Practice Free MD-102 Exam Online Questions
DRAG DROP
You have a Microsoft Deployment Toolkit (MDT) deployment share named DS1.
You import a Windows 11 image to DS1.
You have an executable installer for an application named App1.
You need to ensure that App1 will be installed for all the task sequences that deploy the image.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Explanation:
Step 1: Add App1 to DS1
First add the application in the MDT console.
Step 2: Identify the GUID of App1.
Install an application when deploying Windows
Step 3: Modify CustomSettings.ini
In the CustomSettings.ini file, you can have the application checked by default by adding the following line:
ApplicationsXXX ={GUID-APPLICATION}
or, to force the installation (the application's box is checked and grayed out):
MandatoryApplicationsXXX ={GUID-APPLICATION}
XXX = numerical value from 000 to 999
Reference: https://rdr-it.com/en/mdt-installation-of-applications-when-deploying-windows/
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
You need to ensure that the startup performance of managed Windows 11 devices is captured and available for review in the Intune admin center.
What should you configure?
E. the Azure Monitor agent
F. a device compliance policy
G. a Conditional Access policy
H. an Intune data collection policy
Explanation:
What is the Azure Monitor Agent?
Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud.
Incorrect:
Not D:
An Intune data collection policy collects user experience data.
Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
You have a Microsoft 365 subscription that contains 500 computers that run Windows 11. The computers are Microsoft Entra joined and are enrolled in Microsoft Intune.
You plan to manage Microsoft Defender for Endpoint on the computers. You need to prevent users from disabling Microsoft Defender for Endpoint.
What should you do?
E. From the Microsoft Intune admin center, create an attack surface reduction (ASR) policy.
F. From the Microsoft Intune admin center, create an account protection policy.
G. From the Microsoft Defender portal, enable tamper protection.
H. From the Microsoft Intune admin center, create a device compliance policy.
Explanation:
Correct:
F. From the Microsoft 365 Defender portal, enable tamper protection. [Preferred]
G. From the Microsoft Intune admin center, create a device compliance policy. [Worse option]
Incorrect:
F: From the Microsoft Entra admin center, create a Conditional Access policy.
G: From the Microsoft Intune admin center, create an account protection policy.
H: From the Microsoft Intune admin center, create an attack surface reduction (ASR) policy.
Note:
From the Microsoft Intune admin center, create an account protection policy.
How do I configure or manage tamper protection?
You can use Microsoft Intune and other methods to configure or manage tamper protection, as listed in the following table:
* Use the Microsoft Defender portal.
Turn tamper protection on (or off), tenant wide.
* Etc.
—
What is tamper protection?
Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities.
Tamper protection is part of anti-tampering capabilities that include standard protection attack surface reduction rules. Tamper protection is an important part of built-in protection.
What happens when tamper protection is turned on?
When tamper protection is turned on, these tamper-protected settings can’t be changed:
Virus and threat protection remains enabled.
Real-time protection remains turned on.
Behavior monitoring remains turned on.
Antivirus protection, including IOfficeAntivirus (IOAV), remains enabled.
Cloud protection remains enabled.
Security intelligence updates occur.
Automatic actions are taken on detected threats.
Notifications are visible in the Windows Security app on Windows devices.
Archived files are scanned.
* From the Microsoft Intune admin center, create a device compliance policy.
Manage endpoint security policies on devices onboarded to Microsoft Defender for Endpoint
When you use Microsoft Defender for Endpoint, you can deploy endpoint security policies from Microsoft Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. This capability is known as Defender for Endpoint security settings management.
When you manage devices through security settings management:
C: You can use the Microsoft Intune admin center or the Microsoft 365 Defender portal to configure policies for endpoint security for Defender for Endpoint and assign those policies to Microsoft Entra ID groups. The Defender portal includes the user interface for device views, policy management, and reports for security settings management.
D: Etc.
Configure Intune
In the Microsoft Intune admin center, your account needs permissions equal to the Endpoint Security Manager built-in role-based access control (RBAC) role.
* Sign in to the Microsoft Intune admin center.
* Select Endpoint security > Microsoft Defender for Endpoint, and set Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations to On.
When you set this option to On, all devices in the platform scope for Microsoft Defender for Endpoint that aren’t managed by Microsoft Intune qualify to onboard to Microsoft Defender for Endpoint.
Incorrect:
* From the Microsoft Entra admin center, create a Conditional Access policy.
Use a conditional access policy to block users from accessing corporate resources from devices that are noncompliant.
Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
https://learn.microsoft.com/en-us/mem/intune/apps/apps-inc-exl-assignments
HOTSPOT
You have a Microsoft Entra tenant named contoso.com.
You have the devices shown in the following table.
Which devices can be Microsoft Entra joined, and which devices can be registered in contoso.com? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

Explanation:
Box 1: Device1 and Device2 only
Azure AD joined
Review supported devices
Hybrid Azure AD join supports a broad range of Windows devices. Because the configuration for devices running older versions of Windows requires other steps, the supported devices are grouped into two categories:
Windows current devices
Windows 11
Windows 10
Windows Server 2016
Windows Server 2019
Box 2: Device1, Device2, Device3, and Device4
Registered in contoso.com
Azure AD registered devices
The goal of Azure AD registered – also known as Workplace joined – devices is to provide your users with support for bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization’s resources using a personal device.
Operating Systems: Windows 10 or newer, iOS, Android, macOS, Ubuntu 20.04/22.04 LTS
Reference: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Intune to manage devices.
You need to assess device performance during startup and identify any device models that take longer than average to start.
What should you use to assess the device performance, and which portal should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

Explanation:
Box 1: Endpoint analytics
Microsoft Intune Endpoint analytics: Startup performance
The startup performance score helps IT get users from power-on to productivity quickly, without lengthy boot and sign-in delays.
Startup score
The Startup performance score helps IT get users from power-on to productivity quickly, without lengthy boot and sign-in delays. The Startup score is a number between 0 and 100. This score is a weighted average of Boot score and the Sign-in score.
Box 2: Microsoft Intune admin center
Endpoint management at Microsoft
Microsoft Intune is a single, integrated endpoint management platform for managing all your endpoints. The Microsoft Intune admin center integrates Microsoft Configuration Manager and Microsoft Intune.
Reference: https://learn.microsoft.com/en-us/mem/analytics/startup-performance
https://learn.microsoft.com/en-us/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with a Microsoft Entra tenant by using Microsoft Entra Connect.
You use Microsoft Intune and Configuration Manager to manage devices.
You need to recommend a deployment plan for new Windows 11 devices. The solution must meet the following requirements:
Devices for the marketing department must be joined to the AD DS domain only. The IT department will install complex applications on the devices at build time, before giving the devices to the marketing department users.
Devices for the sales department must be Microsoft Entra joined. The devices will be shipped directly from the manufacturer to the homes of the sales department users. Administrative effort must be minimized.
Which deployment method should you recommend for each department? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

Explanation:
Box 1: Windows Autopilot with OEM registration
Devices for the sales department must be Azure AD joined. The devices will be shipped directly from the manufacturer to the homes of the sales department users. Administrative effort must be minimized.
When you purchase devices from an OEM, that OEM can automatically register the devices with Windows Autopilot.
Box 2: Configuration Manager
Devices for the marketing department must be joined to the AD DS domain only. The IT department will install complex applications on the devices at build time, before giving the devices to the marketing department users.
Configuration Manager is part of the Microsoft Intune family of products.
The Microsoft Intune family of products is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune, without a complex migration, and with simplified licensing.
Configuration Manager also uses:
* Active Directory Domain Services and Azure Active Directory for security, service location, configuration, and to discover the users and devices that you want to manage.
Software Center is an application that’s installed when you install the Configuration Manager client on a Windows device. Users use Software Center to request and install software that you deploy. Software Center lets users do the following actions:
Browse for and install applications, software updates, and new OS versions
View their software request history
View device compliance against your organization’s policies
You can also show custom tabs in Software Center to meet additional business requirements.
Reference: https://learn.microsoft.com/en-us/mem/autopilot/oem-registration
https://learn.microsoft.com/en-us/mem/configmgr/core/understand/introduction
HOTSPOT
You have a Microsoft 365 subscription.
Users have iOS devices that are not enrolled in Microsoft Intune.
You create an app protection policy for the Microsoft Outlook app as shown in the exhibit. (Click the Exhibit tab.)
You need to configure the policy to meet the following requirements:
Prevent the users from using the Outlook app if the operating system version is less than 12.0.0.
Require the users to use an alphanumeric passcode to access the Outlook app.
What should you configure in an app protection policy for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

Explanation:
Box 1: Conditional launch
Configure conditional launch settings to set sign-in security requirements for your access protection policy.
By default, several settings are provided with pre-configured values and actions. You can delete some of these, like the Min OS version. You can also select additional settings from the Select one dropdown.
Note: There are three categories of policy settings: Data relocation, Access requirements, and Conditional launch.
Box 2: Access requirements
Access requirements include:
PIN for access: Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. The PIN is applied when working either online or offline.
You can configure the PIN strength using the settings available under the PIN for access section.
Reference: https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios