You have devices enrolled in Microsoft Intune as shown in the following table.
On which devices can you apply app configuration policies?
Device2 only
Device1 and Device2 only
Device3 and Device4 only
Device2, Device3, and Device4 only
Device1, Device2, Device3, and Device4
Answer is Device1, Device2, Device3, and Device4
App Configuration policies in Microsoft Intune are not only for Android and iOS devices; they can also be used for Windows devices. App Configuration policies allow you to configure settings and features for apps on mobile devices, regardless of the operating system.
With App Configuration policies, you can customize app behavior, configure app settings, and even control app access to corporate resources. These policies are particularly useful for managing settings in line-of-business (LOB) apps or apps developed in-house that support AppConfig standards.
In the case of Windows devices managed by Intune, App Configuration policies can be used to configure settings for Universal Windows Platform (UWP) apps and Win32 apps deployed using Intune. This allows you to tailor the app experience and functionality to meet your organization's specific requirements.
You have an Azure AD tenant named contoso.com that contains the devices shown in the following table.
All devices contain an app named App1 and are enrolled in Microsoft Intune.
You need to prevent users from copying data from App1 and pasting the data into other apps.
Which type of policy and how many policies should you create in Intune?
Answer is
Policy type: App protection policy
Minimum number of policies: 3
You need to create separate App Protection Policies for each platform to prevent users from copying data from App1 and pasting it into other apps. Here's the breakdown:
Windows: One App Protection Policy
Android: One App Protection Policy
iOS: One App Protection Policy
So, you need a total of three App Protection Policies.
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
You plan to deploy two apps named App1 and App2 to all Windows devices. App1 must be installed before App2.
From the Intune admin center, you create and deploy two Windows app (Win32) apps.
You need to ensure that App1 is installed before App2 on every device.
What should you configure?
the App1 deployment configurations
a dynamic device group
a detection rule
the App2 deployment configurations
Answer is the App2 deployment configurations
To ensure that App1 is installed before App2 on every device, you should configure the dependency settings within the deployment configurations of App2. This involves specifying App1 as a dependency for App2, which ensures that App1 is installed before App2.
You have a Microsoft Intune subscription.
You have devices enrolled in Intune as shown in the following table.
An app named App1 is installed on each device.
What is the minimum number of app configuration policies required to manage App1?
1
2
3
4
Answer is 2
Intune represents these different app configuration policy channels as:
Managed devices. The device is managed by Intune as the unified endpoint management provider.
Managed apps. An app that has either integrated the Intune App SDK or has been wrapped using the Intune Wrapping Tool and supports App Protection Policies (APP).
In this scenario (devices enrolled in Intune):
Choose Apps > App configuration policies > Add > Managed devices.
On the Basics tab, select the platform: iOS/iPadOS or Android.
You have a Microsoft 365 E5 subscription that contains 100 iOS devices enrolled in Microsoft Intune.
You need to deploy a custom line-of-business (LOB) app to the devices by using Intune.
Which extension should you select for the app package file?
.intunemac
.ipa
.apk
.appx
Answer is .ipa
To deploy a custom line-of-business (LOB) app to iOS devices using Microsoft Intune, you should select the app package file with the .ipa extension.
You have a Microsoft 365 E5 subscription that contains a user named User1 and a web app named App1.
App1 must only accept modern authentication requests.
You plan to create a Conditional Access policy named CAPolicy1 that will have the following settings:
Assignments
Users or workload identities: User1
Cloud apps or actions: App1
Access controls
Grant: Block access
You need to block only legacy authentication requests to App1. Which condition should you add to CAPolicy1?
Filter for devices
Device platforms
User risk
Sign-in risk
Client apps
Answer is Client apps
1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Protection > Conditional Access.
3. Select Create new policy.
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5. Under Assignments, select Users or workload identities.
6. Under Include, select All users.
7. Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication. Exclude at least one account to prevent yourself from being locked out. If you don't exclude any account, you won't be able to create this policy.
8. Under Target resources > Cloud apps > Include, select All cloud apps.
9. Under Conditions > Client apps, set Configure to Yes.
10. Check only the boxes Exchange ActiveSync clients and Other clients.
11. Select Done.
12. Under Access controls > Grant, select Block access.
You have a Microsoft 365 subscription.
You use Microsoft Intune Suite to manage devices.
You have the iOS app protection policy shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Answer is
1. PIN and account credentials
2. Reset the app PIN
1. PIN and account credentials
Select Require to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.
2. Reset the app PIN
It's an APP protection policy, meaning the settings CAN'T apply to the device layer/level. An app policy is only allowed to utilize services on a device, but can't change device configurations.
You have a Microsoft 365 E5 subscription and a computer that runs Windows 11.
You need to create a customized installation of Microsoft 365 Apps for enterprise.
Which four actions should you perform in sequence?
Answer is
1. Download ODT application
2. Create a configuration file (XML)
3. setup.exe /download to download the installation files
4. setup.exe /configure to deploy the application
Overview
ADatum Corporation is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
ADatum has a Microsoft 365 E5 subscription.
Environment
Network Environment
The network contains an on-premises Active Directory domain named adatum.com. The domain contains the servers shown in the following table.
ADatum has a hybrid Azure AD tenant named adatum.com.
Users and Groups
The adatum.com tenant contains the users shown in the following table.
All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.
Enterprise State Roaming is enabled for Group1 and GroupA.
Group1 and Group2 have a Membership type of Assigned.
Devices
ADatum has the Windows 10 devices shown in the following table.
The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.
All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.
Microsoft Intune Configuration
Microsoft Intune has the compliance policies shown in the following table.
The Automatic Enrollment settings have the following configurations:
MDM user scope: GroupA
MAM user scope: GroupB
You have an Endpoint protection configuration profile that has the following Controlled folder access settings:
Name: Protection1
Folder protection: Enable
List of apps that have access to protected folders: C:\*\AppA.exe
List of additional folders that need to be protected: D:\Folder1
Assignments:
Included groups: Group2, GroupB
Windows Autopilot Configuration
ADatum has a Windows Autopilot deployment profile configured as shown in the following exhibit.
Currently, there are no devices deployed by using Windows Autopilot.
The Intune connector for Active Directory is installed on Server1.
Requirements
Planned Changes
ADatum plans to implement the following changes:
Purchase a new Windows 10 device named Device6 and enroll the device in Intune
New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
Deploy a network boundary configuration profile that will have the following settings:
Name: Boundary1
Network boundary: 192.168.1.0/24
Scope tags: Tag1
Assignments:
Included groups: Group1, Group2
Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:
ADatum must meet the following technical requirements:
Users in GroupA must be able to deploy new computers.
Administrative effort must be minimized.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer is:
No - A Cloud Device Administrator doesn't have local admin rights. Without Local Admin rights no one can make a change to the folder in question except for C:\*\AppA.exe
Yes - Tried this on my laptop and it allows me to delete the folder and enable/disable the Controlled Folder feature if needed.
No - Cannot run a script as a Global Reader. Need the execution policy enabled to be able to do that.
Question 10
Which devices are registered by using the Windows Autopilot deployment service?
Device1 only
Device3 only
Device1 and Device3 only
Device1, Device2, and Device3
Answer is Device1 only
Only Device 1, because it is corporate owned and a member of Group 1, qualifies for the OOBE provided by Autopilot. But it still needs a reset for this to happen. This requirement is not mentioned in the case study, but we have this: "All Windows 10 devices are joined to Entra ID and enrolled in Intune".