Microsoft Microsoft Certifications MD-101 Questions & Answers

• Question 31:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

  

  You have the devices shown in the following table.

  

  You have a Conditional Access policy named CAPolicy1 that has the following settings: Assignments

  -Users or workload identities: Group1

  -Cloud apps or actions: All cloud apps

  Conditions

  -Device platforms: include: Windows, Android

  -Grant access controls: Require multi-factor authentication

  You have a Conditional Access named CAPolicy2 that has the following settings:

  Assignments

  -Users or workload identities: Group2

  -Cloud apps or actions: All cloud apps

  Conditions

  -Device platforms: Android

  -Access controls: Block access

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 32:

  HOTSPOT

  You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

  

  You have a computer named Computer1 that runs Windows 10. Computer1 is in a workgroup and has the local users shown in the following table.

  

  UserA joins Computer1 to Azure AD by using [email protected].

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  Users may join devices to Azure AD: This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.

  Box 2: Yes

  [email protected] is a Azure AD security administrator

  Security Administrator

  Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Azure Active Directory Identity Protection, Azure

  Active Directory Authentication, Azure Information Protection, and Office 365 Security and Compliance Center.

  This includes:

  * Microsoft Defender for Endpoint

  Assign roles

  Manage machine groups

  Configure endpoint threat detection and automated remediation

  View, investigate, and respond to alerts

  View machines/device inventory

  Box 3: No

  [email protected] is a Azure AD Cloud device administrator.

  Cloud Device Administrator

  Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#security-administrator

• Question 33:

  HOTSPOT

  You have a Microsoft 365 E5 subscription.

  You create an app protection policy for Android devices named Policy1 as shown in the following exhibit.

  

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Install the Intune Company Portal app on the device

  On Android, Android devices will prompt to install the Intune Company Portal app regardless of which Device type is chosen.

  Bix 2: Devices only

  For Android devices, unmanaged devices are devices where Intune MDM management has not been detected. This includes devices managed by third-party

  MDM vendors.

  Reference:

  https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies#app-protection-policies-for-iosipados-and-android-apps

• Question 34:

  HOTSPOT

  You have the MDM Security Baseline profile shown in the MDM exhibit. (Click the MDM tab.)

  

  You have the ASR Endpoint Security profile shown in the ASR exhibit. (Click the ASR tab.)

  

  You plan to deploy both profiles to devices enrolled in Microsoft Intune.

  You need to identify how the following settings will be configured on the devices:

  1.

  Block Office applications from creating executable content

  2.

  Block Win32 API calls from Office macro

  Currently, the settings are disabled locally on each device.

  What are the effective settings on the devices? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Audit mode

  According to the ASR Endpoint Security profile and to the MDM Security Baseline profile

  Block Office applications from creating executable content is set to Audit mode.

  Box 2: Disable

  Block Win32 API calls from Office macro: According to MDM Security Baseline profile it is set to disable. According to the ASR Endpoint Security profile it is set to

  Audit mode.

  The profiles are merged. The Baseline profile overrides the Endpoint Security profile.

  Note:

  When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don't conflict are added to the superset policy that applies to a device.

  Attack surface reduction rule merge behavior is as follows:

  Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules.

  MDM Security Baseline profile ASR Endpoint Security profile.

  Reference:

  https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy

• Question 35:

  HOTSPOT

  You have the device configuration profile shown in the following exhibit.

  

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: can access any URL.

  Public Browsing (InPrivate): Runs a limited multi-tab version of Microsoft Edge. Users can browse publicly, or end their browsing session.

  Box 2: a single Microsoft Edge instance that has multiple tabs

  Single app, full-screen kiosk runs only one app on the device, such as a web browser or Store app.

  Reference:

  https://docs.microsoft.com/en-us/mem/intune/configuration/kiosk-settings-windows

• Question 36:

  HOTSPOT

  You have an Azure Active Directory (Azure AD) tenant named contoso.com.

  You plan to create a Conditional Access policy to block users that have a high sign-in risk level.

  You need to identify the required license, and what to use to identify the sign-in risk level.

  The solution must minimize costs.

  To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Azure AD Premium Plan 2

  You will need an Azure AD Premium P1 license to get access to the Microsoft Office 365 conditional access policy feature.

  However, need Azure AD Premium Plan 2 to sign-in risk.

  Box 2: Azure AD Identity Protection

  A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Organizations with Azure AD Premium P2 licenses can create Conditional Access policies incorporating Azure AD Identity

  Protection sign-in risk detections.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk

  https://blog.mydock365.com/what-is-conditional-access-in-microsoft-365

• Question 37:

  HOTSPOT

  You have a Microsoft 365 tenant and an internal certification authority (CA).

  You need to use Microsoft Intune to deploy the root CA certificate to managed devices.

  Which type of Intune policy and profile should you use? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Configuration profile Create a trusted certificate profile.

  Box 2: Trusted certificate When using Intune to provision devices with certificates to access your corporate resources and network, use a trusted certificate profile to deploy the trusted root certificate to those devices. Trusted root certificates establish a trust from the device to your root or intermediate (issuing) CA from which the other certificates are issued.

  Reference: https://docs.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root

• Question 38:

  HOTSPOT

  You have a Microsoft 365 subscription that contains the devices shown in the following table.

  

  You plan to enroll the devices in Microsoft Intune.

  How often will the compliance policy check-ins run after each device is enrolled in Intune?

  To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Every three minutes for 15 minutes, then every 15 minutes for two hours, and then around every eight hours If devices recently enroll, then the compliance, non-compliance, and configuration check-in runs more frequently. The check-ins are estimated at: Windows 10: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours

  

  Box 2: Every 15 minutes for one hour, and then every eight hours iOS/iPadOS: Every 15 minutes for 1 hour, and then around every 8 hours

  Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot

• Question 39:

  HOTSPOT

  You have a Microsoft 365 subscription that uses Microsoft Intune and contains 100 Windows 10 devices.

  You need to create Intune configuration profiles to perform the following actions on the devices:

  1.

  Deploy a custom Start layout.

  2.

  Rename the local Administrator account.

  Which profile template should you use for each action? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Device restriction

  Customize Start Menu Custom and Taskbar

  Here is a quick step-by-step guide to help you to deploy the prepared XML file. This Intune policy helps to customize the start menu and taskbar for Windows 10 devices.

  Logon to Microsoft Endpoint Manager Portal.

  Navigate to Devices -> Windows -> Configuration Profiles.

  Select Platform -> Windows 10 and later.

  Select Profile Type -> Template.

  Search with device and select Device Restrictions.

  Click on Create button.

  Box 2: Identity protection Use an Identity protection profile to manage Windows Hello for Business on groups of devices in Microsoft Intune. Windows Hello for Business is a method for signing in to Windows devices by replacing passwords, smart cards, and virtual

  smart cards. Intune includes built-in settings so Administrators can configure and use Windows Hello for Business.

  Incorrect:

  *

  Delivery Optimization settings for your Windows devices to reduce bandwidth consumption when those devices download applications and updates. Configure Delivery Optimization as part of your device configuration profiles.

  *

  With Intune, you can use device configuration profiles to manage common Endpoint protection security features on devices, including:

  Firewall

  BitLocker

  Allowing and blocking apps Microsoft Defender and encryption

  For example, you can create an Endpoint protection profile that only allows macOS users to install apps from the Mac App Store. Or, enable Windows

  SmartScreen when running apps on Windows 10/11 devices.

  Reference:

  https://www.anoopcnair.com/start-menu-taskbar-custom-layout-intune-cloudpc/ https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-configure

• Question 40:

  HOTSPOT

  You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1. User1 has a user principal name (UPN) of user1 @contoso.com.

  You join a Windows 10 device named Client1 to contoso.com.

  You need to add User1 to the local Administrators group of Client1.

  How should you complete the command? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: net localgroup

  Add user to group from command line (CMD)

  Windows provides command line utilities to manager user groups. In this post, learn how to use the command net localgroup to add user to a group from command prompt'

  For example to add a user 'John' to administrators group, we can run the below command. net localgroup administrators John /add

  Box 2: Contoso

  The domain of the user is Contoso.

  Reference:

  https://www.windows-commandline.com/add-user-to-group-from-command-line/