MD-101 Practice Test 6 (Microsoft MD-101)
Question 1 of 62
1. Question
You have 25 Windows 10 devices that are joined to Azure Active Directory (Azure AD). You want to ensure that if a user's device is stolen, the thief cannot obtain the user's account name and password and use them to sign in to that account from any other device on the network.
What should you do?
Correct
You should configure a Windows Hello for Business PIN for the device. This can be done either from Intune in the Azure portal or by configuring Windows Hello for Business in Group Policy.
A Hello PIN is, in this respect, stronger than a password. If someone steals a user's account name and password, they can sign in as that account from anywhere. A Hello PIN, by contrast, only unlocks a private key that is bound to the physical device (held in the device's TPM where one is present), so the PIN is useless on any other device. A stolen PIN is worth nothing to a thief who does not also have the device it belongs to.
You can configure the following settings in Group Policy for Windows Hello for Business:
– Maximum PIN length
– Minimum PIN length
– Require digits
– Require lowercase letters
– Require uppercase letters
– Require special characters
– Expiration
– History
You should not configure a password policy in a Group Policy object (GPO). A password policy mandates the length and expiration of the account password, but that password remains valid from any device; it does not give the user a device-bound secret as a PIN does.
You should not configure an account lockout policy in a GPO. An account lockout policy sets how many incorrect sign-in attempts lock the account and for how long. It applies to the user's account, not to an individual device, and it does nothing against a thief who already knows the correct password.
You should not configure Dynamic Lock. Dynamic Lock locks the computer when a paired Bluetooth device (such as the user's phone) goes out of range. It does not protect the user's account credentials if the device is stolen.
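The following is an added example, not part of the practice test, that audits the Windows Hello for Business PIN policy applied to a device against a baseline, so you can confirm that the Group Policy or Intune settings listed above actually landed. It assumes (these are not stated on the page) that the "Use Windows Hello for Business" and "PIN Complexity" policies are written under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, and that the complexity values use the PassportForWork CSP encoding (0 = allowed, 1 = required, 2 = not allowed). The baseline values are example choices.

```powershell
# Added example (not from the practice test): audit the Windows Hello for Business
# PIN policy on a Windows 10 device. Run in an elevated Windows PowerShell session.
# Assumptions: policy registry locations and value semantics as noted below.

$HelloPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$PinPolicyPath   = "$HelloPolicyPath\PINComplexity"

# Example baseline: at least 6 characters, digits required, PIN never expires,
# and the last 5 PINs cannot be reused.
$Baseline = @{
    MinimumPINLength = 6
    Digits           = 1   # 1 = required (assumed CSP encoding)
    Expiration       = 0   # 0 = never expires
    History          = 5
}

function Test-HelloEnabled {
    # "Use Windows Hello for Business" policy writes Enabled = 1 (assumption)
    $v = (Get-ItemProperty -Path $HelloPolicyPath -ErrorAction SilentlyContinue).Enabled
    return ($v -eq 1)
}

function Get-HelloPinPolicy {
    if (-not (Test-Path $PinPolicyPath)) { return $null }   # no PIN policy applied
    $item = Get-ItemProperty -Path $PinPolicyPath
    [pscustomobject]@{
        MinimumPINLength  = $item.MinimumPINLength
        MaximumPINLength  = $item.MaximumPINLength
        Digits            = $item.Digits
        LowercaseLetters  = $item.LowercaseLetters
        UppercaseLetters  = $item.UppercaseLetters
        SpecialCharacters = $item.SpecialCharacters
        Expiration        = $item.Expiration
        History           = $item.History
    }
}

function Test-HelloPinPolicy {
    param([hashtable]$Expected)
    $policy = Get-HelloPinPolicy
    if ($null -eq $policy) {
        Write-Warning "No PIN complexity policy found at $PinPolicyPath"
        return $false
    }
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $actual   = $policy.$name
        $expected = $Expected[$name]
        # Minimum length and history are floors; everything else must match exactly.
        $pass = switch ($name) {
            'MinimumPINLength' { $actual -ge $expected }
            'History'          { $actual -ge $expected }
            default            { $actual -eq $expected }
        }
        if (-not $pass) {
            $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
            Write-Warning ("{0}: expected {1}, found {2}" -f $name, $expected, $shown)
            $ok = $false
        }
    }
    return $ok
}

"Windows Hello for Business enabled by policy: $(Test-HelloEnabled)"
Get-HelloPinPolicy | Format-List
if (Test-HelloPinPolicy -Expected $Baseline) { 'PIN policy meets baseline' } else { 'PIN policy does NOT meet baseline' }
```

A value that is absent means the policy is "not configured", which for the complexity settings falls back to the device default (for example a 4-character minimum), so the audit treats an unset floor as a failure rather than assuming the default is acceptable.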
Question 2 of 62
2. Question
You have upgraded the hardware on several computers and replaced all outdated computers in the nutex.com domain. All client computers are running Windows 10 and all servers run Windows Server 2016. You must ensure that security for these computers meets company requirements.
Which of the following statements are true regarding Windows Defender Credential Guard? (Choose 2)
Correct
Windows Defender Credential Guard is not supported on domain controllers. A domain controller hosts the authentication services that grant user and device access, and enabling Credential Guard on one can cause those services to crash. Credential Guard can run on Windows 10 computers (Enterprise and Education editions) and on Windows Server 2016 member servers and stand-alone servers. In a Hyper-V virtual machine it works only on Generation 2 VMs, because those provide the UEFI firmware and Secure Boot it depends on.
You cannot enable Windows Defender Credential Guard on a domain controller.
Windows Defender Credential Guard does not protect the Security Accounts Manager (SAM) database or the Active Directory database.
There are separate requirements for physical and virtual machines. A virtual machine must have a virtual TPM enabled, a 64-bit CPU, and must run Windows 10 or Windows Server 2016.
Other requirements for Credential Guard include virtualization-based security (a 64-bit CPU with virtualization extensions and second-level address translation) and Secure Boot. TPM 2.0 and UEFI lock are strongly recommended but not absolute requirements: without a TPM the keys that protect the isolated secrets are less well protected, and without UEFI lock an administrator (or malware running as one) can turn Credential Guard off remotely.
Credential Guard keeps domain credentials in an isolated process (LsaIso) inside a virtualization-based security container, rather than in the memory of the normal Local Security Authority process where earlier systems kept them. For this reason it requires the Hyper-V hypervisor. It makes use of isolated user mode, a region of memory protected by virtualization-based security that the rest of the operating system, including the kernel, cannot read.
Windows Defender Credential Guard cannot protect against a key logger: a key logger that is already installed on the computer captures the password as it is typed, before it ever reaches the protected store.
Windows Defender Credential Guard also cannot protect local accounts or Microsoft accounts; it protects domain credentials (NTLM hashes, Kerberos ticket-granting tickets and credentials that applications store as domain credentials).
Question 3 of 62
3. Question
Nutex Corporation uses Microsoft Intune as its mobile device management solution. All devices are enrolled using the Hybrid AD Join method. You have been asked to provide regular reports on the health of these devices.
What products can give you this information? (Choose all that apply.)
Correct
You should choose the following:
Windows Security Center
Windows Analytics Device Health
Azure Monitor Log Analytics
Windows Security Center offers device health information and would work in this scenario. On the device, open Windows Security and choose Device performance & health. It is local to each device, however, so a cloud-based solution is the better choice for regular reporting across a fleet.
Windows Analytics Device Health reports on devices that crash frequently and identifies the drivers that cause those crashes. It was part of Windows Analytics in the Azure portal; its successor is Desktop Analytics, which is integrated with Configuration Manager (see the first link below).
Azure Monitor Log Analytics can provide information on device health. It depends on the Log Analytics agent (the Microsoft Monitoring Agent, which runs as the HealthService service) to collect data on the device and send it to an Azure Monitor workspace.
System Center Configuration Manager is not a health reporting tool by itself. It is a device management tool.
Windows Autopilot does not monitor device health. It is used for the deployment of new devices.
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent
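The following is an added example, not part of the practice test, that checks on one device whether the Log Analytics agent that Azure Monitor depends on is installed, running and connected to a workspace, and summarises the local crash evidence a device-health report is built from. It assumes (not stated on the page) that the agent's service is named HealthService, that it exposes the AgentConfigManager.MgmtSvcCfg COM object whose workspace entries carry workspaceId and ConnectionStatus properties, and that the crash event IDs are the standard System-log ones (1001 BugCheck from WER-SystemErrorReporting, 41 unexpected shutdown from Kernel-Power).

```powershell
# Added example (not from the practice test): agent status and local crash summary
# for a Windows 10 device. Assumptions are noted in the comments.

function Get-MonitoringAgentStatus {
    $svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue   # assumed service name
    if ($null -eq $svc) {
        return [pscustomobject]@{ Installed = $false; Running = $false; Workspaces = @() }
    }
    $workspaces = @()
    try {
        # Assumed COM surface of the agent; property names per the agent's configuration object.
        $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
        $workspaces = @($cfg.GetCloudWorkspaces() | ForEach-Object {
            [pscustomobject]@{
                WorkspaceId      = $_.workspaceId
                ConnectionStatus = $_.ConnectionStatus   # 0 = connected (assumption)
            }
        })
    } catch {
        Write-Warning "Agent configuration object not available: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Installed  = $true
        Running    = ($svc.Status -eq 'Running')
        Workspaces = $workspaces
    }
}

function Get-CrashSummary {
    param([int]$Days = 30)
    $since  = (Get-Date).AddDays(-$Days)
    $filter = @{ LogName = 'System'; Id = 1001, 41; StartTime = $since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # 1001 from WER-SystemErrorReporting: a bug check (blue screen) was recorded.
    $bugchecks = @($events | Where-Object {
        $_.Id -eq 1001 -and $_.ProviderName -eq 'Microsoft-Windows-WER-SystemErrorReporting' })
    # 41 from Kernel-Power: the machine restarted without a clean shutdown.
    $dirty = @($events | Where-Object {
        $_.Id -eq 41 -and $_.ProviderName -eq 'Microsoft-Windows-Kernel-Power' })

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Days              = $Days
        BugChecks         = $bugchecks.Count
        UnexpectedReboots = $dirty.Count
        LastBugCheck      = ($bugchecks | Select-Object -First 1).Message
    }
}

Get-MonitoringAgentStatus | Format-List
Get-CrashSummary -Days 30 | Format-List
```

A device whose agent is installed but reports no workspace, or a workspace with a non-zero connection status, will be missing from the cloud report even though it is "managed", which is the first thing to rule out when a device is absent from the health dashboard.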
Question 4 of 62
4. Question
You have computers that run Windows 10 Cloud. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune. You need to perform the following:
– Upgrade the computers to Windows 10 Enterprise
– Create a WiFi profile
– Block ActiveX controls in Internet Explorer
What should you configure in Intune?
Correct
You should create a device configuration profile. A device configuration profile allows you to do the following:
– Perform edition upgrades, such as going from the Cloud edition to the Enterprise edition or from the Pro edition to the Enterprise edition
– Manage software updates, including when the updates are installed
– Allow or block Bluetooth on the device
– Set up a VPN or Wi-Fi profile
– Use a profile template that blocks ActiveX controls in Internet Explorer
You should not configure a device enrollment policy. A device enrollment policy specifies how a device can be enrolled. You can use it to restrict which devices may enroll by platform, such as Android, Windows or iOS, and to specify settings applied at enrollment, such as whether a reset is required, whether user affinity is used, or whether the device is locked. It does not configure settings on the device after enrollment.
You should not use a device cleanup rule. A cleanup rule removes devices from Intune that have not checked in for a specified number of days; it does not configure anything on a device.
You should not use a device compliance policy. A compliance policy evaluates whether a device meets requirements rather than configuring it. With a device compliance policy, you define rules for security settings such as:
– The device has not been rooted or jailbroken.
– The device runs at least a minimum version of the operating system.
– The device is at or under a specified threat level.
– Users must use a password to access company data on the mobile device.
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profiles
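The following is an added example, not part of the practice test, that verifies on a device that the three settings in this scenario (edition upgrade, Wi-Fi profile, ActiveX blocked in Internet Explorer) actually took effect after the device configuration profile applied. It assumes (not stated on the page) that the SSID 'NutexCorp' is the network the Wi-Fi profile configures, and that the ActiveX block is expressed as the Internet zone's "Run ActiveX controls and plug-ins" setting (value name 1200, where 3 = disable) under the machine-wide policy key, which is where a policy-enforced Internet Explorer zone setting is written.

```powershell
# Added example (not from the practice test): post-deployment verification of an
# Intune device configuration profile on a Windows 10 device.

$WifiSsid = 'NutexCorp'   # assumed SSID configured by the Wi-Fi profile

function Test-WindowsEdition {
    param([string]$Expected = 'Enterprise')
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Caption looks like "Microsoft Windows 10 Enterprise"
    [pscustomobject]@{
        Check  = 'Edition'
        Actual = $os.Caption
        Pass   = ($os.Caption -match $Expected)
    }
}

function Test-WifiProfile {
    param([string]$Ssid)
    # netsh prints one "All User Profile     : <name>" line per stored WLAN profile
    $lines   = netsh wlan show profiles 2>$null
    $present = [bool]($lines | Where-Object { $_ -match ":\s*$([regex]::Escape($Ssid))\s*$" })
    [pscustomobject]@{ Check = "Wi-Fi profile '$Ssid'"; Actual = $present; Pass = $present }
}

function Test-ActiveXBlocked {
    # Zone 3 = Internet zone. Value 1200 = "Run ActiveX controls and plug-ins":
    # 0 = enable, 1 = prompt, 3 = disable. Policy key overrides the per-user key.
    $policyZone = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $userZone   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $value = $null
    foreach ($path in @($policyZone, $userZone)) {
        if (Test-Path $path) {
            $v = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'1200'
            if ($null -ne $v) { $value = $v; break }
        }
    }
    [pscustomobject]@{
        Check  = 'IE Internet zone: run ActiveX controls (1200)'
        Actual = if ($null -eq $value) { '<not set>' } else { $value }
        Pass   = ($value -eq 3)
    }
}

$results = @(
    Test-WindowsEdition -Expected 'Enterprise'
    Test-WifiProfile -Ssid $WifiSsid
    Test-ActiveXBlocked
)
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'One or more profile settings did not apply' }
```

Checking the policy key before the user key matters: a user can flip the per-user zone setting back, but a value under the Policies hive is enforced and is what an Intune or Group Policy setting writes.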
Question 5 of 62
5. Question
You manage devices that run Windows 10. You need to ensure that only privileged system software can access operating system secrets.
What should you use?
Correct
You should use Credential Guard. It isolates credentials so that only privileged system software can access them.
In versions of Windows before Windows 10, secrets used by the operating system (NTLM hashes, Kerberos ticket-granting tickets and other domain credentials) were stored in the process memory of the Local Security Authority (LSA), where any process running with administrative rights could read them. Credential Guard moves these single sign-on credentials into an isolated process protected by virtualization-based security.
You should not use Device Guard. Device Guard prevents untrusted code from running on a device; it does not isolate secrets.
You should not use data loss prevention. DLP is an Exchange and Office 365 feature that prevents users from sending confidential data; it does not protect operating system secrets.
You should not use AppLocker. AppLocker prevents specified applications from running, but it does not isolate credentials.
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements?_ga=2.113366663.1891306208.1610497220-512178102.1610381523
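The following is an added example, not part of the practice test, that reports whether a device can run Windows Defender Credential Guard and whether it is actually running, covering the requirements discussed in questions 2 and 5 (64-bit OS, virtualization-based security, Secure Boot, TPM, not a domain controller, UEFI lock). It assumes (not stated on the page) the standard reporting surfaces: the Win32_DeviceGuard WMI class with the value encodings given in the comments, the LsaCfgFlags registry value (1 = enabled with UEFI lock, 2 = enabled without lock), and the LsaIso process as the isolated LSA.

```powershell
# Added example (not from the practice test): Credential Guard readiness and status.
# Run elevated on Windows 10 or Windows Server 2016.

function Get-CredentialGuardReport {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Win32_DeviceGuard encodings (assumed standard):
    #   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
    #   AvailableSecurityProperties: 1 = base VBS, 2 = Secure Boot, 3 = DMA protection,
    #                                4 = secure memory overwrite, 5 = UEFI code read-only
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = disabled
    $lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $uefiLock = ($lsa.LsaCfgFlags -eq 1)

    # DomainRole 4 or 5 = domain controller, where Credential Guard is not supported
    $isDc = $cs.DomainRole -in 4, 5

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        IsDomainController  = $isDc
        Is64Bit             = [Environment]::Is64BitOperatingSystem
        VbsStatus           = $dg.VirtualizationBasedSecurityStatus
        SecureBootAvailable = $dg.AvailableSecurityProperties -contains 2
        TpmPresent          = ($null -ne $tpm)
        TpmSpecVersion      = $tpm.SpecVersion
        CredGuardConfigured = $cgConfigured
        CredGuardRunning    = $cgRunning
        UefiLock            = $uefiLock
        LsaIsoRunning       = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

function Test-CredentialGuardReady {
    param($Report)
    $blockers = @()
    if ($Report.IsDomainController)       { $blockers += 'domain controller (not supported)' }
    if (-not $Report.Is64Bit)             { $blockers += '32-bit operating system' }
    if ($Report.VbsStatus -eq 0)          { $blockers += 'virtualization-based security not enabled' }
    if (-not $Report.SecureBootAvailable) { $blockers += 'Secure Boot not available' }
    if (-not $Report.TpmPresent) {
        Write-Warning 'No TPM: Credential Guard can run, but its keys are less well protected'
    }
    if ($Report.CredGuardRunning -and -not $Report.UefiLock) {
        Write-Warning 'Credential Guard runs without UEFI lock and can be disabled remotely by an administrator'
    }
    return $blockers
}

$report = Get-CredentialGuardReport
$report | Format-List
$blockers = Test-CredentialGuardReady -Report $report
if ($blockers.Count -eq 0) { 'No blockers: Credential Guard can run on this device' }
else { "Blockers: $($blockers -join '; ')" }
```

"Configured" and "Running" can differ: a policy can configure Credential Guard on a device whose firmware lacks Secure Boot or virtualization support, and the service then never starts. Reporting both columns is what distinguishes a fleet that is protected from one that is merely configured.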
Question 6 of 62
6. Question
Dreamsuites Corporation has several essential web applications that were designed several years ago. They hope to retire these applications by next year, but they are still in use. Dreamsuites has upgraded all enterprise laptops to Windows 10. Unfortunately, several of these applications no longer run as they should in Microsoft Edge. They worked correctly in Internet Explorer 11.
What steps would you suggest to alleviate this issue? (Choose all that apply.)
Question 7 of 62
7. Question
Your network contains an Active Directory domain named nutex.com. The domain has an OU named Marketing that contains five computers, named Mkt1, Mkt2, Mkt3, Mkt4, and Mkt5, that run Windows 10.
Folder Redirection is configured for a domain user named Ann. The AppData\Roaming folder and the Desktop folder are redirected to a network share named \\srv5.nutex.com\Mkt.
Ann signs in to Mkt3 and performs the following tasks:
Configures screen saver to start after one minute of inactivity.
Modifies the default save location for Microsoft Excel.
Creates a file named ClientList.xls and saves it on the desktop.
Maps a drive to \\srv5.nutex.com\FileShare.
What will be retained when Ann signs in to another computer in the Marketing OU such as Mkt5?
Correct
The file ClientList.xls saved in the Desktop folder will appear when Ann signs in to another computer in the Marketing OU, because the Desktop folder is redirected to \\srv5.nutex.com\Mkt and is read from that share on every computer.
The default save location for Excel will revert to its default. Excel stores this setting in the user's registry hive (NTUSER.DAT), which folder redirection does not cover; only a roaming user profile carries the registry hive between computers. The default directory for Office applications is %SystemDrive%\Users\%UserName%\Documents, for example C:\Users\Ann\Documents. The AppData\Roaming folder is where programs store per-user data such as default templates, configuration files and other support data. Redirecting it ensures that those files follow the user, but it does not carry settings that an application keeps in the registry.
A drive mapping is not saved by folder redirection. It is retained by a roaming user profile, or it can be delivered on every computer by a Group Policy preference (Drive Maps) applied to the user.
A roaming user profile can save the following information:
Display settings
Application settings
Network connections
Desktop layout, that is, what the user sees on the computer screen
You can configure a roaming profile in Active Directory Users and Computers or the Active Directory Administrative Center. Select the user or users that you want assigned a roaming user profile, right-click them, and then select Properties.
In the Profile section, set the Profile path. Specify the file server and the share followed by %USERNAME%, which is expanded to the name of the user at sign-in. An example would be \\srv5.nutex.com\NutexUserProfiles\%USERNAME%.
Screen saver settings are not retained by folder redirection. Screen saver settings and other display settings are stored in the registry and are retained by a roaming user profile.
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview
https://searchsecurity.techtarget.com/definition/user-profile?_ga=2.84106009.1891306208.1610497220-512178102.1610381523
https://answers.microsoft.com/en-us/insider/forum/all/windows-10-roaming-folder/6c99ffdc-90d5-4d1d-8ab1-b4f448ecc8ee
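The following is an added example, not part of the practice test. The first function applies the roaming profile path described above to every user in the Marketing OU with the ActiveDirectory module; the second, run on a client as the signed-in user, lists which known folders are redirected so that "what follows the user" can be read off the machine rather than guessed. It assumes (not stated on the page) the OU distinguished name OU=Marketing,DC=nutex,DC=com, the profile share \\srv5.nutex.com\NutexUserProfiles, and that the RSAT ActiveDirectory module is installed where the first function runs.

```powershell
# Added example (not from the practice test): roaming profile assignment (domain side)
# and redirected-folder inventory (client side). Assumptions are noted in the comments.

# ---- Domain side: run where the ActiveDirectory module is installed ----
function Set-MarketingRoamingProfiles {
    param(
        [string]$SearchBase   = 'OU=Marketing,DC=nutex,DC=com',      # assumed OU path
        [string]$ProfileShare = '\\srv5.nutex.com\NutexUserProfiles'  # assumed share
    )
    Import-Module ActiveDirectory
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties ProfilePath
    foreach ($u in $users) {
        # %USERNAME% is expanded by the client at sign-in, so each user gets a
        # private folder under the share without per-user configuration.
        $path = "$ProfileShare\%USERNAME%"
        if ($u.ProfilePath -ne $path) {
            Set-ADUser -Identity $u -ProfilePath $path
            '{0}: profile path set to {1}' -f $u.SamAccountName, $path
        }
    }
}

# ---- Client side: run as the signed-in user ----
function Get-RedirectedFolders {
    # Folder Redirection rewrites these per-user shell folder values to UNC paths;
    # a value that still points under the local profile is not redirected.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $map = [ordered]@{ Desktop = 'Desktop'; AppData = 'AppData\Roaming'; Personal = 'Documents' }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $map.Keys) {
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$props.$name)
        [pscustomobject]@{
            Folder     = $map[$name]
            Path       = $expanded
            Redirected = $expanded.StartsWith('\\')
        }
    }
}

Get-RedirectedFolders | Format-Table -AutoSize
# Set-MarketingRoamingProfiles   # run on a domain-joined admin workstation
```

In Ann's scenario the output shows Desktop and AppData\Roaming as redirected and Documents as local, which is exactly why ClientList.xls follows her while the Excel default save location (a registry value) and the mapped drive do not.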
Question 8 of 62
8. Question
You have been placed in control of managing Azure Information Protection templates to protect sensitive corporate data. You want to ensure that specific protected content starts out read-only or read/write.
How can you implement these requirements? (Choose two, each answer will be part of the solution.)
Correct
You should do the following:
Assign Read/Write content to the default template Confidential\All Employees
Assign Read Only content to the default template Highly Confidential\All Employees.
Using the default templates saves you some work if they fit your needs. In the current scenario they fit perfectly. The Confidential\All Employees template grants read and modify permissions for protected content. The Highly Confidential\All Employees template grants read-only permission for protected content.
In previous versions of Azure, the default templates were called \Confidential for granting read and modify to protected content, and \Confidential View Only for granting read-only permission for protected content.
You should not do the following:
Create two new templates to protect Read/Write content and Read Only content
Assign Read/Write content to the new template ReadWrite\All Employees
Assign Read Only content to the new template Read Only\All Employees
It is not necessary to create new templates as there are already default templates in existence that will cover the necessary use cases.
Question 9 of 62
9. Question
You manage the computers in the marketing department for the Nutex Corporation. You need to add a LOB app that does not have a Windows Store license to a running Windows 10 operating system. You type the following at the command prompt:
Match the missing parameters and values.
Correct
You should choose the following:
DISM /Online /Add-ProvisionedAppxPackage /PackagePath:C:\App1.appx /SkipLicense
You can use the DISM command-line utility to add or remove packages from an offline or online Windows image. You must use the /Online parameter in this scenario because the image is not offline, but is the running operating system. If you do not specify the /Online parameter, DISM assumes you are servicing an offline image.
The /SkipLicense parameter is used with apps that do not require a license. Do not use the /SkipLicense parameter if the app requires a license because it may compromise an image.
You should not use the Add-WindowsPackage parameter. This parameter adds a single .msu file or .cab file to a Windows image. In this scenario, you have a LOB app package that uses an .appx file, not a .msu file or .cab file.
You cannot use the stao or the ato parameter with the DISM command. These parameters are used with the Slmgr utility. You can use the Slmgr /ato sideloading product key command to activate a sideloading product key for LOB apps. The stao parameter sets a token-based activation flag. https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-app-package--appx-or-appxbundle--servicing-command-line-options https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10
Question 10 of 62
10. Question
The Nutex Corporation has an Active Directory domain named nutex.com. This domain has 100 computers that run Windows 10 version 1809. You implement hybrid Microsoft Azure Active Directory (Azure AD) and Microsoft Intune.
You need to join several devices to the nutex.com domain with Windows Autopilot. What should you do?
Choose the appropriate steps and place them in the correct order.
Unordered Choices
Register the device with Windows Autopilot
Create an Autodiscover address record
Install the Intune Connector for Active Directory on a computer running Windows Server 2016
Specify Hybrid Azure AD as the method
Create an Autopilot deployment profile
Specify Azure AD joined as the method
Create an Autodiscover Service Connection Point (SCP)
Correct
You should choose the following:
Register the device with Windows Autopilot.
Create an Autopilot deployment profile.
Specify Hybrid Azure AD as the method.
Install the Intune Connector for Active Directory on a computer running Windows Server 2016.
You can use a Hybrid Azure AD join for joining computers to your on-premises AD domain using the user-driven mode in Windows Autopilot.
You first need to register the device with Windows Autopilot. You can manually register a device by capturing its hardware ID or hardware hash and uploading this information to the Windows Autopilot deployment service. You can also use the Get-WindowsAutoPilotInfo.ps1 script to capture the hardware hash from the local computer.
You will then need to create an Autopilot deployment profile. In Windows Intune, you can choose Device Configuration > Profiles > Create Profile. In the Create Profile blade for user-driven mode, choose the Hybrid Azure AD joined method under Join to Azure AD instead of the Azure AD joined option, which only joins the computer to Azure AD.
You will then have to configure the Intune Connector for Active Directory on a server that runs Windows Server 2016 or later. Microsoft Intune uses this connector to communicate with the on-premises domain controller during the Windows Autopilot process.
You do not have to create an Autodiscover address record. An Autodiscover record is needed for an Exchange account to work properly in Outlook but is not needed for Intune.
You do not have to create an Autodiscover service connection point. A service connection point (SCP) object in Active Directory provides a way for domain-joined clients to find Autodiscover servers. Intune does not use an SCP. https://docs.microsoft.com/en-us/mem/autopilot/add-devices?_ga=2.12173108.1891306208.1610497220-512178102.1610381523 https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-hybrid-azure-ad-join-and-automatic/ba-p/286126
Question 11 of 62
11. Question
You plan to implement Windows Hello for Business with devices that run Windows 10.
What hardware requirements can be used for Windows Hello for Business authentication? (Choose all that apply.)
Your network contains an Active Directory domain named nutex.com. You have a Group Policy object named GPO1 that uses Windows Folder Redirection to redirect the Documents, Pictures, or Desktop folders to the \\srv5\UsersFolder\%UserName% location.
You want users to have their Documents, Pictures, Screenshots, and Camera Roll redirected to OneDrive for Business.
Your solution is to create a Group Policy Object named GPO2 that enables OneDrive’s Known Folder Move Group Policy to have the Documents, Pictures, Screenshots, and Camera Roll folders redirected to OneDrive for Business. You apply GPO2 to the nutex.com domain.
Does your solution allow users to have their Documents, Pictures, Screenshots, and Camera Roll redirected to OneDrive for Business?
Your organization has eight Windows 10 computers and all domain controllers run Windows Server 2012. All group policies are managed at the enterprise level.
You purchase a Windows Store app that you use for troubleshooting, and install the app on two devices that you will soon add to the domain. You attempt to install the app on another domain user’s computer after you log in to the computer using your Windows account. You receive the following error message:
“Windows Store is not available on this PC. Contact your system Administrator for more information.”
You need to be able to install this app on all Windows 10 computers on your organization’s network.
What should you do?
Correct
You should disable the Turn off the Store application group policy in the Computer Configuration\Administrative Templates\Windows Components\Store path. When this policy is set to Enabled, it prevents users from accessing Windows Store apps. This group policy controls access to the entire Windows Store. If the policy is Not Configured or set to Disabled, it allows access to the Windows Store application.
This policy can be set at the machine level or the user level. The Turn off the Store application group policy is shown in the following exhibit:
Note that the Store Policy folder does not appear on a Windows Server 2012 R2 computer or a Windows 10 computer. On your Windows Server 2012 R2 computer, you have to download the Administrative Templates (.admx) for Windows 8.1 Update and Windows Server 2012 R2 Update. You can copy the Administrative Templates to C:\Windows\PolicyDefinitions or to your Group Policy Central Store to overwrite the old ADMX and ADML files with the new ones. The Store policy definitions are not included in the Windows 10 ADMX templates. However, if you enable the Turn off the Store application in a Group Policy, it will disable the Windows Store application on a Windows 10 computer.
When you purchase a Windows Store app, you can install that app on up to 10 devices per Microsoft account. If you want to install the app on an eleventh device, you will be prompted to remove the app from another device. You will need to log in with your Microsoft account and remove a device from the Windows Store device list.
If you want to control which apps can be installed on a device, you should use the AppLocker feature, not the Turn off the Store application group policy. AppLocker is a set of Application Control Policies introduced with Windows Server 2008 R2. AppLocker adds features to manage Windows apps that are downloaded from the Windows Store.
You should not configure the Allow Store to install apps on Windows To Go workspaces group policy. This policy controls the installation properties of Windows Store apps on Windows To Go workspaces. The scenario does not mention Windows To Go. This group policy is shown in the following exhibit:
You should not enable the Turn off the Store application group policy. This is the current setting for this group policy based on the error message you received. This policy is located in the Windows Components\Store path.
You should not configure the Turn off Automatic Download of updates group policy. This policy in the Windows Components\Store path controls the download of Windows Store app updates. While this group policy can control the download of the updates, update installation must still be initiated manually by the user. Windows 10 checks the Windows Store for updates on a daily basis. When an update for an installed app is available, Windows updates the Store tile in the Start screen to indicate that updates are available. The user can choose to update one, several, or all of their installed apps. The Turn off Automatic Download of updates group policy is shown in the following exhibit:
Question 14 of 62
14. Question
Your company’s network consists of 25 Windows 10 computers and two Windows Server 2012 R2 computers. A salesperson has a Windows 10 computer named Client22. When she is in the office, she connects to the Contacts folder on another Windows 10 computer named Client3. The salesperson requests to have access to the Contacts folder even when she is not on the network or connected to the Internet.
From Client22, you open Sync Center and establish a sync partnership with Client3. Then you connect to Client3 from Client22 and locate the Contacts folder. You right-click the Contacts folder.
What should you do next?
Correct
You should select the Always available offline option. This will ensure that the contents of this folder will be available even when Client22 is offline. The following exhibit shows the Always available offline option:
You should not select the Properties option and configure the appropriate permissions on the Security tab. This will only affect the user’s permissions when she is accessing the Contacts folder via a network or locally.
You should not select the Map Network Drive option and assign a drive letter to the mapping. This will create a mapping to the Contacts folder that will only work when Client22 is connected to the network.
You should not select the Restore Previous Versions option and select the version you want to restore. This will restore a previous version of the folder, but will not ensure that the salesperson can access the folder when she is not connected to the network or the Internet.
The correct steps that you should use to ensure that a computer can access files when the computer is offline are as follows:
On the computer that needs access to the folder, establish a sync partnership with the computer on which the files reside normally.
From the same computer, navigate to the folder that you need to use offline.
Right-click the folder, and select the Always available offline option.
Set up a synchronization schedule by clicking the Schedule option in the Sync Center as highlighted in the following exhibit:
You can schedule the synchronization to run on a particular day/time schedule or when a particular event occurs, such as every time you log on to your computer.
Question 15 of 62
15. Question
As a security professional at Dreamsuites Incorporated, you are concerned about increasingly frequent attacks on Windows 10 machines. You want to keep employees from using applications that may visit dangerous domains. You want to avoid phishing scams and other attacks.
What feature should you implement?
Correct
You want to use Windows Defender Exploit Guard Network Protection. This blocks outbound connections from any application to untrusted hosts. Before enforcing it, you can enable this feature in audit mode to see which addresses or domains would have been blocked if it were fully enabled.
Network Protection is one of the four components of Windows Defender Exploit Guard:
Network protection: Helps stop web-based threats by preventing outbound connections from processes on the device to untrusted hosts/IPs, using Windows Defender SmartScreen reputation data
Attack Surface Reduction (ASR): A set of tools to protect against malware invading the device by blocking Office-, script-, and email-based threats
Controlled folder access: Blocks untrusted processes from accessing your protected folders thereby protecting sensitive data from ransomware
Exploit protection: This component is a set of exploit mitigations that replaced the Enhanced Mitigation Experience Toolkit.
You would not choose Windows Defender Exploit Guard Exploit Protection. The Exploit Protection component protects devices from malware that use OS and application exploits. It does not protect against dangerous domains.
You would not choose Microsoft Defender Threat Analytics. While useful, this tool is focused on reporting and does not meet the scenario.
You would not choose Microsoft Threat Modeling Tool. This tool contains a set of capabilities that are used by software architects in the early stages of development.
You would not choose Windows Defender Exploit Guard Controlled Folder Access. This component helps protect selected folders against ransomware. https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
Question 16 of 62
16. Question
The Sales department at Nutex is planning for a deployment of the newest Microsoft Office 365 release. They currently use Excel workbooks and Word documents that have some fairly intense macros built into them for their day-to-day work. You decide to use the Readiness Toolkit for Office add-ins and VBA utility to prepare for this deployment. On a specific user’s computer, you execute the following command:
ReadinessReportCreator.exe -mru -output \\NutexServ\finance -silent
What will this command accomplish? (Choose 2. Each option is part of the complete answer.)
Correct
When you execute the command ReadinessReportCreator.exe -mru -output \\NutexServ\finance -silent, the Readiness Toolkit scans the files in the user’s Most Recently Used (MRU) list and generates an Excel workbook as output, stored in the \\NutexServ\finance folder, without sending any output to the screen. Limiting the Readiness Report Creator to the Office documents in the user’s most recently used files list narrows the scan to the documents the user accesses on a regular basis.
The command only scans the specified files for VBA macros and makes recommendations to fix their compatibility. It does not fix or repair code in VBA macros. The command does not include the -addinscan option, which would be required to scan and report on add-ins.
The command contains the parameter -output \\NutexServ\finance. The value of this parameter is the output destination for the Excel workbook. The command will NOT scan the files in the folder \\NutexServ\finance; it uses the folder only as the output destination.
This command will NOT fix deprecated or broken macro code or add-ins for compatibility in the scanned files. It only recommends possible fixes and reports compatibility statuses.
This command will NOT scan the specified files for add-ins and report their readiness status. You would need to add the -addinscan option to accomplish this.
https://docs.microsoft.com/en-us/deployoffice/readiness-toolkit-application-compatibility-microsoft-365-apps
Question 17 of 62
17. Question
The Nutex Corporation plans to purchase several Windows 10 devices. You need to ensure that the devices will use Secure Boot.
What must you check or configure on the devices? (Choose two.)
Correct
You should run the MBR2GPT tool. It converts a disk from MBR to GPT-style partitioning, which is the main requirement to run Windows 10 in UEFI mode. MBR2GPT is a command-line utility introduced in version 1607 of Windows 10.
The computer must have UEFI firmware version 2.3.1 or higher, which includes UEFI 2.5 and 2.6. If Secure Boot is disabled on your computer, first check whether it is enabled in the BIOS (firmware settings) of your computer. Then reboot the computer and ensure that Secure Boot is enabled by booting into troubleshooting mode: run shutdown -t 3 -o -r at an administrative command prompt. When the computer boots to the Troubleshoot screen, choose Advanced Options > UEFI Firmware Settings and change the Secure Boot setting to Enabled. When you save the changes and exit, the computer reboots using Secure Boot.
You cannot use BIOS for Secure Boot. BIOS is used with legacy hardware and cannot support larger hard drives as UEFI does. Besides allowing the device to support Secure Boot, UEFI has other benefits over BIOS, such as faster startup, sleep, resume, and shutdown times.
You do NOT need a device with a TPM chip to support Secure Boot. Secure Boot does not require a Trusted Platform Module (TPM).
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/disabling-secure-boot
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/hh824987(v=win.10)?redirectedfrom=MSDN
https://www.windowscentral.com/how-convert-mbr-disk-gpt-move-bios-uefi-windows-10?_ga=2.114334087.1891306208.1610497220-512178102.1610381523
Question 18 of 62
18. Question
As an administrator for Nutex Corporation, you are part of a group responsible for maintaining essential Windows 10 updates. The main office has several Windows Server 2016 servers. Nutex also has a Dallas office with a Windows Server 2016 server and several laptops that were upgraded to Windows 10 Enterprise in 2019. The Dallas office has high-bandwidth Internet connectivity. You want to keep these laptops current with quality updates by using Windows Update for Business.
What steps must be part of this process? (Choose 3)
Correct
On each laptop, you need to configure the operating system diagnostic data level to 1 (Basic) or higher. This allows the Group Policy settings for Windows Update for Business to be honored.
You will use Group Policy to configure when the devices receive Quality Updates. You can also pause or defer updates via Group Policy. Although not offered in this scenario, Windows Intune is another option for configuring Windows Update for Business if you do not want to do this via Group Policy.
You need to create Active Directory security groups to manage updates, and filter the security on your Windows Update for Business Group Policy objects to limit them to these groups. (The groups correspond to deployment “rings”, that is, device groupings.)
You do not need to install Windows Server Update Services (WSUS) on the Dallas server. Windows Update for Business offers a peer-to-peer delivery service for updates. You may choose to include a WSUS server, but it is not required for the scenario.
You must not configure the operating system diagnostic level to 0 (Security). Windows Update for Business Group Policy settings would not be honored at this level.
Note that no additional features need to be installed; Windows Update for Business is integrated into Windows 10.
https://techcommunity.microsoft.com/t5/windows-blog-archive/what-is-windows-update-for-business/ba-p/167033?_ga=2.9534901.1891306208.1610497220-512178102.1610381523
https://docs.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb
https://docs.microsoft.com/en-us/windows/deployment/update/waas-wufb-group-policy?_ga=2.9534901.1891306208.1610497220-512178102.1610381523
Question 19 of 62
19. Question
Employees at Verigon Corporation use company-provided Windows 10 laptops that are managed with Intune. Verigon has decided to allow some employees to use their personal iPhones to access company email.
What steps will be part of the process to allow users to enroll their personal devices? (CHOOSE TWO)
Correct
You will need to obtain an Apple MDM Push certificate. This is required for Intune to manage iOS devices. You start this process in the Azure Portal, under Device Enrollment > Apple Enrollment > Apple MDM Push Certificate.
You will need to have users install the Intune Company Portal application on their iOS devices. After you complete the prerequisites and assign user licenses, users can download the app from the App Store and follow the instructions.
You do not need to create a CSV file with a list of devices to add. That action is part of using Windows Autopilot to enroll company devices in Intune, but it is not relevant here.
You do not need to have users install the Lookout for Work application on their iOS devices. Lookout for Work is one of several Mobile Threat Defense applications that you may choose to implement, but they are not part of enrollment.
You do not need to add a device enrollment manager account to Intune. Adding a user as a device enrollment manager would allow that user to enroll up to 1000 devices. The scenario is about self-enrollment.
https://docs.microsoft.com/en-us/mem/intune/user-help/use-managed-devices-to-get-work-done?_ga=2.76576405.1891306208.1610497220-512178102.1610381523
https://docs.microsoft.com/en-us/mem/intune/enrollment/ios-enroll
Question 20 of 62
20. Question
Dreamsuites Corporation has been using Configuration Manager for their devices, but has now implemented Windows Intune as their mobile device management solution. All devices are joined to the Dreamsuites.com domain. Dreamsuites has an Azure AD Premium subscription. You have been asked to provide a solution to enroll existing Windows 10 devices in Intune that does not require any end-user interaction.
What methods might meet the Dreamsuites requirement? (Choose all that apply.)
Correct
You could use bulk enrollment as an enrollment method. This method requires the creation of a provisioning package using Windows Configuration Designer (WCD).
You could use a device enrollment manager (DEM) account as an enrollment method. A DEM account lets a single user account enroll up to 1000 devices.
You could use Hybrid Azure AD Join as an enrollment method. You can set up a GPO for this purpose to trigger auto-enrollment for domain-joined devices.
You could use Configuration Manager Co-Management as an enrollment method, as long as the Windows 10 devices have the Configuration Manager client. When you manage devices with both Configuration Manager and Intune, Microsoft refers to this as co-management.
Windows Autopilot would be a useful method for the deployment and pre-configuration of new devices in the future, but the scenario applies to existing devices.
Note that some of these methods require an Azure AD Premium subscription.
Question 21 of 62
21. Question
Your network contains an Active Directory domain named nutex.com that is synced to Microsoft Azure Active Directory (Azure AD).
You have a Microsoft 365 subscription. You have devices that run Android, iOS, and Windows. Devices can connect either in the office or remotely. You want to have a conditional access policy to enforce Microsoft Cloud App Security session control when Android, iOS, or Windows devices are unmanaged and not joined to Azure AD.
Which settings should you configure in a conditional access policy?
Correct
You should choose Device State. Device state can exclude hybrid Azure AD-joined devices from a conditional access policy, and it can mark a device as compliant in a conditional access policy. Device state can therefore be used to apply a conditional access policy to unmanaged devices, enforcing the Microsoft Cloud App Security session control whenever a device is unmanaged.
You should not choose Device Platform in the conditional access policy. Device Platform allows you to include or exclude specific device platforms. In this scenario, all platforms are included, so there is no need to exclude any.
You should not choose Locations in the conditional access policy. By default, all locations are included in the policy.
You should not choose Users and Groups. This condition is used to include or exclude guest users, directory roles, or a specific group of users.
Question 22 of 62
22. Question
Your company has purchased another company. The purchased company’s computer inventory runs Windows 10 and will be assigned to new users in your organization using Windows Autopilot.
Which four actions should be performed in sequence in Windows Autopilot?
Unordered Choices
– Run the Get-WindowsAutoPilotInfo.ps1 PowerShell script
– Upload the CSV inventory file
– Employee logs in with email and password
– Windows Intune push apps to users
– Upload the JSON inventory file
– Run the Azureinventory_V2.ps1 PowerShell script
– Have user select Cortana and Privacy settings [Windows autopilot takes care of those decisions]
Correct
You should choose the following actions:
1. Run the Get-WindowsAutoPilotInfo.ps1 PowerShell script.
2. Upload the CSV inventory file.
3. Employee logs in with email and password.
4. Windows Intune pushes apps to user.
You will first need to register the devices by creating a profile and assigning the devices. You can use the Get-WindowsAutoPilotInfo.ps1 PowerShell script to create a CSV file that will contain an inventory list of the computers. The CSV file will need to have three headings with the following:
Column A: Device Serial Number
Column B: Windows Product ID
Column C: Hardware Hash
This file must be a CSV file, not a JSON file.
You can create multiple CSV files if need be. You can upload the CSV files via AzCopy to storage, such as Azure Blob Storage, but you will need to combine the multiple files into a single CSV file. This single CSV file has to be uploaded to Autopilot and Deployment Profiles must be assigned.
The device can then be delivered to the end user. The IT department does not need to touch the device; it can go straight to the end user. When the user receives the device, they will log in with their email address and password.
The end user will choose the appropriate language, keyboard, and locale, and will need to connect to either a wireless or wired network, or both. Once the user connects to the network, Autopilot will finish the setup tasks, including privacy settings, Cortana settings, and other OOBE settings. Once the OOBE settings have finished, Windows Intune will push any configured apps to the device.
You should not run the AzureInventory_V2.ps1 script. This script is used to create a CSV of the objects in Azure.
You should not have the user select Cortana and Privacy settings. Windows Autopilot takes care of those decisions and other OOBE user prompts during auto-enrollment. https://docs.microsoft.com/en-us/microsoft-365/business/add-autopilot-devices-and-profile?view=o365-worldwide https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot?_ga=2.17028537.1891306208.1610497220-512178102.1610381523 https://docs.microsoft.com/en-us/mem/autopilot/enrollment-autopilot?_ga=2.17028537.1891306208.1610497220-512178102.1610381523
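The explanation above says several Get-WindowsAutoPilotInfo.ps1 exports must be combined into one CSV with exactly the three required columns before upload; the following is an added example (not part of the practice test or Microsoft's script) that merges such files, checks the headers, drops duplicate serial numbers, and enforces the 175-row import limit quoted in Question 26. All device rows are constructed placeholders, and the file names and `$MaxRows` variable are assumptions.

```powershell
# Added example: merge per-site Autopilot inventory CSVs into the single file Autopilot expects.
# Sample inputs are constructed; real Hardware Hash values are long base64 blobs.

$RequiredHeaders = @('Device Serial Number', 'Windows Product ID', 'Hardware Hash')
$MaxRows = 175   # per-file import limit stated in the practice test

# Two constructed exports, shaped like Get-WindowsAutoPilotInfo.ps1 output (placeholder values).
$SiteA = @'
Device Serial Number,Windows Product ID,Hardware Hash
SN-A-0001,PRODUCTID-PLACEHOLDER-A1,HASH-PLACEHOLDER-A1
SN-A-0002,PRODUCTID-PLACEHOLDER-A2,HASH-PLACEHOLDER-A2
'@
$SiteB = @'
Device Serial Number,Windows Product ID,Hardware Hash
SN-A-0002,PRODUCTID-PLACEHOLDER-A2,HASH-PLACEHOLDER-A2
SN-B-0001,PRODUCTID-PLACEHOLDER-B1,HASH-PLACEHOLDER-B1
'@

function Test-AutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [Parameter(Mandatory)][string]$Label
    )
    $rows = $CsvText | ConvertFrom-Csv
    if (-not $rows) { throw "$Label contains no device rows" }

    # Header check: all three required columns must be present with the exact spelling.
    $headers = $rows[0].PSObject.Properties.Name
    $missing = $RequiredHeaders | Where-Object { $_ -notin $headers }
    if ($missing) { throw "$Label is missing column(s): $($missing -join ', ')" }

    # Row check: a blank serial number or hash would be rejected at import time.
    foreach ($r in $rows) {
        if ([string]::IsNullOrWhiteSpace($r.'Device Serial Number') -or
            [string]::IsNullOrWhiteSpace($r.'Hardware Hash')) {
            throw "$Label has a row with an empty serial number or hardware hash"
        }
    }
    return $rows
}

function Merge-AutopilotCsv {
    param(
        [Parameter(Mandatory)][hashtable]$Inputs,   # label -> CSV text
        [Parameter(Mandatory)][string]$OutFile
    )
    $all = foreach ($k in $Inputs.Keys) { Test-AutopilotCsv -CsvText $Inputs[$k] -Label $k }

    # A device exported at two sites must appear only once; keep the first copy.
    $unique = $all | Group-Object 'Device Serial Number' | ForEach-Object { $_.Group[0] }
    $dups = @($all).Count - @($unique).Count
    if ($dups -gt 0) { Write-Warning "Dropped $dups duplicate serial number(s)" }

    if (@($unique).Count -gt $MaxRows) {
        throw "Merged file has $(@($unique).Count) rows; split it into files of at most $MaxRows"
    }

    # Emit only the required columns, in order, without the type-information header line.
    $unique | Select-Object $RequiredHeaders | Export-Csv -Path $OutFile -NoTypeInformation
    return @($unique).Count
}

$outPath = Join-Path $env:TEMP 'AutopilotMerged.csv'   # assumed output location
$count = Merge-AutopilotCsv -Inputs @{ 'SiteA.csv' = $SiteA; 'SiteB.csv' = $SiteB } -OutFile $outPath
"Wrote $count device row(s) to $outPath"
```

With the constructed inputs the script warns about one duplicate (SN-A-0002) and writes three rows.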
Question 23 of 62
23. Question
You are the desktop support technician of your company. The network consists of a single Active Directory domain. All client computers on the network run Windows 10.
You are configuring folder redirection for all users. You create a shared folder on a file server that will contain home directories of all users. You want to redirect user data to the user’s home directory. You need to determine which folders can be redirected to the user’s home directory.
Which folder can be redirected in this scenario?
Correct
You can redirect the Documents folder to the user’s home directory. Folder Redirection is a feature that allows users and administrators to redirect user-specific profile folders, such as Documents, Desktop, and Start Menu, to an alternate location.
You can use the Folder Redirection snap-in in the Group Policy Object Editor to configure Folder Redirection policies. Each folder that you want to redirect requires a target location. Windows provides the following four options that can be selected as a target location:
– Create a folder for each user under the redirection path: When you select this option, the selected folder will be redirected to the location specified in the Root Path field. Also, this option will add a folder named after the user logon name. For example, if you redirect the Documents folder to the root path of \\SRV1\Share1, Folder Redirection will create the Documents folder under the path \\SRV1\Share1\Username.
– Redirect to the following location: When you select this option, the folder will be redirected to the exact path listed in the Root Path field.
– Redirect to the local user profile location: When you select this option, the folder will be redirected to the local user profile. The local user profile for Windows is Users\Username.
– Redirect to the user’s home directory: This option is available only on the Documents folder and redirects the Documents folder to the home folder path configured in the properties of the user object.
You cannot redirect the AppData\Roaming, AppData\Local, and Desktop folders to the user’s home directory because the Redirect to the user’s home directory option is available only for the Documents folder.
Question 24 of 62
24. Question
You work for the Nutex Corporation, which has a single Active Directory domain named nutex.com. All domain controllers run Windows Server 2012 R2. You have purchased Windows 10 client computers that will be used by salespeople. The marketing department uses computers that run Windows 8.1 Enterprise. Computers for the Finance department run Windows RT and Windows 8.1 Pro. All certificates are issued by an internal certification authority (CA). All of the computers are managed by using Microsoft Intune.
You want to install LOB apps on the computers for the Sales department, Marketing department, and Finance department by sideloading, not by going through the Windows Store. You have enabled the Allow all trusted applications to install Group Policy setting in a GPO linked to nutex.com.
Which of the following are true? (Choose all that apply.)
Correct
The following are true:
– To run sideloaded LOB apps on the Windows 8.1 Pro computers, you must join the computers to nutex.com.
– Windows 10 devices do not have to be joined to a domain to sideload an app.
– Microsoft Intune sideloads apps to Windows RT, Windows 8.1 Pro, Windows 10 Enterprise, and Windows 10 computers.
– License keys are not required with Windows 10 to sideload LOB apps, but are required with earlier Windows versions.
Before you can run sideloaded LOB apps on a computer running Windows 8.1 Pro, you must join the computer to a domain that has the Allow all trusted applications to install Group Policy setting enabled or activate the sideloading product key.
Before you can run sideloaded LOB apps on a computer running Windows 8 Pro or Windows RT, you MUST activate the sideloading product key. Beginning with Windows 8.1, Microsoft allowed you to enable sideloading for all Windows 8.1 Pro devices that are joined to an Active Directory domain without activating the sideloading product key. You cannot have a Windows RT computer join a domain.
Sideloading apps in Windows 10 is different than Windows 8.1 in the following ways:
– Windows 10 computers do not have to be joined to a domain for apps to be sideloaded.
– License keys are not required to sideload an app.
– Devices may be unlocked for sideloading using an enterprise policy or through Settings on the device.
Microsoft Intune can be used to sideload apps in your organization using cloud-based deployment so that apps are available to any device with Internet access. This can be accomplished by doing the following:
1. Upload the app to Microsoft Intune.
2. Deploy the app to Microsoft Intune Groups that are based on users or devices.
Once the app is deployed, it will appear in the company portal. Microsoft Intune will NOT push the app to the user. Users will be able to deploy the app to their devices.
References: https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10 https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sideload-apps-with-dism-s14 https://www.cnet.com/how-to/how-to-sideload-apps-in-windows-10/ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/dn613839(v=ws.11)?redirectedfrom=MSDN
Question 25 of 62
25. Question
Some Nutex employees have both a company-owned Windows 10 Enterprise desktop and a Windows 10 laptop. They would like some of their settings, such as desktop themes and Microsoft Edge favorites, to be synchronized between the two computers, both at home and at the office.
As a Nutex administrator, what will you require to implement this request? (Choose all that apply.)
Correct
You will need to configure an Azure AD account for each user. They will need to log on to the computer using this account.
You will want to enable Enterprise State Roaming so that each user’s Windows 10 settings can sync to Azure AD. Note that only desktop and laptop settings can sync with an Azure AD account. You would require a normal Microsoft Account to sync mobile settings from phones and tablet devices.
On each machine, under Settings > Accounts, you will want to turn on Sync Settings.
This can be customized via GPO if desired, under Computer Configuration > Administrative Templates > Windows Components > Sync your settings.
You do not want to configure a Roaming User Profile for each user. The scenario does not say whether all users will be able to access a company server at all times where the profile would be stored. In addition, Microsoft has suggested that Roaming User Profiles will be deprecated, and Enterprise State Roaming is the better solution for Windows 10.
You do not need a Microsoft account for each user. That would be appropriate for personal unmanaged devices.
Question 26 of 62
26. Question
You plan to use Windows Autopilot to add several Windows 10 devices to Azure AD. These devices will be joined automatically to Azure AD.
What information is required from the device?
Correct
In the Azure Portal or the Azure Active Directory administrative center, you can choose Device Enrollment and import a CSV file that contains a list of devices that you want to add. The file should contain serial numbers, hardware hashes, Windows Product IDs, and optional order IDs. You can only have a maximum of 175 rows in the CSV file.
All other answers are incorrect. Computer name, MAC address, and IP address are not needed in the CSV file.
Question 27 of 62
27. Question
Your network contains an Active Directory domain named nutex.com. You have configured Group Policy to configure Folder Redirection for the Desktop folder as shown in the following exhibit:
The target is set to \\Srv11.Nutex.com.
You plan to use Known Folder Redirection (KFR) in Microsoft OneDrive for Business. However, you want to ensure that the users’ desktop content stays on their desktops after you implement KFR, and is the same content that is on the server.
Which actions should you perform? (Choose two. Each correct answer is part of the solution.)
Correct
You should do the following:
Uncheck Grant the user exclusive rights to Documents
Check Redirect the folder back to the local userprofile location when policy is removed.
You should uncheck the Grant the user exclusive rights to Documents check box. When this is enabled, Folder Redirection first checks preexisting folders to determine if the user is the owner. If the administrator previously created the folder, this check will fail and redirection will be cancelled. If you create folders for users, the permissions must be set correctly. The user’s redirected folder can inherit the ACLs from its parent.
Because you want to ensure that the desktop content of users still remains on their desktop after you implement known folder redirection, you check the Redirect the folder back to the local userprofile location when policy is removed setting. When this setting is enabled, all users for whom you want to stop Folder Redirection must log off and then log back on again. This allows you to make sure that the updated GPO settings are applied before you stop Folder Redirection.
You should not have the Leave the folder in the new location when policy is removed setting enabled. When this setting is enabled, the redirected documents will remain in OneDrive after the policy is removed. In this scenario, you want to ensure that the desktop content of users still remains on their desktop after you implement Known Folder Redirection.
You should not uncheck the Move the contents of Documents to the new location setting. If this setting is unchecked, then files residing in the local Documents folder at the time the Group Policy is applied would not automatically be moved to the new Documents location on the server. However, after that, when the user creates new documents they will be redirected to the server. Unfortunately, the contents of the Documents folder on the server and local client will not be the same.
You do not have to uncheck the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems setting. This setting applies to legacy clients.
Question 28 of 62
28. Question
To further protect user Windows 10 laptops, Dreamsuites Inc. would like to isolate user credentials from the rest of the operating system. As the security admin, you suggest using Windows Defender Credential Guard.
What are the required components to implement this feature? (CHOOSE 2)
Correct
A 64-bit CPU is a hardware requirement. The system must also include support for virtualization-based security, as that is the methodology used by the Windows Defender Credential Guard feature. You will also need Secure Boot for Windows Defender Credential Guard: Microsoft recommends that you use TPM 1.2 or greater and UEFI lock.
Windows Defender Credential Guard cannot be implemented on domain controllers.
You do not need a Hyper-V virtual machine, although Windows Defender Credential Guard can be used to protect a virtual machine.
You do not need the Windows Defender Credential Guard hardware readiness tool, but it may be useful. This tool is one of several ways to enable virtualization-based security. Other methods include Intune and Group Policy.
MSinfo32.exe is not a requirement. You may choose to use it after implementation to verify that Windows Defender Credential Guard is running.
Microsoft suggests that Windows Defender Credential Guard be implemented along with Windows Defender Device Guard. https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-how-it-works
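The explanation above names the prerequisites (64-bit CPU, virtualization-based security, Secure Boot, with TPM and UEFI lock recommended) and points to msinfo32.exe for verification. The following script is an added example, not part of the practice test, that performs that same check from PowerShell so it can be run across a fleet before and after enabling the feature. It assumes the Win32_DeviceGuard CIM class, Confirm-SecureBootUEFI (SecureBoot module), Get-Tpm (TrustedPlatformModule module) and the LsaCfgFlags registry value are available as documented by Microsoft; the status codes in the comments are taken from that documentation.

```powershell
# Added example, not part of the practice test: report whether this device meets the
# Credential Guard prerequisites discussed above and whether the feature is running.
# Run from an elevated PowerShell session on Windows 10 Enterprise.

function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # A 64-bit operating system is a hard requirement.
    $is64Bit = [System.Environment]::Is64BitOperatingSystem

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, which means "no".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

    # TPM is recommended rather than required; report whether one is present and ready.
    $tpmReady = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch { $tpmReady = $false }

    # Virtualization-based security state, the same data msinfo32.exe displays.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $cgConfigured = (@($dg.SecurityServicesConfigured) -contains 1)
    $cgRunning    = (@($dg.SecurityServicesRunning) -contains 1)

    # UEFI lock: LsaCfgFlags = 1 enables Credential Guard with UEFI lock, 2 without the lock.
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
               -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags
    $uefiLock = ($lsaCfg -eq 1)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        Is64BitOS                 = $is64Bit
        SecureBootEnabled         = $secureBoot
        TpmPresentAndReady        = $tpmReady
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        UefiLock                  = $uefiLock
        # Secure Boot plus a running VBS environment is what Credential Guard needs to start.
        ReadyForCredentialGuard   = [bool]($is64Bit -and $secureBoot -and $vbsRunning)
    }
}

Get-CredentialGuardStatus | Format-List
```

A device that reports CredentialGuardConfigured but not CredentialGuardRunning has usually been configured by policy but not yet rebooted, or lacks Secure Boot; the UefiLock field shows whether the setting can be cleared remotely (no lock) or only with physical presence at the firmware (UEFI lock).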
Question 29 of 62
29. Question
Dreamsuites Incorporated is concerned about the impact of their decision to allow users to bring their own devices. They would like to be able to protect corporate data accessed on these devices. A key requirement is to prevent users from cutting and pasting data between Office 365 mobile apps. Dreamsuites has an E3 license subscription.
What Microsoft product or service should you implement?
Correct
You should implement an Intune MAM policy. A MAM policy can be configured to prevent cutting and pasting of data between applications.
You would not implement device-based conditional access to meet the goal of the scenario. Conditional access defines the device access, not the behavior of applications on the device.
You would not implement an Intune MDM policy. The scenario does not indicate that the devices are registered with Intune. Intune works with both MDM and MAM policies.
You would not implement Windows Information Protection (WIP). WIP policies only apply to Windows 10. The employees could have non-Windows devices such as Android and iOS devices.
You would not implement MDM for Office 365. MDM for Office 365 has many capabilities to protect corporate data on mobile devices, but is not as feature-rich as Intune. Only Intune allows control of copying and pasting between apps.
Question 30 of 62
30. Question
You have 15 Windows 10 devices. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune. You have implemented Microsoft OneDrive for Business.
Which of the following Windows known folders will be redirected to Microsoft OneDrive for Business?
Correct
Microsoft’s OneDrive for Business moves or redirects the following Windows known folders for users in your Active Directory domain to OneDrive for Business:
– Desktop
– Documents
– Pictures
– Screenshots
– Camera Roll
Microsoft OneDrive for Business backs up users’ data to the cloud. Users in the domain can easily access their files in OneDrive for Business from any device.
The folders such as Downloads, Music, and Videos are not Windows known folders.
Question 31 of 62
31. Question
The Nutex Corporation is headquartered in Atlanta, GA. It has branch offices in Knoxville, TN and Dallas, TX. Nutex manufactures and distributes pet toys for cats and dogs.
All desktop computers in all offices run Windows 10.
All server computers run Windows Server 2016 except the database servers, which run Windows Server 2012 R2.
Nutex has an Active Directory domain, and all offices have an organizational unit (OU) in the domain.
Nutex has recently implemented an Azure Active Directory domain.
Because the members of the sales and engineering department will sometimes work remotely, they have been issued Android devices.
Planned Changes
The Atlanta office will expand the lobby of the building to accommodate customers and partners. Kiosk computers will be stationed there for customers and partners to use.
The accounting department has complained that end-of-quarter reports are taking too long to run. The accounting software runs on SQL Server 2014.
The CAD software that is used to build plastic pet toys must be upgraded.
The manager of the sales tax department wants her department members to be able to modify their desktops.
50 computers that run Windows 10 will be deployed to Azure Active Directory. These computers will be joined to the Microsoft Azure Active Directory (Azure AD) domain and enrolled in Microsoft Intune.
Nutex has implemented Mobile Application Management (MAM) using Microsoft Intune to protect corporate data when using Excel Online, PowerPoint Online, and several other Office 365 applications. Nutex wants to protect these apps on both personal devices and company-owned devices.
Technical Issues
Recently, users in the Atlanta office have been complaining about the lack of a backup system for the documents stored on their Windows 10 computers. Management has asked you to implement a solution that will ensure that user documents are stored in a central location on a file server named NUTEXDC.
For the engineering department, a MAM policy was created to protect corporate data when using Excel Online, PowerPoint Online, and Word Online. The policy is causing problems when Engineering users try to use Excel Online on mobile devices.
Technical Requirements
The accounting department plans an upgrade of the accounting software. The database servers will need to be upgraded to SQL Server 2016 to support the new accounting software.
The kiosk computers must use Windows 10 and only use a wired connection instead of a wireless connection.
Several 3D printers must be installed and be ready for full production within the next 5 weeks.
You decide to implement a File Redirection group policy for users in the Atlanta office. You must ensure that all user documents are moved to NUTEXDC.
The 50 computers that will be deployed to Azure Active Directory need to be configured with the following device restrictions:
Stop users from visiting sites that host unsafe content
Real-time monitoring for unwanted software that can affect Microsoft Edge
Prevent users from interacting with Cortana after the Windows 10 device has been locked
User Requirements
The kiosk computers must not allow a user to connect to the nutex.com domain.
Users in the sales tax department should not be able to save changes to their desktop when they log off.
What could prevent the MAM policy from working for the Engineering department?
Correct
It is most likely that the policy is not configured for Excel Online. You must select the apps to be protected as part of the policy. In this scenario, you would probably apply this policy to a Sales group.
It is unlikely that the problem is that the users do not have an Intune license. Excel Online is the only application with an issue.
It is unlikely that the problem is that the users do not have an Office 365 license. The other Office 365 applications are working properly with the policy.
It is unlikely that the problem is the users are not on a managed device. Mobile Device Management (MDM) can work with MAM via Intune, but it is not required. MAM can work with other third-party MDM solutions, or even none at all for mobile devices.
It is unlikely that the problem is the users are on Android devices. MAM works with both Android and iOS.
Question 32 of 62
32. Question
You are in need of a method of generating custom device inventory reports from the Nutex implementation of Intune. Which are some of the options at your disposal to accomplish this custom reporting? (Choose all that apply.)
Correct
You could accomplish the required reporting by doing the following:
– Connecting PowerBI to the Intune Data Warehouse using the OData link URL, because the Intune Data Warehouse exposes an OData feed
– Querying the Intune Data Warehouse API using RESTful calls, because communication with the Intune Data Warehouse is RESTful
You cannot accomplish the required reporting with the following:
– Connecting PowerBI to the Intune Data Warehouse using an OLEDB link URL, because there are no OLEDB connection options for the Intune Data Warehouse
– Querying the Intune Data Warehouse API using SOAP calls, because communication with the Intune Data Warehouse is RESTful and there are currently no SOAP communication channels for the Intune Data Warehouse
– Crafting a .NET application that calls the Intune Data Warehouse API using ODBC, because there are no ODBC connection options for the Intune Data Warehouse
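The second working option above, RESTful calls against the OData endpoint, is shown here as an added example that is not part of the practice test. It assumes $Token holds an Azure AD bearer token authorized for the Data Warehouse API and $WarehouseUrl is the OData feed URL shown on the Data Warehouse blade of the Intune portal (tenant-specific, so it is not hard-coded). The entity set 'devices' and the property names used in the report are assumed from the Data Warehouse data model; the paging logic on @odata.nextLink is standard OData and is the part a hand-written REST client most often gets wrong.

```powershell
# Added example, not part of the practice test: query the Intune Data Warehouse through its
# OData/REST endpoint, follow the paging links, and turn the result into a custom report.

function Get-IntuneWarehouseEntity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $WarehouseUrl,   # base OData URL of the Data Warehouse (assumed)
        [Parameter(Mandatory)] [string] $Entity,         # entity set, e.g. 'devices' (assumed name)
        [Parameter(Mandatory)] [string] $Token,          # Azure AD bearer token for the API
        [string] $Filter,                                # optional OData $filter expression
        [string] $ApiVersion = 'v1.0'
    )

    $headers = @{ Authorization = "Bearer $Token" }
    # ${Entity} is braced because '?' is a legal character in PowerShell variable names.
    $uri = "$($WarehouseUrl.TrimEnd('/'))/${Entity}?api-version=${ApiVersion}"
    if ($Filter) { $uri += '&$filter=' + [uri]::EscapeDataString($Filter) }

    $results = New-Object System.Collections.Generic.List[object]
    # The warehouse returns results in pages; follow @odata.nextLink until it is absent.
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop
        foreach ($item in $page.value) { $results.Add($item) }
        $uri = $page.'@odata.nextLink'
    }
    return $results
}

# Usage: devices that have not checked in for 30 days (constructed filter), exported for PowerBI or Excel.
$cutoff = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$stale  = Get-IntuneWarehouseEntity -WarehouseUrl $WarehouseUrl -Entity 'devices' -Token $Token `
          -Filter "lastContact lt $cutoff"
$stale | Select-Object deviceName, osVersion, lastContact, isManaged |
    Export-Csv -Path .\stale-devices.csv -NoTypeInformation
```

The same function serves any other entity set in the warehouse by changing the -Entity argument; the bearer token is the only credential involved, so the script never needs a stored password.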
Question 33 of 62
33. Question
Recently, Josh’s computer was the source of a malware attack inside your company. You are concerned about threats affecting other Windows 10 computers in your company. You have the following script run on each computer after hours:
Start-MpScan -ScanType FullScan
You need to find the threats affecting the computers. Which cmdlet will retrieve the history of threats that Windows Defender detected on a computer?
Correct
The Get-MpThreat cmdlet retrieves the history of threats that Windows Defender detected on the computer. For example, the following command will find the history of the threat on the local computer that has the ID 1953:
Get-MpThreat -ThreatID 1953
The Get-MpThreatCatalog cmdlet gets a list of all possible known threats based on the signatures from the Windows Defender definitions catalog. The definitions catalog contains references to all known threats that Windows Defender can identify. The following command will display the virus signatures that have the greatest severity level:
Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq "5"} | Where-Object {$_.ThreatName -Match "^Virus.*"} | Select-Object ThreatName | more
The Get-MpThreatDetection cmdlet finds active and past malware threats that Windows Defender detected.
The Get-MpPreference cmdlet finds preferences for the Windows Defender scans and updates.
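The scenario runs Start-MpScan on every computer after hours; the natural follow-up is to pull the detection history back from all of them the next morning. The script below is an added example, not part of the practice test, that does this with the Defender cmdlets named above, joining each Get-MpThreatDetection event to its Get-MpThreat record so that threats that are still active stand out. It assumes PowerShell Remoting is enabled on the targets, that $Computers holds their names, and that the property names match the Defender module's threat objects.

```powershell
# Added example, not part of the practice test: collect Defender detection history from a
# list of computers after the nightly full scan and summarize it by threat.

function Get-DefenderThreatReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $DaysBack = 1
    )

    $since = (Get-Date).AddDays(-$DaysBack)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $since -ScriptBlock {
        param([datetime] $since)

        # Get-MpThreat: one record per threat seen on this computer (name, severity, active flag).
        $byId = @{}
        foreach ($t in Get-MpThreat) { $byId[[string]$t.ThreatID] = $t }

        # Get-MpThreatDetection: one record per detection event; join to Get-MpThreat on ThreatID.
        foreach ($d in Get-MpThreatDetection) {
            if ($d.InitialDetectionTime -lt $since) { continue }
            $t    = $byId[[string]$d.ThreatID]
            $name = if ($t) { $t.ThreatName } else { '(not in Get-MpThreat)' }
            $sev  = if ($t) { $t.SeverityID } else { $null }
            $act  = if ($t) { $t.IsActive }   else { $null }
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                ThreatID      = $d.ThreatID
                ThreatName    = $name
                SeverityID    = $sev           # 5 is the highest level, as in the catalog query above
                IsActive      = $act
                FirstDetected = $d.InitialDetectionTime
                User          = $d.DomainUser
                Process       = $d.ProcessName
                Resources     = ($d.Resources -join '; ')
                RemediationOk = $d.ActionSuccess
            }
        }
    } | Select-Object * -ExcludeProperty PSComputerName, RunspaceId
}

# Usage: threats detected since the last nightly scan, active ones first, then a per-threat count.
$report = Get-DefenderThreatReport -ComputerName $Computers -DaysBack 1
$report | Sort-Object IsActive -Descending |
    Format-Table Computer, ThreatName, SeverityID, IsActive, RemediationOk, Process -AutoSize
$report | Group-Object ThreatName | Sort-Object Count -Descending | Select-Object Name, Count
```

Rows where IsActive is true or RemediationOk is false are the ones to triage first; the Process and User columns show which account and executable were involved when Defender made the detection, which is what an incident responder needs to decide whether the spread from Josh's computer reached other hosts.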
Question 34 of 62
34. Question
You are the desktop support technician of your company. Client computers on the network run Windows 10. You configure a Folder Redirection policy on all client computers to redirect the Documents folder. You want to configure the Follow Documents folder option to ensure that folders that support this option are automatically redirected with the Documents folder.
Which folder or folders can be configured? (Choose all that apply.)
Correct
You can configure the Music folder, the Pictures folder, and the Videos folder to follow the Documents folder. Windows allows you to redirect ten user-specific folders. By using Windows Folder Redirection, you can redirect all the well-known folders in a Windows user profile.
The Follow Documents folder setting redirects the Music, Pictures, and Videos folders as subfolders of the Documents folder. The Follow Documents folder setting causes the selected folder to inherit folder redirection options from the Documents folder, and it also disables the folder redirection options for the selected folder.
You cannot configure the Favorites, Contacts, Downloads, and Links folders to follow the Documents folder because the Follow Documents folder option is not available for these folders.
Question 35 of 62
35. Question
Your organization has purchased an Office 365 subscription. You need to install Office 365 on the Windows 10 computers on your organization’s network. The installation should be customized so that users only get access to the Office 365 components that they need.
What should you do?
Correct
You should use the Office Deployment Tool with the /configure command and the customized Configuration.xml file to install Click-to-Run for Office 365 products and languages on each user’s computer. This will allow you to customize the installation of Office 365 and ensure that users only get access to the Office 365 components that they need.
You should not use AppLocker or the Windows Store in this scenario. AppLocker is a feature that advances the features and functionality of Software Restriction Policies. AppLocker allows you to create rules to allow or deny applications based on unique file identities and to specify which users or groups can run those applications. The Windows Store is a listing of applications that are available to be installed on Windows 10 and Windows RT devices. Office 365 is not installed using either of these two features.
You should not sign in to the Office 365 portal with the /configure command and the customized Configuration.xml file to install Click-to-Run for Office 365 products and languages on each user’s computer. A user can sign in to the Office 365 portal to install Office 365. The portal allows the user to select which components to install. The portal can be used to connect Office 365 to Lync and Outlook. However, if an administrator wants to control which features of Office 365 are installed, the Office Deployment Tool should be used.
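The customized Configuration.xml is what makes the Office Deployment Tool answer the scenario's requirement, so the following added example (not part of the practice test, and not Microsoft's own sample) builds one from a list of excluded applications and then runs setup.exe /configure with it. The product ID, channel and excluded apps are constructed sample values, and the ODT's setup.exe is assumed to be in the folder held in $OdtPath.

```powershell
# Added example, not part of the practice test: generate a Configuration.xml for the
# Office Deployment Tool that installs only the components users need, then apply it.

function New-OfficeConfigurationXml {
    param(
        [Parameter(Mandatory)] [string] $Path,          # full path; XmlDocument.Save resolves relative paths against the process directory
        [string]   $ProductId   = 'O365ProPlusRetail',  # constructed sample value
        [string]   $Channel     = 'Current',
        [string]   $Edition     = '64',
        [string[]] $Languages   = @('en-us'),
        [string[]] $ExcludeApps = @()                   # e.g. 'Access','Publisher','Lync'
    )

    $xml = [xml]'<Configuration/>'
    $add = $xml.DocumentElement.AppendChild($xml.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)

    $product = $add.AppendChild($xml.CreateElement('Product'))
    $product.SetAttribute('ID', $ProductId)
    foreach ($lang in $Languages) {
        $l = $product.AppendChild($xml.CreateElement('Language'))
        $l.SetAttribute('ID', $lang)
    }
    # Each ExcludeApp element removes one component from the Click-to-Run install,
    # which is how the "only the components they need" requirement is met.
    foreach ($app in $ExcludeApps) {
        $e = $product.AppendChild($xml.CreateElement('ExcludeApp'))
        $e.SetAttribute('ID', $app)
    }

    $updates = $xml.DocumentElement.AppendChild($xml.CreateElement('Updates'))
    $updates.SetAttribute('Enabled', 'TRUE')
    # Silent install: no UI for the user and the EULA accepted by the administrator.
    $display = $xml.DocumentElement.AppendChild($xml.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', 'TRUE')

    $xml.Save($Path)
    return $Path
}

# Usage: the sales desktops get Office without Access, Publisher and Lync (constructed choice).
$config = New-OfficeConfigurationXml -Path (Join-Path $OdtPath 'Configuration.xml') `
          -ExcludeApps 'Access', 'Publisher', 'Lync'
& (Join-Path $OdtPath 'setup.exe') /configure $config
```

Generating the file from a parameter list rather than editing XML by hand keeps different user groups' configurations consistent, and the resulting file can be kept in source control and pushed with the same Group Policy or Intune script that runs setup.exe.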
Question 36 of 62
36. Question
You need to ensure that local users of the Nutex Sales web application are working in IE 11 but browse other sites using Microsoft Edge.
What options will be needed to accomplish this? (Choose all that apply.)
Correct
You should set Microsoft Edge as the default browser. In conjunction with implementing IE Enterprise Mode, this configuration ensures normal web access is being handled by a browser designed for better security, safety, and rendering. Then, when a site on the Enterprise Mode Site List is visited, it will automatically open in IE 11.
You should configure IE Enterprise Mode. This ensures that both IE and Edge are using the same Enterprise Mode Site List and automatic site presentation is reciprocal. When MS Edge visits any site identified as requiring IE 11 it automatically spawns an IE window and goes there. When IE 11 visits any site identified as requiring MS Edge, it automatically generates an MS Edge window and goes there.
You should place the Nutex Sales web app URL on the Enterprise Mode Site List. This ensures that when visiting this site in MS Edge it will automatically open in IE instead.
You should push a Group Policy to restrict IE 11 usage to only sites on the Enterprise Mode Site List. This option will ensure that only sites on the Enterprise Mode Site List will use IE 11 and all other sites will display in MS Edge automatically.
You should not set IE as the default browser. This action will cause site visits which begin in IE 11 to spawn MS Edge and possibly cause confusion.
You should not push a Group Policy to restrict IE 11 usage to only sites not on the Enterprise Mode Site List. This action is not appropriate because we want IE 11 to be responsible for opening sites in the Enterprise Mode Site List, and anything NOT on the list should open in MS Edge for the best web experience. This has become possible since the Windows 10 Anniversary Update.
Question 37 of 62
37. Question
The sales team at Nutex is using a new custom Line-of-Business (LOB) application. They have found a bug that affects some very important sales issues. The software development team has written an update to fix the bug and they want you to deploy it using Intune.
What must the users do to receive the update?
Correct
The users should do nothing. Once you have deployed the fix update to Intune, it will be available for the users and will be applied automatically. When applications are deployed using Intune, the updates generated through Intune are automatically applied.
You do not have to run Windows Update and select the LOB Update. Windows Update will successfully apply operating system updates and if pressed into service can also apply updates for other software and drivers. But Windows Update has no place in deploying this update from Intune.
Users do not have to open the LOB app and find the update option in the menus. This would certainly suffice if the app were written to deploy updates in this manner. However, this is not the type of interaction that Intune uses as the question indicates.
Users do not have to download the update from Intune and install it manually. This is unnecessary as the update in Intune will apply automatically. As a matter of fact, the user has NO say in whether this update applies or not. When indicated, the user WILL receive this update automatically.
References: https://docs.microsoft.com/en-us/mem/intune/apps/apps-windows-10-app-deploy?_ga=2.21964603.1486813339.1610381523-512178102.1610381523
Question 38 of 62
38. Question
As a Windows 10 administrator for Verigon Corporation, you have been tasked with configuring a few hundred laptops purchased from several resellers. You have chosen to use Windows Autopilot and Intune to simplify configuration. The laptops have not been registered by the resellers. All Autopilot service prerequisites have been configured.
What is the first step in deploying these laptops?
Correct
You must first collect the hardware ID from each laptop. You can do this with a script from the PowerShell Gallery or use System Center Configuration Manager. You can use the Get-WindowsAutoPilotInfo.ps1 script from the PowerShell Gallery and run it on each computer:
md c:\HWID                                                            # working folder for the CSV output
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted      # allow the gallery script to run in this session only
Install-Script -Name Get-WindowsAutoPilotInfo                        # pulls the script from the PowerShell Gallery
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv           # writes the hardware hash for this device
You must not connect each laptop to the Internet. This would cause the laptop to download an empty profile that would have to be removed. Collect the hardware ID first.
You cannot enroll the laptops in Intune until you have a CSV file containing their hardware IDs.
You will want to create an Autopilot device group, but this can only be done after you have added the devices.
You would not, at an administrative command prompt, run sysprep /generalize /oobe. This process would only be relevant to Autopilot when attempting to clear a stored profile.
Question 39 of 62
39. Question
Nutex Corporation wants to ensure that highly confidential documents created in Word Online can only be opened by specific users in the company. You have just implemented the Azure Rights Management service in Azure Information Protection. You want to create a new custom template.
Which steps will be part of the process? (Choose all that apply.)
Correct
Your first step is to open Azure Information Protection and choose Labels > Add a New Label.
On the Protection blade, you will change the permissions and access settings as needed.
You should choose the Protection setting of Azure (cloud key). This is the step that creates the custom template.
There is no need to delete the default templates.
You do not need to refresh the new template. Existing clients will get the changes within 15 minutes. Existing templates refresh automatically on a schedule (7 days for Office 365 apps). You do have the option to force a refresh if you modify a custom template.
Question 40 of 62
40. Question
You manage devices that run Windows 10 with Azure Active Directory Premium. You need to enable two-factor authentication on the devices without installing any third-party applications.
What should you use? (Choose all that apply.)
Correct
You should use fingerprint recognition or facial recognition. Both two-factor authentication types are supported by Windows Hello for Business using Azure AD Premium. You can use a user ID and password as the first authentication factor and biometric recognition as the second authentication factor.
If your device is joined to a domain, the device itself becomes one of the two factors required for authentication.
You should not use a retinal scan or RSA keys. These options are not supported by Windows 10 or Azure AD Premium without installing a third-party application.
You cannot use a BitLocker key for two-factor authentication. A BitLocker key is used to decrypt a BitLocker-encrypted drive.
Question 41 of 62
41. Question
You are an administrator for Nutex Corporation. Nutex uses Microsoft Intune as its MDM solution. All company devices were successfully registered last month. Your manager would like a CSV file showing all the registered devices that have the data encrypted as part of a security evaluation.
What steps would be required to prepare this information? (Place the correct steps in sequence.)
Unordered Choices
– Export the Data
– Filter by hardware details
– Filter by device Configuration
– In the Intune console, select Devices
– Select all devices, then choose Remote Tasks > Refresh Inventory
Correct
You will need to open the Intune console and select Devices.
You will want to filter the device view by hardware details, selecting the Encrypted property.
You will want to export the data. Here you would choose to export to a CSV file.
You will not need to select all devices, then choose Remote Tasks > Refresh Inventory. This action would be a good idea if you thought some devices had not been captured, but it is not a requirement. The scenario tells us that all devices were successfully registered last month.
You do not need to filter by device configuration. This action would show device configuration policies assigned to the device and if the policy succeeded or failed. The scenario does not include this criterion.
For even more information about your mobile environment, there is also the Intune Data Warehouse. You can connect to it with Power BI for access to historical data and custom reporting.
Question 42 of 62
42. Question
After implementing an Application Protection Policy in Microsoft Intune, you discover that there are a few iOS users who are still able to violate the policy by saving sensitive corporate documents to their personal devices using Microsoft Office Apps on iOS. You have selected the correct apps and settings for your policy and assigned the correct groups to include. You verify that the users in question are part of the correct groups as specified in the policy assignments.
What else could you do to ensure the Application Protection Policy is properly being applied?
Correct
You should make sure that the users have been assigned Microsoft Intune licenses. Any users in the groups selected for policy assignment who have a valid Microsoft Intune license assigned will be restricted by the policy, but if they do not have a valid license assigned then the policy will not apply to them.
You should not assign certificates to the users’ iOS devices. Certificate assignment would only be necessary to grant users protected connections through a VPN, authenticated Wi-Fi, or protected email profiles. This is not necessary for the current situation.
You should not use the Intune App Wrapping Tool to ensure that the Application is enforceable. This tool is used mostly on internally developed Line-of-Business apps that you want to be managed by Intune policies. Apps that already support Intune management (such as MS Office apps) do not need this step.
You should not turn on Multi-Factor Authentication (MFA) to validate the offending users. MFA will certainly bring more security to authentication by forcing the user to provide more than just their username and password, but it will not resolve the problem as specified.
Question 43 of 62
43. Question
You have been tasked with updating the features on the Windows 10 laptops in Nutex Corporation's satellite office in Paris. A Windows Server 2016 server is available for use in this office.
What choices do you have to implement feature updates? (Choose all that apply.)
Correct
You could configure Windows Update for Business Delivery Optimization. This is a new alternative to WSUS, as it takes advantage of a peer-to-peer delivery service for updates, thereby minimizing downloads.
You could install Windows Server Update Services (WSUS) on the branch server to deliver updates. Note that adding BranchCache in distributed mode could enhance this process, making it similar to the behavior of Windows Update for Business.
You could choose to install System Center Configuration Manager on the branch server to deliver updates. Note that adding BranchCache in distributed mode could enhance the process, making it similar to the behavior of Windows Update for Business.
You cannot use Windows Autopilot to deliver updates. Autopilot installs the operating system itself.
You cannot use Windows Intune directly, although you may choose to use Intune to configure Windows Update for Business.
Question 44 of 62
44. Question
The Nutex Corporation has an Active Directory domain named nutex.com. All servers run Windows Server 2012 R2 and all clients run Windows 10 Enterprise. Nutex uses Microsoft Office 365.
You do not want your Office 365 users to install Office products directly from the Internet by using the Office 365 portal. You download the Office product and language files to your local network that all users have permissions to access. You want to deploy those Office products and languages to users from a local network share named \\server55\Office.
Users in nutex.com are not local administrators on their computers.
What should you do? Choose the steps and place them in the correct order.
Correct
In this scenario, you will deploy Office products and languages to users from a local network share. These deployments will use Click-to-Run. The necessary files will be streamed from your local network to the user’s computer during the installation, instead of being streamed from the Internet.
To prepare and deploy Click-to-Run Office 365 products, you will need to download the Office Deployment Tool (ODT) to the server. You will not download the ODT to each user’s computer. The users need to have read permissions to the network share that contains the ODT, the customized configuration.xml file, and any Click-to-Run for Office 365 product and language files.
You need to configure a customized configuration.xml file on the server to specify which Click-to-Run for Office 365 products and languages to deploy.
To download Office 365 products and languages to the server, use the download mode with setup.exe.
You should then use the Office Deployment Tool with the configure command and the customized configuration.xml file to install Click-to-Run for Office 365 products and languages on a user’s computer. You will not use the Office Deployment Tool with the configure command on the server.
You should not use the Office Deployment Tool with the packager command. This command is used to create an App-V package. If you needed to create an App-V package, you would do the following:
1. Download the Office Deployment Tool (ODT) to the server.
2. Prepare a configuration file.
3. Download the applications in the configuration file to a specified location (setup.exe /download).
4. Run the ODT with the packager command (setup.exe /packager).
Question 45 of 62
45. Question
A security audit has revealed that the Sales department has been attacked by malware sent via an email forwarded by internal users. The Finance department has inadvertently released corporate financials to the public and the development department has shared proprietary source code and data externally.
Which of the following can help prevent these issues from occurring again?
Correct
Windows Information Protection (WIP) can prevent certain emails from being forwarded, data from being printed, or data from being copied to the wrong location. You can configure a rule to identify credit card information, financial information, proprietary source code, or other type of company data. You can categorize this data and specify what happens when the data matches a rule. You can block this data from being shared, printed, copied, or emailed.
You should not use a conditional access policy. This type of policy can provide protection based on the sign-in risk, device platform, device state, or location. While a conditional access policy can be used to ensure that a user uses Multi-Factor Authentication (MFA), it cannot ensure that a user cannot email, print, copy, or forward specific type of data.
You can use app protection policies to stop company data from being saved to local storage, but it will not protect data that is not in an application. It cannot ensure that data is not printed or emailed.
You cannot use Group Policy to prevent data from being copied, emailed, printed, or forwarded. Group Policy is used to configure users, devices, and Active Directory objects.
Question 46 of 62
46. Question
You are the branch office administrator for the Verigon Corporation. You have a few Windows 10 computers in your branch office. These Windows 10 computers have the default settings for Windows Updates and Automatic Maintenance configured.
You want to ensure that all Windows updates are downloaded from the server srv55.verigon.com. This server downloads approved updates from Microsoft Update. You want any updates to be automatically downloaded every day and installed at 02:00 AM. You plan to test this configuration in a local security policy. If the updates are downloaded successfully on the proper schedule, you will configure the settings in a Group Policy object that will be applied to this branch office and other branch offices.
What must you configure? (Select the group policy setting(s) that you should enable, CHOOSE 4)
Correct
The correct policy settings that should be enabled are shown in the following graphic:
The Maintenance Scheduler group policy settings in the top of the exhibit are located in the Computer Configuration > Administrative Templates > Windows Components > Maintenance Scheduler node. The Windows Update group policy settings in the bottom of the exhibit are located in the Computer Configuration > Administrative Templates > Windows Components > Windows Update node.
You should enable the Configure Automatic Updates policy setting and set this policy to Auto download and schedule the install, as shown in the following exhibit:
For Windows 7 and earlier computers, the schedule configured here would apply. However, Windows 10 controls the scheduling using the Automatic Maintenance feature. For Windows 10, you would need to configure the update schedule in the Maintenance Scheduler group policy section.
You should also enable the Specify intranet Microsoft Update service location policy and specify the intranet update service for detecting updates as srv55.verigon.com, which is a WSUS server. With this configuration, the Windows 10 computer will pull updates from srv55.verigon.com instead of using the Windows Update servers.
You should enable the Automatic Maintenance Activation Boundary setting and set it to 2:00 a.m. as shown in the following exhibit:
This will ensure that the Windows 10 computers will be scheduled to perform maintenance at 2:00 a.m. The default settings on Windows 10 computers are to perform maintenance at 3:00 a.m.
You should also enable the Automatic Maintenance Wakeup Policy setting as shown in the following exhibit:
This setting ensures that the wake-up policy is configured by Group Policy settings, not by the local settings. However, if Windows 10 Automatic Maintenance does not have the Allow scheduled maintenance to wake up my computer at the scheduled time option enabled, then the Group Policy setting will not work. By default, the Allow scheduled maintenance to wake up my computer at the scheduled time option is enabled. You access this setting by expanding the Maintenance section in Action Center and clicking the Change maintenance settings option.
You should not enable the Turn on Software Notifications group policy setting as shown in the following exhibit:
This setting allows users to receive detailed enhanced notification messages about downloaded updates. It will not let you change how updates are downloaded or specify which server is the source of the updates.
There are also some Windows Update group policy settings that can be configured in User Configuration > Administrative Templates > Windows Components > Windows Update node, as shown in the following exhibit:
The Remove access to use all Windows Update features group policy setting removes all Windows Update features from the operating system’s user interface. It also allows you to configure the types of notifications that occur.
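As an added check that is not part of this practice test: once the settings above are applied in the local policy on a test client (and gpupdate /force has run), this PowerShell script reads the registry values those policies write (value names as defined in WindowsUpdate.admx and msched.admx) and reports any drift from the intended state, including the Windows 10 caveat that the install time comes from Automatic Maintenance rather than the Automatic Updates schedule. The WSUS URL with port 8530 is an assumption; use the real address of srv55.verigon.com.

```powershell
# Added example, not from the practice test: audit the policy registry values
# that the enabled settings write and compare them to the intended state.
# Run elevated on the test client after the local policy has been applied.

$expected = @{
    WUServer       = 'http://srv55.verigon.com:8530'   # assumption: WSUS on its default HTTP port
    AUOptions      = 4                                  # 4 = Auto download and schedule the install
    ActivationHour = 2                                  # maintenance window at 02:00
}

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the value is absent, i.e. the policy is Not Configured
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-UpdatePolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    $ms = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler\Maintenance'
    $findings = @()

    # Specify intranet Microsoft Update service location
    $server  = Get-PolicyValue $wu 'WUServer'
    $useWsus = Get-PolicyValue $au 'UseWUServer'
    if ($useWsus -ne 1 -or $server -ne $expected.WUServer) {
        $findings += "Updates would not come from $($expected.WUServer) (UseWUServer=$useWsus, WUServer=$server)"
    }

    # Configure Automatic Updates
    $auOptions = Get-PolicyValue $au 'AUOptions'
    if ($auOptions -ne $expected.AUOptions) {
        $findings += "AUOptions is '$auOptions', expected $($expected.AUOptions)"
    }

    # On Windows 10 the install time is driven by Automatic Maintenance, not ScheduledInstallTime
    $boundary = Get-PolicyValue $ms 'Activation Boundary'   # ISO 8601 text, e.g. 2000-01-01T02:00:00
    if (-not $boundary) {
        $findings += 'Automatic Maintenance Activation Boundary is not configured (default window is 03:00)'
    } elseif (([datetime]$boundary).Hour -ne $expected.ActivationHour) {
        $findings += "Activation Boundary is $boundary, expected hour $($expected.ActivationHour)"
    }

    # Automatic Maintenance Wakeup Policy
    $wake = Get-PolicyValue $ms 'WakeUp'
    if ($wake -ne 1) {
        $findings += 'Automatic Maintenance Wakeup Policy is not enabled; a sleeping PC misses the 02:00 window'
    }

    if ($findings.Count -eq 0) { return 'OK: policy matches the intended configuration' }
    return $findings
}

Test-UpdatePolicy
```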
Question 47 of 62
47. Question
Users in the PC Support group in the IT department enroll devices for employees in the Nutex Corporation. When the PC Support group accesses the Microsoft Intune company portal, text appears at the bottom of the sign-in page. You want to ensure that when the PC Support group visits the sign-in page they view the new legal statement that the HR department has released.
Which menu option should you choose to configure this?
Correct
You should choose the Company branding option. The Company branding option is typically used for adding the company name and logo that appears during the Out-of-Box Experience (OOBE) in Windows Autopilot. With the Company branding option, you can configure the following:
A background image for the page. The image is limited to 1920×1080 pixels.
A banner logo, which can be the company or department logo.
A Username hint to help users who may have forgotten their username.
Sign-in page text. This text can contain additional information such as a legal statement or a phone number or email address for the help desk.
Question 48 of 62
48. Question
Verigon Corporation will be using Microsoft Intune to control access to Office 365 applications for all their locations. You need to ensure that all Finance group members can access Excel Online from their Windows 10 laptops only via Multi-Factor Authentication (MFA).
Which required settings in your access policy must you configure? (Choose all that apply.)
Correct
You will have to give the policy a name.
You will want to configure Users and Groups in the Assignment section. Here you can choose the Finance group.
You will want to configure the Cloud Apps section to include the desired Office 365 applications. This is where you would choose Excel Online.
You will want to configure Conditions in the Assignment section. This is where you can add the desired device platform.
You will want to configure the Grant portion of the Access Control section. This is where you require MFA.
Note that you will also want to configure the Session section of Access controls.
Finally, you need to enable the policy.
Question 49 of 62
49. Question
You have computers running Windows 7 that are domain-joined to the on-premises domain named nutex.com. You need to convert these computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot.
Choose the appropriate steps and place them in the correct order.
– Run Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
– Deploy Content to Distribution Points and deploy the OS with Autopilot Task Sequence
– Create a target collection and an Autopilot task sequence
– Run Install-Module AzureAD -Force
– Run C:\Windows\CCM\SCClient.exe
– Run Install-Module WindowsAutopilotIntune -Force
– Run Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File C:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
– Create a package containing the JSON file
– Run Connect-AutopilotIntune -user .onmicrosoft.com
Correct
You should choose the following order of steps:
1. Run Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
2. Run Install-Module AzureAD -Force
3. Run Install-Module WindowsAutopilotIntune -Force
4. Run Connect-AutopilotIntune -user .onmicrosoft.com
5. Run Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
6. Create a package containing the JSON file
7. Create a target collection and an Autopilot task sequence
8. Deploy Content to Distribution Points and deploy the OS with Autopilot Task Sequence
9. Run C:\Windows\CCM\SCClient.exe
You should ensure that the latest Windows Management Framework is downloaded and installed on the Windows 7 computers.
Run the following PowerShell commands to ensure that the Windows Autopilot is installed:
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module AzureAD -Force
Install-Module WindowsAutopilotIntune -Force
You will then have to provide administrative credentials for Intune:
Connect-AutopilotIntune -user .onmicrosoft.com
You must retrieve and display the Autopilot profile available in the specified Intune tenant in JSON format. You should save the Autopilot profile in the JSON file format. The file has to be named AutopilotConfigurationFile.json and must be encoded as ASCII/ANSI. Any other file name, such as unattend.json, will cause the process to fail. You can use the Get-AutopilotProfile cmdlet to retrieve the Autopilot profile:
Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
You can have multiple JSON profiles. Each file must be named AutopilotConfigurationFile.json, but can be stored in a different directory from the other profiles. If you use a name other than AutopilotConfigurationFile.json, Windows 10 OOBE will not follow the Autopilot experience.
Next, you should create a package containing the JSON file. You will use Configuration Manager to create a package that specifies the name of the package and the source folder containing the AutopilotConfigurationFile.json file.
If you have not created an existing collection, you will need to create a target collection. This collection must have a rule to add the target test Windows 7 devices to the new collection.
Next, create an Autopilot for existing devices task sequence using a boot image for Windows 10 1803 or later. You should configure Autopilot to join a workgroup, not a domain. Autopilot uses the System Preparation Tool (sysprep) when the Prepare Windows for capture task executes. This sysprep will fail if the target machine is joined to a domain.
Next, you will deploy the content to distribution points. The distribution point must contain all content required for the task sequence. You should then deploy the OS with Autopilot Task sequence.
Run C:\Windows\CCM\SCClient.exe on the client computers. This action will open Software Center and allow you to upgrade the operating system on the computer. Content will be downloaded via the Task Sequence. The computer will be rebooted, the drives will be formatted, and Windows 10 will be installed. The computer will be prepared for Autopilot once the task sequence has completed. The device will boot into OOBE and provide an Autopilot experience.
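As an added PowerShell example that is not part of this practice test or of Microsoft's documentation: it carries out steps 4 and 5 for a single profile and then checks the constraints described above (exact file name, ASCII encoding without a byte-order mark, exactly one JSON object) before the file is packaged in Configuration Manager. The profile name 'Existing devices', the placeholder UPN, and the field names CloudAssignedTenantId, CloudAssignedTenantDomain and ZtdCorrelationId are assumptions about the exported format; the modules from steps 1 to 3 are assumed to be installed.

```powershell
# Added example, not from the practice test: export one Autopilot profile and
# validate AutopilotConfigurationFile.json before packaging it.

$ProfileName = 'Existing devices'           # assumption: display name of the profile to export
$OutDir      = 'C:\Autopilot'               # package source folder used in the steps above
$OutFile     = Join-Path $OutDir 'AutopilotConfigurationFile.json'

function Export-SingleAutopilotProfile {
    param([string]$Name, [string]$Path)
    Connect-AutopilotIntune -user 'admin@TENANT.onmicrosoft.com' | Out-Null   # placeholder UPN
    # Select exactly one profile: piping several would write several JSON objects into one file,
    # which OOBE cannot parse. (displayName is assumed to be the profile's name property.)
    $selected = @(Get-AutopilotProfile | Where-Object { $_.displayName -eq $Name })
    if ($selected.Count -ne 1) { throw "Expected one profile named '$Name', found $($selected.Count)" }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $selected[0] | ConvertTo-AutopilotConfigurationJSON | Out-File $Path -Encoding ASCII
}

function Test-AutopilotConfigurationFile {
    param([string]$Path)
    $errors = @()

    # 1. OOBE only honours this exact file name
    $leaf = Split-Path $Path -Leaf
    if ($leaf -cne 'AutopilotConfigurationFile.json') {
        $errors += "File must be named AutopilotConfigurationFile.json (got $leaf)"
    }

    # 2. ASCII/ANSI: no UTF-8 or UTF-16 byte-order mark and no byte above 0x7F
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = $bytes.Length -ge 2 -and (
        ($bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB) -or
        ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or
        ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))
    if ($hasBom) { $errors += 'File starts with a byte-order mark; re-export with -Encoding ASCII' }
    if ($bytes | Where-Object { $_ -gt 0x7F } | Select-Object -First 1) {
        $errors += 'File contains non-ASCII bytes'
    }

    # 3. Exactly one JSON document carrying the tenant and correlation fields OOBE reads
    try {
        $json = [System.Text.Encoding]::ASCII.GetString($bytes) | ConvertFrom-Json
        foreach ($field in 'CloudAssignedTenantId', 'CloudAssignedTenantDomain', 'ZtdCorrelationId') {
            if (-not $json.PSObject.Properties[$field]) { $errors += "Missing field $field" }
        }
    } catch {
        $errors += "Not a single valid JSON document: $($_.Exception.Message)"
    }
    return $errors
}

Export-SingleAutopilotProfile -Name $ProfileName -Path $OutFile
$problems = Test-AutopilotConfigurationFile -Path $OutFile
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "OK: $OutFile is ready to be packaged" }
```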
Question 50 of 62
50. Question
You are responsible for deploying Office 365 to the users at Nutex Corporation. You want to automate the installation so you decide to use the Office Deployment Tool (ODT).
How can you create the configuration XML file needed to direct the ODT in deploying O365 ProPlus? (Choose all that apply. Each option represents a complete answer.)
Correct
You could use Notepad and type or copy/paste the XML needed for your deployment. You could use sample text from http://bit.ly/ODTOverview or you could write your own.
You could visit https://config.office.com/ and export a configuration file from there. This site is referred to as the Office Configuration Tool (OCT).
You should not execute setup.exe /customize NewConfigFile.XML. Any execution of the setup.exe command runs the Office Deployment Tool (ODT). This command specifically looks to NewConfigFile.XML for direction to customize an existing installation of Office; it will not create a configuration file.
You should not execute setup.exe /configure NewConfigFile.xml. This command specifically looks to NewConfigFile.xml for direction to perform an actual Office 365 installation with all of the configuration options defined in the XML file.
Question 51 of 62
51. Question
You manage 100 computers that run Windows 10 for the Nutex Corporation. All of the computers are enrolled in Microsoft Intune. You manage the servicing channel settings of the computers by using Intune. You need to view detailed information on the following:
Device status for the update ring
User status for the update ring
You need to review the servicing status of a computer.
Choose the correct option that will allow you to do this.
You have a computer named WKS1 that runs Windows 10. Windows Defender Antivirus detects that there is malware on the computer. The malware used a vulnerability in a particular font file to attack the kernel. WKS1 is removed and deallocated.
You need to prevent vulnerabilities in font files from affecting other Windows 10 computers on the network. What should you use?
Correct
Windows Defender Exploit Guard reduces the attack surface of the apps your users run. Windows Defender Antivirus provides protection against viruses, malware and spyware, as well as boot-time protection. Antivirus, together with Exploit Guard, helps secure files in protected folders against changes made by malicious apps such as ransomware and malware. Malware can use vulnerabilities in font files, such as TrueType fonts, to attack the kernel.
You should not use Windows Defender Application Guard (WDAG). Application Guard isolates untrusted sites. When a user connects to an untrusted site with either Internet Explorer or Microsoft Edge, Edge opens a site in an isolated container. The container is separate from the operating system. If the site is not listed as a trusted web site, cloud resource, or internal network, then the destination is defined as untrusted. If the site turns out to be malicious, the computer is protected because an attacker cannot access the computer’s data or the computer user’s credentials. Application Guard does not protect against malware.
You should not use Windows Defender Credential Guard. Windows Defender Credential Guard, like Windows Defender Application Guard, uses virtualization-based security to protect credentials, but Credential Guard does not check if the destination is an untrusted site. Credential Guard can protect against Pass-the-Hash, Pass-The-Ticket, or other credential thefts. Credential Guard does not protect against malware.
You should not use Windows Defender System Guard. Windows Defender System Guard maintains and protects the integrity of the Windows computer when it boots up via Secure Boot, and maintains its integrity after the system is running with Exploit Guard. System Guard does not protect against malware.
Question 53 of 62
53. Question
You are planning to implement Microsoft Intune to ensure protection of sensitive corporate materials on unmanaged user devices. As part of your plan you decide to create security groups in Azure Active Directory to aid in assigning appropriate protections.
What next steps should be part of the plan to ensure that Nutex Corporation’s documents are properly secured when using applications on user devices? (Choose three.)
Correct
Your plan should include the following:
– Assign Intune and Office 365 user licenses appropriately
– Add and deploy apps to Intune
– Create and assign App Protection Policies
Intune and Office 365 user licenses must be assigned appropriately. If an appropriate license is not assigned to a user, Intune cannot manage that user.
The apps must be added and identified to Intune so that Intune can manage application capabilities.
App Protection Policies should be created and assigned. App Protection Policies are the part that makes Mobile Application Management work. The devices do not have to be managed as long as the App Protection Policies are created and appropriately assigned.
Your plan does not require device enrollment. Device Enrollment is necessary for using Intune in a Mobile Device Management (MDM) environment but not for Mobile Application Management (MAM) as described in our scenario.
Your plan does not need to include creating and assigning certificates to user devices. Certificates ensure protected connections over VPN, Wi-Fi, and more secure Email profiles. This, however, is not necessary in our specified scenario.
Your plan does not need to enable device platforms. Device platforms do not need to be enabled for MAM. In an MDM environment this would be required, especially when preparing for iOS or macOS devices.
Reference 1 https://docs.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-intune-setup
Reference 2 https://docs.microsoft.com/en-us/mem/intune/fundamentals/byod-technology-decisions
Question 54 of 62
54. Question
As a security administrator for Dreamsuites Incorporated, you are responsible for protecting company data. It is especially important when using Office 365 applications on mobile devices. The company has decided to allow users to bring their own devices if desired (BYOD). You have implemented Mobile Application Management (MAM) via Intune. You do not want corporate app policies to apply to users’ personal data.
In what step is MAM triggered to apply the corporate MAM policies to Outlook mobile access?
Correct
The policy for Outlook is triggered after the user enters a PIN. This Intune PIN prompt will appear when using the Outlook mobile app as part of Microsoft’s “multi-identity” approach. The appearance and re-appearance timing of this prompt can be configured by an administrator.
The policy for Outlook is not triggered by the work (corporate) account login. A work (corporate) account is required when accessing corporate email.
The policy for Outlook is not triggered when a separate MAM policy is configured. Even though MAM is based on user identity, MAM policies do not differentiate between a personal account sign-in and corporate usage. However, you can assign policies to groups of corporate users.
The app protection policy for Outlook is not triggered when the user logs in using their personal account. Logging in with a work account is required when accessing corporate email.
The policy is not triggered when Intune marks the data as “corporate.” That determination is made by the data location.
Reference 1 https://docs.microsoft.com/en-us/archive/blogs/cbernier/microsoft-intune-mobile-application-management-mam-standalone
Reference 2 https://docs.microsoft.com/en-us/mem/intune/apps/mam-faq
Question 55 of 62
55. Question
The Nutex Corporation is headquartered in Atlanta, GA. It has branch offices in Knoxville, TN and Dallas, TX. Nutex manufactures and distributes pet toys for cats and dogs.
All desktop computers in all offices run Windows 10.
All server computers run Windows Server 2016 except the database servers, which run Windows Server 2012 R2.
Nutex has an Active Directory domain, and all offices have an organizational unit (OU) in the domain.
Nutex has recently implemented an Azure Active Directory domain.
Because the members of the sales and engineering department will sometimes work remotely, they have been issued Android devices.
Planned Changes
The Atlanta office will expand the lobby of the building to accommodate customers and partners. Kiosk computers will be stationed there for customers and partners to use.
The accounting department has complained that end-of-quarter reports are taking too long to run. The accounting software runs on SQL Server 2014.
The CAD software that is used to build plastic pet toys must be upgraded.
The manager of the sales tax department wants her department members to be able to modify their desktops.
50 computers that run Windows 10 will be deployed to Azure Active Directory. These computers will be joined to the Microsoft Azure Active Directory (Azure AD) domain and enrolled in Microsoft Intune.
Nutex has implemented Mobile Application Management (MAM) using Microsoft Intune to protect corporate data when using Excel Online, PowerPoint Online, and several other Office 365 applications. Nutex wants to protect these apps on both personal devices and company-owned devices.
Technical Issues
Recently, users in the Atlanta office have been complaining about the lack of a backup system for the documents stored on their Windows 10 computers. Management has asked you to implement a solution that will ensure that user documents are stored in a central location on a file server named NUTEXDC.
For the engineering department, a MAM policy was created to protect corporate data when using Excel Online, PowerPoint Online, and Word Online. The policy is causing problems when Engineering users try to use Excel Online on mobile devices.
Technical Requirements
The accounting department plans an upgrade of the accounting software. The database servers will need to be upgraded to SQL Server 2016 to support the new accounting software.
The kiosk computers must use Windows 10 and only use a wired connection instead of a wireless connection.
Several 3D printers must be installed and be ready for full production within the next 5 weeks.
You decide to implement a File Redirection group policy for users in the Atlanta office. You must ensure that all user documents are moved to NUTEXDC.
The 50 computers that will be deployed to Azure Active Directory need to be configured with the following device restrictions:
Stop users from visiting sites that host unsafe content
Real-time monitoring for unwanted software that can affect Microsoft Edge
Prevent users from interacting with Cortana after the Windows 10 device has been locked
User Requirements
The kiosk computers must not allow a user to connect to the nutex.com domain.
Users in the sales tax department should not be able to save changes to their desktop when they log off.
You must configure a device restriction policy for the 50 deployed computers in Azure Active Directory. Which three settings should you configure in Device restrictions?
Correct
The configuration of Intune device policy is similar to the following graphic:
However, in this scenario, you should choose the following device restrictions:
– Windows Defender Antivirus settings
– Windows Defender SmartScreen settings
– Locked Screen experience settings
Windows Defender Antivirus settings allow you to scan all scripts loaded into Microsoft Edge and to enable real-time monitoring for malware, spyware, and other unwanted software and scripts.
Windows Defender SmartScreen settings allow you to enable SmartScreen, which protects users from potential phishing scams. It can also prevent users from visiting known malicious sites and from downloading unverified files.
Locked Screen experience settings allow you to prevent a user from interacting with Cortana after the active user has stepped away from the device and the lock screen appears.
All other settings are incorrect:
App store settings allow you to let apps installed from the Microsoft Store update automatically.
Cloud and storage settings allow you to prevent end users from using a Microsoft account on the device.
Cloud printer settings allow you to configure the printer discovery URL, the printer access authority URL, and other settings.
Display settings allow you to enable GDI DPI scaling for applications that are not DPI aware.
Microsoft Edge Browser settings allow you to configure the browser such as running the browser in kiosk mode, configuring the start experience, configuring the favorites, configuring the default search engine, allowing InPrivate browsing, or configuring browser history settings.
Windows Spotlight settings will disable Windows Spotlight on Windows Tips, Microsoft consumer features, or on the locked screen.
Start settings allow you to override the Start menu layout.
Personalization settings allow you to configure a background picture URL for the desktop.
Password settings allow you to specify the minimum password length, number of sign-in failures before wiping the device, and other password settings.
Network proxy settings allow you to detect proxy settings automatically or to use a manual proxy server.
Reference https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10
Question 56 of 62
56. Question
The Dreamsuites Corporation wants all Windows 10 users in the Sales department to have the same desktop settings. Users will be allowed to temporarily change these settings, but Dreamsuites does not want the altered settings to be saved when the user logs off. You will implement user profiles to achieve this goal.
Which steps will be involved in the process? (Choose all that apply.)
Correct
You will need to log in to a Windows 10 device as a local administrator, not as a member of the domain admins group or any other domain account.
You should then configure the computer settings that will be needed in the profile. For example, you can configure the desktop background, install line-of-business apps, and uninstall default applications that come with the device.
You will then create an answer file named unattend.xml that enables the CopyProfile parameter. You will configure the CopyProfile parameter to copy the signed-on user’s profile to the default user profile.
You could copy that user profile to another user that has logged into the computer by using the System applet in Control Panel. You can click Settings in the User Profiles section. You will see the default profile, and you can choose the Copy To button to select a user.
In the Copy profile to field, you must use the correct extension for the operating system. If your clients are using Windows 10 version 1607 or higher, the folder must end with .v6.
You will make the profile mandatory by renaming NTuser.dat to NTuser.man. This is what prevents user changes from persisting, as required in the scenario. Under Advanced system settings,
You can also make a “super-mandatory” profile by renaming the entire profile path folder name to end in “man.” For example, you could rename \\NutexSrv\Share\Profile.v6 to \\NutexSrv\Share\Profile.man. With a “super-mandatory” profile, the user will not be able to log in if the server that stores the profile is unavailable.
You should not log in to a Windows 10 device as a member of Domain Admins. The process of creating a mandatory user profile removes all domain accounts from the computer. Use a non-production device to perform these actions, as this will be creating a default user profile.
There is no requirement to turn off Windows Spotlight locally indicated in the scenario. Windows Spotlight is a feature that downloads images to the Windows lock screen.
Reference 1 https://docs.microsoft.com/en-us/windows/client-management/mandatory-user-profile
Reference 2 https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile
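The CopyProfile step described above, as an added example that is not from the original test or from Microsoft’s documentation: a minimal unattend.xml answer file that enables CopyProfile in the specialize pass so that the customized local administrator profile is copied over the default user profile. The processorArchitecture value assumes a 64-bit Windows 10 image, and the sysprep command line in the comment is the assumed way of applying the file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example answer file (not from the original test).
     Assumed usage, run from C:\Windows\System32\Sysprep on the non-production
     reference computer after the local administrator has customized the desktop:
         sysprep.exe /generalize /oobe /unattend:unattend.xml
     CopyProfile copies the signed-in account's profile to the Default user
     profile; the copy to the \\server\share\Profile.v6 folder and the rename
     of NTuser.dat to NTuser.man are still performed afterwards, as the steps above describe. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <!-- processorArchitecture="amd64" assumes a 64-bit image; use "x86" for 32-bit -->
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- The only setting this example needs: copy the customized profile to Default -->
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>
```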
Question 57 of 62
57. Question
You are a desktop administrator for Verigon Corporation based in Orlando, FL. You are responsible for deploying Windows 10 to all desktops and laptops in the London branch office. There are no servers in London, but over 500 computers have been deployed in waves. You need to confirm that all of these devices have the latest Windows security updates.
What would be the best way to monitor these updates?
Correct
You will use the Update Compliance component of Windows Analytics. This component can monitor Windows 10 security, quality, and feature updates. This component performs the following:
– Monitors devices running the Windows 10 Professional, Education, and Enterprise editions for security, quality, and feature updates
– Creates a report of compliance issues relating to devices and updates that need attention
– Shows status of Windows Defender Antivirus signatures, as well as threats
– Displays bandwidth savings used by Delivery Optimization across multiple content types
You would not use the Upgrade Readiness component of Windows Analytics. That component determines if a computer is ready to upgrade to Windows 10.
You would not use Windows Autopilot. Autopilot would be useful for deploying the OS to new devices, but it is not used to monitor the status of update delivery.
You could use Windows Update for Business to collect diagnostic information, but by itself it is not a complete monitoring solution. It only gathers data that is used by the Update Compliance component of Windows Analytics.
You would not use System Center Configuration Manager (SCCM) in this scenario. There is no server in the branch location, so this would not be the best way to deliver and monitor these updates. Windows Update for Business is a better way to deliver updates, as it offers a peer-to-peer delivery option that is monitored by the Update Compliance component of Windows Analytics.
Question 58 of 62
58. Question
As an administrator for Verigon Corporation, you are responsible for maintaining essential Windows 10 updates. The main office has several Windows Server 2016 servers. Verigon has a branch office consisting of only Windows 10 Enterprise Edition laptops and network connectivity hardware. You want to keep these laptops current with essential updates. In this small office, network utilization is high and you do not have much bandwidth available.
What is the best way to keep these laptops updated?
Correct
You would use Delivery Optimization. This would allow the branch laptops to get Windows Updates from other laptops on the local network. Delivery Optimization creates a local cache to temporarily store files that have been downloaded.
There would be no benefit to using Windows Analytics with the Update Compliance solution. This would not address the bandwidth issue.
You would not configure BranchCache in hosted mode. Hosted mode would require access to a server in the main office for the updates. That would not alleviate the bandwidth issue. However, BranchCache in distributed mode would be an alternative to Delivery Optimization. You cannot use both, however.
You would not deploy the updates with System Center Configuration Manager (SCCM). There are no SCCM or WSUS servers in the branch office, so this would not alleviate the bandwidth issue.
You would not use the Windows Analytics with Upgrade Readiness solution. You are not upgrading the operating systems of the laptops.
Question 59 of 62
59. Question
Your company has purchased several used computers at an auction. These computers will be upgraded to Windows 10. You want to ensure all personal data, settings, and applications are retained after the upgrade. Here is a sample of the computer configurations:
Which of the following statements are true? (Choose all that apply.)
Correct
The following statements are true:
– You can upgrade WKS1 to the 32-bit version of Windows 10 Education edition.
– You can upgrade WKS2 to the 64-bit version of Windows 10 Enterprise edition.
You cannot upgrade a 64-bit version of Windows to a 32-bit version of Windows because a 32-bit processor cannot support a 64-bit application. However, you can upgrade a 32-bit version of Windows to a 64-bit version of Windows if the computer has a 64-bit processor. A 64-bit processor can support a 32-bit application, but a 32-bit processor cannot support a 64-bit application.
You cannot upgrade WKS3 to the 64-bit version of Windows 10 Pro edition. You cannot downgrade the edition from Enterprise to Pro.
This is a list of compatible versioning:
You cannot upgrade WKS4 to the 64-bit version of Windows 10 Pro edition. WKS4 has a 32-bit processor, which cannot support a 64-bit version of Windows.
Question 60 of 62
60. Question
The Verigon Corporation wants to take full advantage of Azure. They have a new Premium Azure AD subscription. They would like to allow Windows 10 desktop users to synchronize their user and universal application settings (such as Edge settings) to the cloud. All Windows 10 devices have been Azure AD joined.
What should be part of this implementation? (Choose all that apply.)
Correct
You will implement Enterprise State Roaming. This will allow the user settings to synchronize with Azure AD. This is a simple selection in the Azure AD admin center.
The scenario does not indicate a need to implement Azure AD Connect, as a hybrid environment was not mentioned.
You would not implement User Experience Virtualization (UE-V). While this would allow centralizing user settings, they would be stored on a file share, not in Azure AD as required.
You do not need to purchase an Enterprise Mobility + Security license. Enterprise State Roaming is included with a Premium Azure AD subscription.
You do not need to purchase a subscription to Azure Rights Management to meet the scenario. A limited free license is included to encrypt and decrypt the data as needed when Enterprise State Roaming is activated.
Note that enterprise-owned Windows 10 devices that are connected to Azure AD cannot connect their Microsoft accounts to a domain account.
Question 61 of 62
61. Question
A recent audit of the help desk showed that 40% of help desk personnel time was spent dealing with password issues from employees. After implementing smart card readers with employee computers that run Windows 7, your company has decided to replace all the old computers with new computers that run Windows 10. Your company has decided to implement Windows Hello on all of the company’s Windows 10 computers. All of the new computers are equipped with an IR camera.
One of the computers used by an employee, Jack Smith, was stolen by his twin brother who works for a rival company. Jack’s twin brother was able to easily access all files on the computer.
You must implement a plan to ensure a data theft like this will not happen again. The solution should cost as little money as possible since the budget has already been approved. You also must ensure that users do not have to memorize any passwords or keys. What should you recommend?
Correct
The most cost-effective option is to require the employees to set up Windows Hello again and configure the options under Improve recognition. Microsoft introduced a facial recognition feature named Windows Hello in Windows 10. The facial recognition feature has been proven to distinguish between identical twins in field tests. To ensure an identical twin cannot use the facial scan of the other twin, it is recommended that you configure the options under the Improve recognition setting:
You should not add fingerprint scanners to all Windows 10 computers, and require the employees to set up Windows Hello again with a fingerprint. Windows Hello does support fingerprint authentication, along with facial recognition and iris recognition. One of the requirements in this scenario was that you did not want to make additional purchases because of the budget.
You cannot add a chemical biometric device to a Windows 10 computer. Although these biometric devices can provide a DNA print that would be unique to a user, the devices are not currently supported by Windows 10 and would require an extra expense.
You should not add HD audio microphones to all Windows 10 computers or use the existing microphone on all Windows 10 computers to create a voice print. Windows Hello does not support voice print as an authentication method.
You should not add a smart card reader to all Windows 10 computers and configure Group Policy to ensure that employees must use the smart card to log on. Although you do not have to purchase smart card readers because you used them with the old Windows XP computers, the use of smart cards will require the user to know a PIN to log on. One of the requirements was that you would not require users to remember a password or possess a key.
Question 62 of 62
62. Question
You have to install several custom Universal Windows Platform (UWP) apps on your Windows 10 computer. You will have to develop, test, and debug the apps before the apps are used by other people in your company. Since you are developing the applications, you do not have a trusted certificate for the application.
What actions should you perform on your Windows 10 computer?
Correct
You should go to Settings > Update & Security > For developers and choose Developer mode.
Developer mode enables a user to debug Universal Windows Platform (UWP) apps and add other deployment options using Visual Studio. Choosing Sideload apps is more secure than choosing Developer mode. Turning on developer mode does not require a certificate from a trusted source, which is required for sideloading an app. However, both sideloading apps and using developer mode could expose your device and personal data to security risks, since you are installing apps from outside the Windows Store.
You cannot find Developer mode under the System or Personalization options under Settings. Under System, you can change display options, notification options, application options, and power options. Under Personalization, you can set the background, lock screen options, and colors.
The End of Exam. SkillCertPro wishes you all the best for your exam.