Microsoft Microsoft Certifications MD-101 Questions & Answers

• Question 21:

  HOTSPOT

  Your network contains an Active Directory domain. The domain contains the users shown in the following table.

  

  You have a server named Server that runs Windows Server 2019 and has the Windows Deployment Services role installed. Server1 contains an x86 boot image and three Windows 10 install images. The install images are shown in the following table.

  

  You purchase a computer named Computer1 that is compatible with the 64-bit version of Windows 10.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  User1 is a member of Group1. User1 does not have any permission to Image1.

  Box 2: Yes

  User1 has read permissions to Image2 through Group1.

  Box 3: Yes

  User2 has read permissions to Image3 through Group2.

• Question 22:

  HOTSPOT

  You have a Microsoft 365 E5 tenant that connects to Microsoft Defender for Endpoint.

  You have devices enrolled in Microsoft Intune as shown in the following table.

  

  You plan to use risk levels in Microsoft Defender for Endpoint to identify whether a device is compliant. Noncompliant devices must be blocked from accessing corporate resources.

  You need to identify which devices can be onboarded to Microsoft Defender for Endpoint, and which Endpoint security policies must be configured.

  What should you identify? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Device 1, Device2, Device 3, and Device 4 Supported Windows versions include Windows 8.1 and Windows 10 Other supported operating systems Android iOS Linux macOS Box 2: Device configuration profile, device compliance policy, and conditional access policy We need all three policies. Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint. This connection lets Microsoft Defender for Endpoint collect data about machine risk from supported devices you manage with Intune. Use a device configuration profile to onboard devices with Microsoft Defender for Endpoint. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level. Use a device compliance policy to set the level of risk you want to allow. Risk levels are reported by Microsoft Defender for Endpoint. Devices that exceed the allowed risk level are identified as noncompliant. Use a conditional access policy to block users from accessing corporate resources from devices that are noncompliant.

  Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile

• Question 23:

  HOTSPOT

  You have a Microsoft Intune subscription that has the following device compliance policy settings:

  1.

  Mark devices with no compliance policy assigned as: Compliant

  2.

  Compliance status validity period (days): 14

  On January 1, you enroll Windows 10 devices in Intune as shown in the following table.

  

  On January 4, you create the following two device compliance policies:

  1.

  Name: Policy1

  2.

  Platform: Windows 10 and later

  3.

  Require BitLocker: Require

  4.

  Mark device noncompliant: 5 days after noncompliance

  5.

  Scope (Tags): Tag1

  6.

  Name: Policy2

  7.

  Platform: Windows 10 and later

  8.

  Firewall: Require

  9.

  Mark device noncompliant: Immediately 10.Scope (Tags): Tag2 On January 5, you assign Policy1 and Policy2 to Group1.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  Policy1 and Policy2 apply to Group1 which Device1 is a member of. Device1 does not meet the firewall requirement in Policy2 so the device will immediately be marked as non-compliant.

  Box 2: No

  For the same reason as Box1.

  Box 3: Yes

  Policy1 and Policy2 apply to Group1. Device2 is not a member of Group1 so the policies don't apply.

  The Scope (tags) have nothing to do with whether the policy is applied or not. The tags are used in RBAC.

• Question 24:

  HOTSPOT

  You have two Windows 10 devices enrolled in Microsoft Intune as shown in the following table.

  

  The Compliance policy settings are configured as shown in the following exhibit.

  

  On August 1, you create a compliance policy as shown in the following exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  Device1 belongs to Group2. Group2 has not been assigned a compliance policy. Devices with no compliance policy assigned as Not Compliant. Device1 gets a 3 day grace period, but at August 4 is it marked as Non-compliant.

  Box 2: Yes

  Device1 belongs to Group2. Group2 has not been assigned a compliance policy. Devices with no compliance policy assigned as Not Compliant. Device1 gets a 3 day grace period, so at August 2 it is compliant.

  Box 3: No

  Device2 has BitLocker Disabled. The Windows 10 compliance policy applies to Group1 which includes Device1. At August 4 Device is marked noncompliant. 5 days later, at August 9th it is retired.

  Note:

  *

  Retire the noncompliant device: This action removes all company data off the device and removes the device from Intune management.

  *

  By default, each compliance policy includes the action for noncompliance of Mark device noncompliant with a schedule of zero days (0). The result of this default is when Intune detects a device isn't compliant, Intune immediately marks the

  device as noncompliant.

  By configuring Actions for noncompliance you gain flexibility to decide what to do about noncompliant devices, and when to do it. For example, you might choose to not block the device immediately, and give the user a grace period to become

  compliant.

  Compliance status validity period (days):

  Specify a period in which devices must successfully report on all their received compliance policies. If a device fails to report its compliance status for a policy before the validity period expires, the device is treated as noncompliant.

  Reference: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance

• Question 25:

  HOTSPOT

  

  You have a Microsoft 365 tenant that uses Microsoft Intune and contains the devices shown in the following table.

  In Endpoint security, you need to configure a disk encryption policy for each device.

  Which encryption type should you use for each device, and which role-based access control (RBAC) role in Intune should you use to manage the encryption keys?

  To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 26:

  HOTSPOT

  You have a Microsoft Deployment Toolkit (MDT) deployment share named Share1.

  You add Windows 10 images to Share1 as shown in the following table.

  

  Which images can be used in the Standard Client Task Sequence, and which images can be used in the Standard Client Upgrade Task Sequence? NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Image1, Image2, Image3, Image4, and Image5.

  All images.

  Standard Client Task Sequence Standard Client task sequence. The most frequently used task sequence. Used for creating reference images and for deploying clients in production.

  Box 2: Image1, Image2, Image3, and Image4 only.

  Exclude image5 with applications.

  Standard Client Upgrade Task Sequence

  Standard Client Upgrade task sequence. A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings,

  applications, and drivers.

  Reference:

  https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit

• Question 27:

  HOTSPOT

  You have 100 computers that run Windows 10. You have no servers. All the computers are joined to Microsoft Azure Active Directory (Azure AD).

  The computers have different update settings, and some computers are configured for manual updates.

  You need to configure Windows Update. The solution must meet the following requirements:

  1.

  The configuration must be managed from a central location.

  2.

  Internet traffic must be minimized.

  3.

  Costs must be minimized.

  How should you configure Windows Update? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Windows Server Update Services (WSUS)

  Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft

  Update to computers on your network.

  Windows Server Update Services is a built-in server role that includes the following enhancements:

  Can be added and removed by using the Server Manager

  Includes Windows PowerShell cmdlets to manage the most important administrative tasks in WSUS

  Etc.

  Box 2: A Group Policy object In an Active Directory environment, you can use Group Policy to define how computers and users can interact with Windows Update to obtain automatic updates from Windows Server Update Services (WSUS).

  Box 3: BranchCache -

  BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own

  network request. Windows Server Update Services (WSUS) and Microsoft Endpoint

  Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.

  Reference:

  https://docs.microsoft.com/en-us/windows/deployment/update/waas-branchcache

  https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates

• Question 28:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains a user named User1. You need to perform the following tasks for User1:

  1.

  Set the Usage location to Canada.

  2.

  Configure the Phone and Email authentication contact info for self-service password reset (SSPR).

  Which two settings should you configure in the Azure Active Directory admin center? To answer, select the appropriate settings in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 29:

  HOTSPOT

  You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the devices shown in the following table.

  

  Contoso.com contains the Azure Active Directory groups shown in the following table.

  

  You add a Windows Autopilot deployment profile. The profile is configured as shown in the following exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  Device1 has no Mobile device Management (MDM) configured.

  Note: Device1 is running Windows 8.1, and is registered, but not joined.

  Device1 is in Group1.

  Profile1 is assigned to Group1.

  Box 2: No

  Device2 has no Mobile device Management (MDM) configured.

  Note: Device2 is running Windows 10, and is joined.

  Device2 is in Group2.

  Group2 is in Group1.

  Profile1 is assigned to Group1.

  Box 3: Yes

  Device3 has Mobile device Management (MDM) configured.

  Device3 is running Windows 10, and is joined

  Device1 is in Group1.

  Profile1 is assigned to Group1.

  Mobile device management (MDM) enrollment: Once your Windows 10 device joins Azure AD, Autopilot ensures your device is automatically enrolled with MDMs such as Microsoft Intune. This program can automatically push configurations,

  policies and settings to the device, and install Office 365 and other business apps without you having to get IT admins to manually sort the device. Intune can also apply the latest updates from Windows Update for Business.

  Reference:

  https://xo.xello.com.au/blog/windows-autopilot

• Question 30:

  HOTSPOT

  You have devices enrolled in Microsoft Intune as shown in the following table.

  

  Intune includes the device compliance policies shown in the following table.

  

  The device compliance policies have the assignments shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  Device1 is in Group1. Policy1 is assigned to Group1. Policy2 is also assigned to Group1. Device1 is compliant to Policy1, but not compliant to Policy2 (fails on

  Secure Boot).

  By default, each device compliance policy includes the action to mark a device as noncompliant if it fails to meet a policy rule.

  Box 2: Yes

  Device2 is in Group2. Policy2 is assigned to Group2. Device2 is compliant to Policy2 (Secure boot met).

  Box 3: Yes

  Device3 is in Group 3. Policy3 and Policy4 are assigned to Group3. Policy3 is for Windows 10 so it is disregarded. Device3 is compliant to Policy4.

  Reference:

  https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started