Microsoft Microsoft 365 Certified: Endpoint Administrator Associate MD-102 Questions & Answers

• Question 1:

  You are implementing Microsoft Intune Suite.

  You enroll devices in Intune as shown in the following table.

  

  The performance of which devices can be analyzed by using Endpoint analytics?

  A. Device1 only

  B. Device1 and Device2 only

  C. Device1, Device2, and Device3 only

  D. Device1, Device2, and Device4 only

  E. Device1, Device2, Device3, and Device4

  Correct Answer: B

  Endpoint analytics Prerequisites You can enroll devices via Configuration Manager or Microsoft Intune.

  To enroll devices via Intune requires:

  *

  Intune enrolled or co-managed devices running the following: Windows 10 version 1903 or later July 2021 cumulative update or later

  *

  Pro, Pro Education, Enterprise, or Education. Home and long-term servicing channel (LTSC) aren't supported.

  *

  Windows devices must be Azure AD joined or hybrid Azure AD joined. Workplace joined or Azure AD registered devices aren't supported. Network connectivity from devices to the Microsoft public cloud.

  Note: Endpoint analytics is part of the Microsoft Adoption Score. These analytics give you insights for measuring how your organization is working and the quality of the experience you're delivering to your users. Endpoint analytics can help identify policies or hardware issues that may be slowing down devices and help you proactively make improvements before end-users generate a help desk ticket.

  Reference: https://learn.microsoft.com/en-us/mem/analytics/overview

• Question 2:

  You have 200 computers that run Windows 10. The computers are joined to Azure AD and enrolled in Microsoft Intune.

  You need to enable self-service password reset on the sign-in screen.

  Which settings should you configure from the Microsoft Intune admin center?

  A. Device configuration

  B. Device enrollment

  C. Conditional access

  D. Device compliance

  Correct Answer: A

  To enable the self service password reset option with Intune.

  Use the Azure portal to create a new configuration policy. Open Microsoft Intune, choose Device Configuration, Profiles and Create profile.

  Reference:

  https://www.inthecloud247.com/enable-self-service-password-reset-feature-on-the-windows-logon-screen/

• Question 3:

  You have a Windows 10 device named Computer1 enrolled in Microsoft Intune.

  You need to configure Computer1 as a public workstation that will run a single customer-facing, full-screen application.

  Which configuration profile type template should you use in Microsoft Intune admin center?

  A. Shared multi-user device

  B. Device restrictions

  C. Kiosk

  D. Endpoint protection

  Correct Answer: C

  On Windows 10/11 devices, you can configure these devices to run in single-app kiosk mode. On Windows 10 devices, you can configure these devices to run in multi-app kiosk mode.

  Single app, full-screen kiosk

  Runs only one app on the device, such as a web browser or Store app.

  *

  Select a kiosk mode: Choose Single app, full-screen kiosk.

  *

  Etc.

  Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/kiosk-settings-windows

• Question 4:

  You have a Microsoft 365 subscription that uses Microsoft Intune Suite.

  You use Microsoft Intune to manage Windows 11 devices.

  You create a new policy set named Set and add five device configuration profiles for Windows 10 and later.

  You create a device compliance policy named Policy1.

  You need to ensure that when users are assigned the device configuration profiles in Set1, they are always assigned Policy1 also.

  What should you configure?

  A. the assignments of Policy1

  B. the Policy1 configurations

  C. the assignments of Set1

  D. the Set1 configurations

  Correct Answer: C

  Creating a policy set enables you to select many different objects at once, and assign them from a single place.

  You can include the following management objects in a policy set:

  Apps

  App configuration policies

  App protection policies *-> Device configuration profiles *-> Device compliance policies Windows autopilot deployment profiles Enrollment status page Settings catalog policies

  Note: Use policy sets to group collections of management objects Policy sets allow you to create a bundle of references to already existing management entities that need to be identified, targeted, and monitored as a single conceptual unit. A policy set is an assignable collection of apps, policies, and other management objects you've created. Creating a policy set enables you to select many different objects at once, and assign them from a single place. As your organization changes, you can revisit a policy set to add or remove its objects and assignments. You can use a policy set to associate and assign existing objects, such as apps, policies, and VPNs in a single package.

  Policy sets don't replace existing concepts or objects. You can continue to assign individual objects and you can also reference individual objects as part of a policy set. Therefore, any changes to those individual objects will be reflected in the policy set.

  You can use policy sets to:

  Group objects that need to be assigned together Assign your organization's minimum configuration requirements on all managed devices Assign commonly used or relevant apps to all users

  Reference: https://learn.microsoft.com/en-us/mem/intune/fundamentals/policy-sets

• Question 5:

  You have a Microsoft Intune subscription associated to an Azure AD tenant named contoso.com.

  Users use one of the following three suffixes when they sign in to the tenant: us.contoso.com, eu.contoso.com, or contoso.com.

  You need to ensure that the users are NOT required to specify the mobile device management (MDM) enrollment URL as part of the enrollment process. The solution must minimize the number of changes.

  Which DNS records do you need?

  A. one TXT record only

  B. three CNAME records

  C. three TXT records

  D. one CNAME record only

  Correct Answer: B

  To simplify enrollment, create a domain name server (DNS) alias (CNAME record type) that redirects enrollment requests to Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.

  If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use the following formats as their email/UPN:

  [email protected] [email protected] [email protected]

  Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#simplify-windows-enrollment-without-azure-ad-premium

• Question 6:

  You manage 1,000 computers that run Windows 10. All the computers are enrolled in Microsoft Intune. You manage the servicing channel settings of the computers by using Intune.

  You need to review the servicing status of a computer.

  What should you do?

  A. From Device configuration - Profiles, view the device status.

  B. From Software updates, view the Per update ring deployment state.

  C. From Software updates, view the audit logs.

  D. From Device compliance, view the device compliance.

  Correct Answer: B

  Reports for Update rings for Windows 10 and later policy.

  Intune offers integrated report views for the Windows update ring policies you deploy. These views display details about the update ring deployment and status:

  1) Sign in to Microsoft Endpoint Manager admin center.

  2) Select Devices > Monitor. Then under Software updates select Per update ring deployment state and choose the deployment ring to review.

  Note: Windows 10 and later update rings - Use a built-in report that's ready by default when you deploy update rings to your devices.

  Reference:

  https://docs.microsoft.com/en-us/intune/windows-update-compliance-reports

• Question 7:

  You have a workgroup computer named Client1 that runs Windows 11 and connects to a public network.

  You need to enable PowerShell remoting on Client1. The solution must ensure that PowerShell remoting connections are accepted from the local subnet only.

  Which PowerShell command should you run?

  A. Set-PSSessionConfiguration -AccessMode Local

  B. Enable-PSRemoting -SkipNetworkProfileCheck

  C. Enable-PSRemoting -Force

  D. Set-NetFirewallRule -Name “WINRM-HTTP-In-TCP-PUBLIC” -RemoteAddress Any

  Correct Answer: B

  The Enable-PSRemoting cmdlet configures the computer to receive PowerShell remote commands that are sent by using the WS-Management technology. WS-Management based PowerShell remoting is currently supported only on Windows platform.

  Syntax

  Enable-PSRemoting [-Force] [-SkipNetworkProfileCheck] [-WhatIf] [-Confirm] []

  Parameters include:

  * -SkipNetworkProfileCheck

  Indicates that this cmdlet enables remoting on client versions of the Windows operating system when the computer is on a public network. This parameter enables a firewall rule for public networks that allows remote access only from

  computers in the same local subnet.

  Reference:

  https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting

• Question 8:

  You have a Microsoft 365 subscription that contains a user named User1 and uses Microsoft Intune Suite.

  You use Microsoft Intune to manage devices that run Windows 11.

  You need to remove User1 from the local Administrators group on all enrolled devices.

  What should you configure?

  A. a device compliance policy

  B. an account protection policy

  C. an app configuration policy

  Correct Answer: B

  Account protection policy for endpoint security in Intune

  Use Intune endpoint security policies for account protection to protect the identity and accounts of your users and manage the built-in group memberships on devices.

  Manage local groups on Windows devices

  Use the Local user group membership (preview) profile to manage the users that are members of the built-in local groups on devices that run Windows 10 20H2 and later, and Windows 11 devices.

  Reference:

  https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy

• Question 9:

  Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains 100 client computers that run Windows 10.

  Currently, your company does NOT have a deployment infrastructure.

  The company purchases Windows 11 licenses through a volume licensing agreement.

  You need to recommend how to upgrade the computers to Windows 11. The solution must minimize licensing costs.

  What should you include in the recommendation?

  A. Windows Autopilot

  B. Configuration Manager

  C. subscription activation

  D. Microsoft Deployment Toolkit (MDT)

  Correct Answer: D

  Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated.

• Question 10:

  You have a computer named Computer5 that has Windows 10 installed.

  You create a Windows PowerShell script named config.ps1.

  You need to ensure that config.ps1 runs after feature updates are installed on Computer5.

  Which file should you modify on Computer5?

  A. LiteTouch.wsf

  B. SetupConfig.ini

  C. Unattend.bat

  D. Unattend.xml

  Correct Answer: B

  You can run a post script after a Windows 10 feature upgrade with SetupConfig.ini

  Reference: https://www.joseespitia.com/2017/06/01/how-to-run-a-post-script-after-a-windows-10-feature-upgrade/