Microsoft MD-102 Online Practice Questions and Exam Preparation

Microsoft MD-102 Online Questions & Answers

• Question 81:

  You have a Microsoft 365 tenant that contains the objects shown in the following table.

  

  You are creating a compliance policy named Compliance1.

  Which objects can you specify in Compliance1 as additional recipients of noncompliance notifications?

  A. Group3 and Group4 only
  B. Group3, Group4, and Admin1 only
  C. Group1, Group2, and Group3 only
  D. Group1, Group2, Group3, and Group4 only
  E. Group1, Group2, Group3, Group4, and Admin1
  C. Group1, Group2, and Group3 only

  ---

  Explanation

  https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups

• Question 82:

  HOTSPOT

  You have a Microsoft Entra tenant that contains the devices shown in the following table.

  

  The tenant contains the groups shown in the following table.

  

  You create a Windows Autopilot deployment profile as shown in the Deployment Profile exhibit. (Click the Deployment Profile tab.)

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

• Question 83:

  You have a Microsoft Intune deployment that contains the resources shown in the following table.

  

  You create a policy set named Set1 and add Comply1 to Set1.

  Which additional resources can you add to Set1?

  A. Conf1 only
  B. Comply2 only
  C. Comply2 and Conf1 only
  D. CA1, Conf1, and Office1 only
  E. Comply2, CA1, Conf1, and Office1
  C. Comply2 and Conf1 only

  ---

  Explanation

  You can include the following management objects in a policy set:

  Apps

  App configuration policies

  App protection policies

  Device configuration profiles (Conf1) Device compliance policies (Comply1) Windows autopilot deployment profiles Enrollment status page Settings catalog policies

  Note: Use policy sets to group collections of management objects

  Policy sets allow you to create a bundle of references to already existing management entities that need to be identified, targeted, and monitored as a single conceptual unit. A policy set is an assignable collection of apps, policies, and other management objects you've created. Creating a policy set enables you to select many different objects at once, and assign them from a single place. As your organization changes, you can revisit a policy set to add or remove its objects and assignments. You can use a policy set to associate and assign existing objects, such as apps, policies, and VPNs in a single package.

  https://learn.microsoft.com/en-us/mem/intune/fundamentals/policy-sets

• Question 84:

  Your network contains an Active Directory domain. The domain contains a computer named Computer1 that runs Windows 11.

  You need to enable the Windows Remote Management (WinRM) service on Computer1 and perform the following configurations:

  1. For the WinRM service, set Startup type to Automatic.

  2. Create a listener that accepts requests from any IP address.

  3. Enable a firewall exception for WS-Management communications.

  Which PowerShell cmdlet should you use?

  A. Connect-WSMan
  B. Enable-PSRemoting
  C. Invoke-WSManAction
  D. Enable-PSSessionConfiguration
  B. Enable-PSRemoting

  ---

  Explanation

  The Enable-PSRemoting cmdlet configures the computer to receive PowerShell remote commands that are sent by using the WS-Management technology. WS-Management based PowerShell remoting is currently supported only on Windows platform.

  The Enable-PSRemoting cmdlet performs the following operations:

  * Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks: Starts the WinRM service.

  Sets the startup type on the WinRM service to Automatic.

  Creates a listener to accept requests on any IP address.

  Enables a firewall exception for WS-Management communications.

  Creates the simple and long name session endpoint configurations if needed.

  Enables all session configurations.

  Changes the security descriptor of all session configurations to allow remote access.

  * Restarts the WinRM service to make the preceding changes effective.

  https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting

• Question 85:

  HOTSPOT

  You have an Azure AD Premium P2 subscription that contains the users shown in the following table.

  

  You purchase the devices shown in the following table.

  

  You configure automatic mobile device management (MDM) and mobile application management (MAM) enrollment by using the following settings:

  1. MDM user scope: Group1

  2. MAM user scope: Group2

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enroll

  https://powerautomate.microsoft.com/fr-fr/blog/mam-flow-mobile/

• Question 86:

  You have a Microsoft 365 E5 subscription. The subscription contains 25 computers that run Windows 11 and are enrolled in Microsoft Intune.

  You need to onboard the devices to Microsoft Defender for Endpoint.

  What should you create in the Microsoft Intune admin center?

  A. an attack surface reduction (ASR) policy
  B. a security baseline
  C. an endpoint detection and response (EDR) policy
  D. an account protection policy
  E. an antivirus policy
  C. an endpoint detection and response (EDR) policy

  ---

  Explanation

  Onboard Windows devices to Defender for Endpoint using Intune

  Enable Microsoft Defender for Endpoint in Intune

  The first step you take is to set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. Set up requires administrative access to both the Microsoft Defender Security Center, and to Intune.

  Onboard Windows devices (After you connect Intune and Microsoft Defender for Endpoint, Intune receives an onboarding configuration package from Microsoft Defender for Endpoint. You use a device configuration profile for Microsoft Defender for Endpoint to deploy the package to your Windows devices.

  The configuration package configures devices to communicate with Microsoft Defender for Endpoint services to scan files and detect threats. The device also reports its risk level to Microsoft Defender for Endpoint based on your compliance policies.

  After onboarding a device using the configuration package, you don't need to do it again.)

  You can also onboard devices using:

  *-> Endpoint detection and response (EDR) policy. Intune EDR policy is part of endpoint security in Intune. Use EDR policies to configure device security without the overhead of the larger body of settings found in device configuration profiles. You can also use EDR policy with tenant attached devices, which are devices you manage with Configuration Manager.

  https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure#enable-microsoft-defender-for-endpoint-in-intune

• Question 87:

  HOTSPOT

  You have a Microsoft 365 subscription and use the Microsoft Intune Suite.

  You have the devices shown in the following table.

  

  You plan to implement Microsoft Tunnel for Mobile Application Management (MAM).

  Which types of tunnels are supported by the devices? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Device2 and Device3 only Tunnel for MAM

  Microsoft Tunnel for Mobile Application Management

  When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune.

  Microsoft Tunnel for MAM supports the following platforms:

  Android Enterprise version 10.0 or higher [Device2] iOS version 14.0 or higher [Device3, not Device1]

  Box 2: Device2 only

  A per-app VPN tunnel

  Per-App VPN (Android only) is an optional setting. Select public or custom apps, to restrict the use of use the Tunnel VPN connection to these specified apps.

  https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-tunnel-mam

  https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-tunnel-mam-android

• Question 88:

  You need to ensure that computer objects can be created as part of the Windows Autopilot deployment. The solution must meet the technical requirements.

  To what should you grant the right to create the computer objects?

  A. Server1
  B. DC1
  C. GroupA
  D. Server2
  A. Server1

  ---

  Explanation

  The Intune connector for Active Directory is installed on Server1.

  Contoso must meet the following technical requirements:

  1. Users in GroupA must be able to deploy new computers.

  2. Administrative effort must be minimized.

  Note: To be clear, the entire domain join process will work without any direct connection to the on-premise network and domain controllers. The computer object is created on-premises through the Intune Connector for Active Directory triggered by the Windows Autopilot and Intune.

  https://blog.matrixpost.net/set-up-windows-autopilot-production-environment-part-2/

• Question 89:

  HOTSPOT

  You have a Microsoft 365 subscription. The subscription contains 1,000 computers that run Windows 11 and are enrolled in Microsoft Intune.

  You plan to create a compliance policy that has the following options enabled:

  1. Require Secure Boot to be enabled on the device.

  2. Require the device to be at or under the machine risk score.

  Which two Compliance settings should you configure? To answer, select the appropriate settings in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Device health

  https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-status

  Microsoft Defender for Endpoint

  https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows#microsoft-defender-for-endpoint

• Question 90:

  You have a Microsoft 365 E5 subscription that contains a group named Group1.

  You create a Conditional Access policy named CAPolicy1 and assign CAPolicy1 to Group1.

  You need to configure CAPolicy1 to require the members of Group1 to reauthenticate every eight hours when they connect to Microsoft Exchange Online.

  What should you configure?

  A. Session access controls
  B. an assignment that uses a User risk condition
  C. an assignment that uses a Sign-in risk condition
  D. Grant access controls
  A. Session access controls

  ---

  Explanation

  User sign-in frequency

  Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource.

  The Azure Active Directory (Azure AD) default configuration for user sign-in frequency is a rolling window of 90 days.

  Sign-in frequency control

  Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.

  Browse to Azure Active Directory > Security > Conditional Access.

  Select New policy.

  Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  Choose all required conditions for customer's environment, including the target cloud apps.

  Under Access controls > Session.

  Select Sign-in frequency.

  Choose Periodic reauthentication and enter a value of hours or days or select Every time.

  Save your policy.

  https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime