Microsoft MD-102 Online Practice Questions and Exam Preparation

Microsoft MD-102 Online Questions & Answers

• Question 151:

  HOTSPOT

  You use the Microsoft Deployment Toolkit (MDT) to deploy Windows 11.

  You need to modify the deployment share to meet the following requirements:

  1. Ensure that the user who performs the installation is prompted to set the local Administrator password

  2. Define a rule for how to name computers during the deployment.

  The solution must NOT replace the existing WinPE image.

  Which file should you modify for each requirement? To answer, select the appropriate options in the answer area,

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: CustomSettings.ini

  You can skip the entire Windows Deployment Wizard by specifying the SkipWizard property in CustomSettings.ini. To skip individual wizard pages, use the following properties:

  SkipAdminPassword

  Etc.

  Note: The CustomSettings.ini file includes for example:

  AdminPassword=pass@word1

  DomainAdmin=CONTOSO\MDT_JD

  DomainAdminPassword=pass@word1

  Some properties to use in the MDT Production rules file are as follows: DomainAdmin. The account to use when joining the machine to the domain.

  DomainAdminDomain. The domain for the join domain account.

  DomainAdminPassword. The password for the join domain account.

  Box 2: CustomSettings.ini

  Example of content in the CustomSettings.ini file:

  SkipComputerName=YES

  OSDComputerName=%ComputerName% Reference:

  https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt

  https://docs.microsoft.com/en-us/mem/configmgr/mdt/samples-guide

• Question 152:

  You have a Microsoft 365 ES subscription.

  You use Microsoft Intune to manage all devices.

  You need to prepare a Win32 app named Appl.exe for deployment.

  What should you do first?

  A. From the Microsoft Intune admin center, create an app configuration policy.
  B. Change App1.exe to the INIUNEW1N format.
  C. Change App1.exe to the INIUNEW1N format.
  D. Upload App1 exe to Azure Blob Storage.
  B. Change App1.exe to the INIUNEW1N format.

• Question 153:

  Your company implements Azure AD, Microsoft 365, Microsoft Intune, and Azure Information Protection.

  The company's security policy states the following:

  1. Personal devices do not need to be enrolled in Intune.

  2. Users must authenticate by using a PIN before they can access corporate email data.

  3. Users can use their personal iOS and Android devices to access corporate cloud services.

  4. Users must be prevented from copying corporate email data to a cloud storage service other than Microsoft OneDrive for Business.

  You need to configure a solution to enforce the security policy.

  What should you create?

  A. a device configuration profile from the Microsoft Intune admin center
  B. a data loss prevention (DLP) policy from the Microsoft Purview compliance portal
  C. an insider risk management policy from the Microsoft Purview compliance portal
  D. an app protection policy from the Microsoft Intune admin center
  D. an app protection policy from the Microsoft Intune admin center

  ---

  Explanation

  By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

  Note: The important benefits of using App protection policies are the following:

  Protecting your company data at the app level. Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.

  End-user productivity isn't affected and policies don't apply when using the app in a personal context. The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.

  App protection policies makes sure that the app-layer protections are in place. For example, you can:

  Require a PIN to open an app in a work context

  Control the sharing of data between apps

  Prevent the saving of company app data to a personal storage location MDM, in addition to MAM, makes sure that the device is protected. For example, you can require a PIN to access the device, or you can deploy managed apps to the device. You can also deploy apps to devices through your MDM solution, to give you more control over app management.

  https://docs.microsoft.com/en-us/intune/app-protection-policy

• Question 154:

  DRAG DROP

  You have a Microsoft 365 subscription that contains two users named User1 and User2.

  You need to ensure that the users can perform the following tasks:

  1. User1 must be able to create groups and manage users.

  2. User2 must be able to reset passwords for nonadministrative users.

  The solution must use the principle of least privilege.

  Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  

  ---

  Box 1: User Administrator

  User admin

  Assign the user admin role to users who you want to access and manage user password resets and manage users and groups. They can also open and manage support requests to Microsoft support.

  Box 2: Helpdesk Administrator

  Assign the Helpdesk admin role to users who want to reset passwords, force users to sign out for any security issues. They can also open and manage support requests to Microsoft support. The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.

  https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/admin-roles-page

• Question 155:

  You have a Microsoft Deployment Toolkit (MDT) deployment share.

  From the Deployment Workbench, you open the New Task Sequence Wizard and select the Standard Client Upgrade Task Sequence task sequence template.

  You discover that there are no operating system images listed on the Select OS page as shown in the following exhibit.

  

  You need to be able to select an operating system image to perform a Windows 11 in-place upgrade.

  What should you do?

  A. Enable monitoring for the deployment share.
  B. Import a full set of source files.
  C. Import a custom image file.
  D. Run the Update Deployment Share Wizard.
  B. Import a full set of source files.

  ---

  Explanation

  Importing a full set of source files into the Deployment Workbench is necessary to have an operating system image available for the in-place upgrade task sequence.

  The in-place upgrade task sequence requires access to the Windows 11 source files to perform the upgrade.

  Options A, C, and D are not directly related to the availability of operating system images in the task sequence. Enabling monitoring (Option A) is for tracking deployment progress, importing a custom image file (Option C) is for using a custom image (not needed for an in-place upgrade), and running the Update Deployment Share Wizard (Option D) is for updating the deployment share but doesn't specifically address the lack of operating system images.

• Question 156:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains devices enrolled in Microsoft Intune as shown in the following table.

  

  The subscription contains the users shown in the following table.

  

  The Remote Help Tier1 role is configured as shown in the following exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Yes

  Yes - Admin1 can take full control of Device2.

  Admin1 is Help-Desk Operator.

  Device2 is iOS.

  Note:

  Help desk operator

  Assign the help desk operator role to users who assign apps and policies to users and devices.

  Permissions:

  Elevation : Yes/No

  View screen : Yes/No

  *-> Take full control : Yes/No

  Unattended control : Yes/No

  By default, the built-in Help Desk Operator role sets all of these permissions to Yes. You can use the built- in role or create custom roles to grant only the remote tasks and Remote Help app permissions that you want different groups of users to have.

  Box 2: No

  No - Admin2 can take full control of Device1.

  Admin2 is Remote Help Tier 1.

  Device1 is Windows 11.

  Remote Helpt Tier 1 permission: Remote help app.

  Note: The new remote help capabilities will also enable administrators to set up tiers of helpdesk associates, and then determine which tier of associates can help which group of users. For example, if an organization has three tiers of helpdesk support, with RBAC the administrator can assign view-only permissions to tier 1 support, tier 2 can have full control permissions, and tier 3 could have the permissions required to elevate using their alternate local administrator credentials on the end user's device.

  Box 3: Yes

  Yes - Admin2 can take unattended control of Device3.

  Admin2 is Remote Help Tier1.

  Device3 is Android.

  Note 2: Use Remote Help with Microsoft Intune

  Supported platforms and devices

  This feature applies to:

  Windows 10/11

  Windows 11 on ARM64 devices

  Windows 10 on ARM64 devices

  Windows 365

  Android Enterprise Dedicated (Samsung and Zebra devices) macOS 13, 14, and 15

  https://learn.microsoft.com/en-us/mem/intune/fundamentals/remote-help

  https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac

  https://techcommunity.microsoft.com/blog/microsoftintuneblog/remote-help-a-new-remote-assistance-tool-from-microsoft/2822622

• Question 157:

  Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.

  After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.

  You have a Microsoft Entra tenant named contoso.com.

  You purchase an Android device named Device1.

  You need to register Device1 in contoso.com.

  Solution: You use the Google Chrome app.

  Does this meet the goal?

  A. Yes
  B. No
  B. No

  ---

  Explanation

  Correct:

  * You use the Microsoft Intune Company Portal app.

  Incorrect:

  * You use Microsoft Entra Connect.

  * You use the Google Chrome app.

  * You use the Microsoft Authenticator app.

  Note:

  Correct:

  * You use the Microsoft Intune Company Portal app.

  The Microsoft Intune Company Portal app is the correct solution for registering an Android device in the Microsoft Entra tenant. The Company Portal app is designed for users to enroll their devices into Microsoft Intune, which will then register the device with the Microsoft Entra tenant. This app allows users to manage their device registrations, access corporate resources, and apply policies.

  Incorrect:

  * You use the Microsoft Authenticator app.

  The Microsoft Authenticator app is used primarily for multi-factor authentication (MFA) and passwordless authentication. While it can be used for identity verification, it is not intended for registering devices in a Microsoft Entra tenant. The Company Portal app is required for device registration and management.

  * You use Microsoft Entra Connect.

  Microsoft Entra Connect is a tool used to synchronize on-premises Active Directory with Microsoft Entra ID (Azure AD). It is not used for registering mobile devices. Microsoft Entra Connect does not handle device enrollment or registration for mobile devices such as Android.

  https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-device-android-company-portal

• Question 158:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that includes Microsoft Intune. The subscription contains a group named Group1. Group1 contains devices enrolled in Intune.

  You deploy Remote Help in Intune.

  You need to configure Remote Help to only allow support administrators to join Remote Help sessions from the devices in Group1.

  Which type of Microsoft Entra object should you create, and which type of policy should you configure? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

• Question 159:

  You have a Microsoft 365 E5 subscription.

  You have a Microsoft Intune enrollment profile for Android Enterprise devices that has the following settings:

  Name: Profile1

  Token type: Corporate-owned, fully managed

  You need to enroll a new Android device in Intune by using Profile1.

  What should you use to enroll the device?

  A. a QR code
  B. the Company Portal app
  C. the Microsoft Authenticator app
  D. the Intune app
  C. the Microsoft Authenticator app

  ---

  Explanation

  Intune service, Set up enrollment for Android Enterprise fully managed devices

  The Microsoft Authenticator app automatically installs on fully managed devices during enrollment. This app is required for this enrollment method and cannot be uninstalled.

  https://learn.microsoft.com/en-us/mem/intune/enrollment/android-fully-managed-enroll

• Question 160:

  SIMULATION

  Username and password

  Use the following login credentials as needed:

  To enter your username, place your cursor in the Sign in box and select the username below.

  To enter your password, place your cursor in the Enter password box and select the password below.

  Microsoft 365 Username: [email protected]

  Microsoft 365 Password: i7A4$3o^HGD3L~=c[9xuOhM%^4:s11Ai

  If the Microsoft Edge browser or Microsoft 365 portal does not load successfully, select the Microsoft Edge browser icon from the task bar, type the URL "https://portal.office.com", and press Enter.

  The following information is for technical support purposes only:

  Lab Instance: 48262079

  You need to configure a policy to ensure that all Microsoft Intune-enrolled Windows devices back up their local admin account password to Microsoft Entra only.

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  Manage Windows LAPS (Local Administrator Password Solution) policy with Microsoft Intune

  Create a LAPS policy

  Step 1: Sign in to the Microsoft Intune admin center and go to Endpoint security > Account protection, and then select Create Policy.

  

  Set the Platform to Windows 10 and later, Profile to Local admin password solution (Windows LAPS), and then select Create.

  Step 2: On Basics, enter the following properties:

  Name: Enter a descriptive name for the profile. Name profiles so you can easily identify them later.

  Description: Enter a description for the profile. This setting is optional but recommended.

  Step 3: On Configuration settings, Configure a choice for Backup Directory to define the type of Directory to use to back up the local admin account. You can also choose not to back up an account and password. The type of Directory also determines which additional settings are available in this policy.

  

  [Select: Backup the password to Entra only]

  Select Next.

  Step 4: On the Scope tags page, select any desired scope tags to apply, then select Next. [Skip]

  Step 5: For Assignments, select the groups to receive this policy.. Step 6: In Review + create, review your settings and then select Create. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the policy list.

  https://learn.microsoft.com/en-us/intune/intune-service/protect/windows-laps-policy