guarded host
D. containers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
HOTSPOT

Your network contains an Active Directory domain. Active Directory is synced with Microsoft Azure Active
Directory (Azure AD).

There are 500 Active Directory domain-joined computers that run Windows 10 and are enrolled in Microsoft
Intune.

You plan to implement Windows Defender Exploit Guard.

You need to create a custom Windows Defender Exploit Guard policy, and then distribute the policy to all the
computers.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

9729F35A67F73FB4F4596D0C36FF13FC
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-
exploit-protection

QUESTION 35
You have 100 devices that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).

You need to prevent users from joining their home computer to Azure AD.

What should you do?

A. From the Device enrollment blade in the Intune admin center, modify the Enrollment restriction settings.
B. From the Devices blade in the Azure Active Directory admin center, modify the Device settings.
C. From the Device enrollment blade in the Intune admin center, modify the Device enrollment manages
settings.
D. From the Mobility (MDM and MAM) blade in the Azure Active Directory admin center, modify the Microsoft
Intune enrollment settings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

QUESTION 36
Your company has a Microsoft 365 subscription.

A new user named Admin1 is responsible for deploying Windows 10 to computers and joining the computers to
Microsoft Azure Active Directory (Azure AD).

9729F35A67F73FB4F4596D0C36FF13FC
Admin1 successfully joins computers to Azure AD.

Several days later, Admin1 receives the following error message: “This user is not authorized to enroll. You can
try to do this again or contact your system administrator with the error code (0x801c0003).”

You need to ensure that Admin1 can join computers to Azure AD and follow the principle of least privilege.

What should you do?

A. Assign the Global administrator role to Admin1.

B. Modify the Device settings in Azure AD.
C. Assign the Cloud device administrator role to Admin1.
D. Modify the User settings in Azure AD.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

QUESTION 37
Your network contains an Active Directory domain named contoso.com. The domain contains computers that
run Windows 10 and are joined to the domain.

The domain is synced to Microsoft Azure Active Directory (Azure AD).

You create an Azure Log Analytics workspace and deploy the Update Compliance solution.

You need to enroll the computers in the Update Compliance solution.

Which Group Policy setting should you configure?

A. Specify intranet Microsoft update service location

B. Allow Telemetry
C. Configure the Commercial ID
D. Connected User Experiences and Telemetry

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Microsoft uses a unique commercial ID to map information from user computers to your Azure workspace.
Copy your commercial ID key from any of the Windows Analytics solutions you have added to your Windows
Portal, and then deploy it to user computers.

Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started

QUESTION 38
You have an Azure Active Directory (Azure AD) tenant and 100 Windows 10 devices that are Azure AD joined
and managed by using Microsoft Intune.

You need to configure Microsoft Defender Firewall and Microsoft Defender Antivirus on the devices. The
solution must minimize administrative effort.

9729F35A67F73FB4F4596D0C36FF13FC
Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Endpoint
protection settings.
B. To configure Microsoft Defender Firewall, crate a device configuration profile and configure the Device
restrictions settings.
C. To configure Microsoft Defender Firewall, create a Group Policy Object (GPO) and configure Windows
Defender Firewall with Advanced Security.
D. To configure Microsoft Defender Antivirus, create a Group Policy Object (GPO) and configure Windows
Defender Antivirus settings.
E. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Device
restrictions settings.
F. To configure Microsoft Defender Firewall, create a device configuration profile and configure the Endpoint
protection settings.

Correct Answer: AF
Section: (none)
Explanation

Explanation/Reference:
Explanation:
F: With Intune, you can use device configuration profiles to manage common endpoint protection security
features on devices, including:
Firewall
BitLocker
Allowing and blocking apps
Microsoft Defender and encryption

Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-configure

https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy#create-an-endpoint-security-
policy

9729F35A67F73FB4F4596D0C36FF13FC
Manage Apps and Data

Testlet 1

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like
to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time
provided.

To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.

General Overview

Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales,
marketing, research, human resources (HR), development, and IT departments.

Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.

Existing Environment

Current Business Model

The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11 AM to 10 PM.

Litware has a Microsoft System Center 2012 R2 Configuration Manager deployment.

During discovery, the company discovers a process where users are emailing bank account information of its
customers to internal and external recipients.

Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD).
The functional level of the forest and the domain is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.

Litware has the computers shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
The development department uses projects in Azure DevOps to build applications.

Most of the employees in the sales department are contractors. Each contractor is assigned a computer that
runs Windows 10. At the end of each contract, the computer is assigned to a different contractor. Currently, the
computers are re-provisioned manually by the IT department.

Problem Statements
Litware identifies the following issues on the network:

Employees in sales department computers is too time the Los Angeles office report slow Internet
performance when updates are downloading. The employees also report that the updates frequently
consume considerable resources when they are installed. The Update settings are configured as shown in
the Updates exhibit. (Click the Updates button.)
Management suspects that the source code for the proprietary applications in Azure DevOps in being
shared externally.
Re-provisioning theconsuming.

Requirements

Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers. Whenever
possible, Litware wants to minimize hardware and software costs.

Device Management Requirements

Litware identifies the following device management requirements:

Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications
to untrusted applications.

Technical Requirements
Litware identifies the following technical requirements for the planned deployment:

Re-provision the sales department computers by using Windows AutoPilot.

Ensure that the projects in Azure DevOps can be accessed from the corporate network only.
Ensure that users can sign in to the Azure AD-joined computers by using a PIN. The PIN must expire every
30 days.
Ensure that the company name and logo appears during the Out of Box Experience (OOBE) when using
Windows AutoPilot.

Exhibits

Updates

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 1
HOTSPOT

You need to recommend a solution to meet the device management requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Explanation:

From the scenario:

Litware identifies the following device management requirements:

Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications
to untrusted applications.

Box 1:
Employees in the research department must be prevented from copying patented information from trusted

9729F35A67F73FB4F4596D0C36FF13FC
applications to untrusted applications. This requires an App protection policy.

App protection policies make sure that the app-layer protections are in place. For example, you can:
Require a PIN to open an app in a work context
Control the sharing of data between apps
Prevent the saving of company app data to a personal storage location

Box 2:
Employees in the sales department must be prevented from forwarding email that contains bank account
information.

Azure Information Protection is a cloud-based solution that helps an organization to classify and optionally,
protect its documents and emails by applying labels. Labels can be applied automatically by administrators who
define rules and conditions, manually by users, or a combination where users are given recommendations.

Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy

https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection

9729F35A67F73FB4F4596D0C36FF13FC
Manage Apps and Data

Testlet 2

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like
to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time
provided.

To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.

Overview
Contoso, Ltd., is a consulting company that has a main office in Montreal and two branch offices in Seattle and
New York.

Contoso has the users and computers shown in the following table.

The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.

Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.

The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from
home.

Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active
Directory (Azure AD).

All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.

The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are
managed by using Microsoft Intune.

The naming convention for the computers is the department acronym, followed by a hyphen, and then four
numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.

Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer

9729F35A67F73FB4F4596D0C36FF13FC
account is in the Computers OU of its respective department.

Intune Configuration

The domain has the users shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.

The devices enrolled in Intune are shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

9729F35A67F73FB4F4596D0C36FF13FC
Requirements

Planned Changes
Contoso plans to implement the following changes:

Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled
and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.

Technical Requirements
Contoso must meet the following technical requirements:

Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices
that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.

QUESTION 1
You need to meet the requirements for the MKG department users.

What should you do?

A. Assign the MKG department users the Purchaser role in Microsoft Store for Business
B. Download the APPX file for App1 from Microsoft Store for Business
C. Add App1 to the private store
D. Assign the MKG department users the Basic Purchaser role in Microsoft Store for Business
E. Acquire App1 from Microsoft Store for Business

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-from-your-private-store

9729F35A67F73FB4F4596D0C36FF13FC
Manage Apps and Data

Question Set 3

QUESTION 1
Your company has a main office and six branch offices. The branch offices connect to the main office by using
a WAN link. All offices have a local Internet connection and a Hyper-V host cluster.

The company has a Microsoft Endpoint Configuration Manager deployment. The main office is the primary site.
Each branch office has a distribution point.

All computers that run Windows 10 are managed by using both Configuration Manager and Microsoft Intune.

You plan to deploy the latest build of Microsoft Office 365 ProPlus to all the computers.

You need to minimize the amount of network traffic on the company’s Internet links for the planned
deployment.

What should you include in the deployment plan?

A. From Intune, configure app assignments for the Office 365 ProPlus suite. In each office, copy the Office
365 distribution files to a Microsoft Deployment Toolkit (MDT) deployment share.
B. From Intune, configure app assignments for the Office 365 ProPlus suite. In each office, copy the Office
365 distribution files to a Configuration Manager distribution point.
C. From Endpoint Configuration Manager, create an application deployment. Copy the Office 365 distribution
files to a Configuration Manager cloud distribution point.
D. From Endpoint Configuration Manager, create an application deployment. In each office, copy the Office
365 distribution files to a Configuration Manager distribution point.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/deployoffice/deploy-office-365-proplus-with-system-center-configuration-
manager-2012r2#distribute-the-office-365-proplus-application-to-distribution-points-in-configuration-manager

QUESTION 2
HOTSPOT

Your company has a computer named Computer1 that runs Windows 10 Pro.

The company develops a proprietary Universal Windows Platform (UWP) app named App1. App1 is signed
with a certificate from a trusted certification authority (CA).

You need to sideload App1 to Computer1.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://www.windowscentral.com/how-enable-windows-10-sideload-apps-outside-store

https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10

QUESTION 3
DRAG DROP

Your company uses Microsoft Intune. You have a Microsoft Store for Business account.

You need to ensure that you can deploy Microsoft Store for Business apps by using Intune.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Select and Place:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
References:
https://blogs.msdn.microsoft.com/teju_shyamsundar/2016/05/29/integrate-windows-store-for-business-with-
microsoft-intune/

9729F35A67F73FB4F4596D0C36FF13FC
QUESTION 4
Your company has a Microsoft 365 subscription.

All the users in the finance department own personal devices that run iOS or Android. All the devices are
enrolled in Microsoft Intune.

The finance department adds new users each month.

The company develops a mobile application named App1 for the finance department users.

You need to ensure that only the finance department users can download App1.

What should you do first?

A. Add App1 to Intune.

B. Add App1 to a Microsoft Deployment Toolkit (MDT) deployment share.
C. Add App1 to Microsoft Store for Business.
D. Add App1 to the vendor stores for iOS and Android applications.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/apps-add

QUESTION 5
HOTSPOT

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All Windows 10 devices
have apps named App1, App2 and App3 installed and are enrolled in Microsoft Intune.

You configure the following settings in Windows Information Protection (WIP):

Protected apps: App1

Exempt apps: App2
Windows Information Protection mode: Silent

App1, App2, and App3 use the same file format.

You create a file named File1 in App1.

You need to identify which apps can open File1.

What apps should you identify? To answer, select the appropriate options in the answer area,

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/
create-wip-policy-using-intune

https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/
create-wip-policy-using-intune#exempt-apps-from-wip-restrictions

QUESTION 6
You have devices enrolled in Microsoft Intune as shown in the following table.

You create an app protection policy named Policy1 that has the following settings:

9729F35A67F73FB4F4596D0C36FF13FC
 Platform: Windows 10
Protected apps: App1
Exempt apps: App2
Network boundary: Cloud resources, IPv4 ranges

You assign Policy1 to Group1 and Group2. You exclude Group3 from Policy1.

Which devices will apply Policy1?

A. Device1, Device2, Device4, and Device5

B. Device1, Device4, and Device5 only
C. Device4 and Device5 only
D. Device1, Device3, Device4 and Device5

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Policy1 is applied to all devices in Group1 and Group2. It is not applied to any devices in Group3, unless those
devices are also members of Group1 or Group2.

Note: The phrase "You exclude Group3 from Policy1" is misleading. It means that Policy1 is not applied to
Group3, rather than Group3 being blocked.

Incorrect answers:
B: Policy1 applies to Device2 as Policy1 is assigned to Group2.
C: Policy1 applies to Device1 as Policy1 is assigned to Group1. Policy1 also applies to Device2 as Policy1 is
assigned to Group2.
D: Device3 is a member of Group3 only. Policy1 is not assigned to Group3.

References:
https://docs.microsoft.com/en-us/intune/app-protection-policies

QUESTION 7
HOTSPOT

Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD).

You have a Microsoft Office 365 subscription. All computers are joined to the domain and have the latest
Microsoft OneDrive sync client (OneDrive.exe) installed.

On all the computers, you configure the OneDrive settings as shown in the following exhibit.

9729F35A67F73FB4F4596D0C36FF13FC
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Explanation:

9729F35A67F73FB4F4596D0C36FF13FC
Box 1:
Silently move known folders to OneDrive is enabled. Known folder include:
Desktop, Documents, Pictures, Screenshots, and Camera Roll

Box 2:
OneDrive Files On-Demand enables users to view, search for, and interact with files stored in OneDrive from
within File Explorer without downloading them and taking up space on the local hard drive.

References:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders

https://docs.microsoft.com/en-us/onedrive/plan-onedrive-enterprise

QUESTION 8
HOTSPOT

You have a Microsoft 365 subscription.

Users have iOS devices that are not enrolled in Microsoft 365 Device Management.

You create an app protection policy for the Microsoft Outlook app as shown in the exhibit. (Click the Exhibit
tab.)

9729F35A67F73FB4F4596D0C36FF13FC
You need to configure the policy to meet the following requirements:

Prevent the users from using the Outlook app if the operating system version is less than 12.0.0.
Require the users to use an alphanumeric passcode to access the Outlook app.

What should you configure in an app protection policy for each requirement? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

9729F35A67F73FB4F4596D0C36FF13FC
Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios

QUESTION 9

9729F35A67F73FB4F4596D0C36FF13FC
You manage a Microsoft 365 environment that has co-management enabled.

All computers run Windows 10 and are deployed by using the Microsoft Deployment Toolkit (MDT).

You need to recommend a solution to deploy Microsoft Office 365 ProPlus to new computers. The latest
version must always be installed. The solution must minimize administrative effort.

What is the best tool to use for the deployment? More than one answer choice may achieve the goal. Select
the BEST answer.

A. Microsoft Intune
B. Microsoft Deployment Toolkit
C. Office Deployment Tool (ODT)
D. a Group Policy object (GPO)
E. Microsoft System Center Configuration Manager

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
References:
https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool

QUESTION 10
You have a Microsoft 365 subscription.

You have 10 computers that run Windows 10 and are enrolled in mobile device management (MDM).

You need to deploy the Microsoft Office 365 ProPlus suite to all the computers.

What should you do?

A. From the Device Management admin center, add an app.

B. From Microsoft Azure Active Directory (Azure AD), add an app registration.
C. From Microsoft Azure Active Directory (Azure AD), add an enterprise application.
D. From the Device Management admin center, create a Windows 10 device profile.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprise-app-management#application-
management-goals

QUESTION 11
You have a Microsoft 365 subscription.

You need to deploy Microsoft Office 365 ProPlus applications to Windows 10 devices.

What should you do first?

A. From Microsoft Azure Active Directory (Azure AD), create an app registration.
B. From the Device Management admin center, create an app.

9729F35A67F73FB4F4596D0C36FF13FC
C. From the Device Management admin center, create an app configuration policy.
D. From the Device Management admin center, enable Microsoft Store for Business synchronization.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add-office365

QUESTION 12
You have Windows 10 devices that are managed by using Microsoft Intune. Intune and the Microsoft Store for
Business are integrated.

You need to deploy the Remote Desktop modern app as an automatic install to the Windows 10 devices
without user interaction.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Create an Azure Active Directory group that contains all users.

B. From the Intune portal, create a Microsoft Store app for the Remote Desktop modern app.
C. From the Intune portal assign the app to the Azure Active Directory group.
D. Create an Azure Active Directory group that contains the Windows 10 devices.
E. From the Microsoft Store for Business portal, assign a license for the app to all the users in the Azure
Active Directory group.
F. For your organization, make the app available in the Microsoft Store for Business.

Correct Answer: BCD

Section: (none)
Explanation

Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add

https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy

https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business

QUESTION 13
You have devices enrolled in Microsoft Intune as shown in the following table.

On which devices can you apply app configuration policies?

9729F35A67F73FB4F4596D0C36FF13FC
A. Device1, Device2, Device3, and Device4
B. Device2 only
C. Device3 and Device4 only
D. Device1 and Device2 only
E. Device2, Device3, and Device4 only

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
App configuration policies are only required for iOS/iPadOS or Android apps

Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview

9729F35A67F73FB4F4596D0C36FF13FC