Microsoft - MD-102: Endpoint Administrator
Sample Questions
Question: 422
Measured Skill: Protect devices (15–20%)
Note: This is a lab or performance-based testing (PBT) question. To answer, you will perform a set of tasks in a live environment. Some functionality (e.g. copy and paste) will not be possible by design. The right mouse button may not be able to be used. Scoring is based on the outcome of performing the tasks stated in the lab. It doesn't matter how you accomplish the goal.
You need to create an endpoint security policy to turn on Windows SmartScreen for all Windows devices.
To complete this task, sign in to the appropriate admin center.
(This question has to be solved in a lab environment. Click on Solution to see a valid example solution. Answer "True" if you can solve the problem, otherwise select "False".)
Correct answer: A
Solution:
Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. To turn on Windows SmartScreen using an endpoint security policy, we need to create an application control attack surface reduction (ASR) policy.
Step 01: Sign in to the Microsoft Intune admin center (https://intune.microsoft.com/). Browse to Endpoint security > Manage\Attack surface reduction. Select +Create Policy.
Step 02: Select Windows as the platform and Application control as the Profile type. Then click Create.
Step 03: Enter a name for the new profile. Then click Next.
Step 04: Set Turn on Windows SmartScreen to Yes. Then click Next.
Step 05: On the Scope tags page click Next. On the Assignments page click the +Add all devices link to add All devices as included group. Then click Next.
Step 06: On the Review + create page review your configuration. Then click Create to create the endpoint security policy and to finish the task.
Reference: Microsoft Defender SmartScreen
Question: 423
Measured Skill: Prepare infrastructure for devices (25–30%)
Note: This is a lab or performance-based testing (PBT) question. To answer, you will perform a set of tasks in a live environment. Some functionality (e.g. copy and paste) will not be possible by design. The right mouse button may not be able to be used. Scoring is based on the outcome of performing the tasks stated in the lab. It doesn't matter how you accomplish the goal.
You need to create a Conditional Access policy for the sg-Legal group that requires Android devices to be compliant when they connect to Microsoft Office 365. Access to other apps and devices must NOT be affected.
To complete this task, sign in to the appropriate admin center.
(This question has to be solved in a lab environment. Click on Solution to see a valid example solution. Answer "True" if you can solve the problem, otherwise select "False".)
Correct answer: A
Solution:
We need to create a Conditional Access poicy that applies to Android devices only and requires the devices to be marked as compliant when accessing Microsoft Office 365.
Step 01: Sign in to the Microsoft Entra admin center (https://entra.microsoft.com/). Expand Identity and select Protection > Conditional Access. From Conditional Access select +Create new policy.
Step 02: Enter a name for the new policy and add the sg-Legal group to the assignments.
Step 03: From Target resources, include Office 365.
Step 04: From Conditions configure the Device platforms to include Android devices only.
Step 05: From the Grant Access control, enable Require device to be marked as compliant. Then click Select.
Step 06: Set Enable policy to On. Then click Create to create the policy and to finish the task.
Reference: What is Conditional Access?
Question: 424
Measured Skill: Prepare infrastructure for devices (25–30%)
Note: This is a lab or performance-based testing (PBT) question. To answer, you will perform a set of tasks in a live environment. Some functionality (e.g. copy and paste) will not be possible by design. The right mouse button may not be able to be used. Scoring is based on the outcome of performing the tasks stated in the lab. It doesn't matter how you accomplish the goal.
You need to manually register your computer to Windows Autopilot.
The Get-WindowsAutopilotInfo.ps1 PowerShell script is stored in C:\Scripts.
To complete this task, sign in to the appropriate admin center.
(This question has to be solved in a lab environment. Click on Solution to see a valid example solution. Answer "True" if you can solve the problem, otherwise select "False".)
Correct answer: A
Solution:
We need to run the Get-WindowsAutopilotInfo script locally using PowerShell and upload the output file containing the hardware Id to Windows Autopilot using the Microsoft Intune admin center.
Step 01: Start Windows PowerShell in Administrator mode and enter the commands shown below.
Set-Location -Path "C:\Scripts"
Set-ExecutionPolicy RemoteSigned
.\Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
Step 02: Sign in to the Microsoft Intune admin center (https://intune.microsoft.com/). Browse to Devices > Device onboarding\Enrollment and scroll down to the Windows Autopilot section. Then click Devices.
Step 03: Click the Import link in top navigation bar, browse to the C:\Scripts folder and select the previously generated AutopilotHWID.csv file. Then click the Import button.
Step 04: Our computer was successfully registered to Windows Autopilot. The task is completed.
Reference: Manually register devices with Windows Autopilot
Question: 425
Measured Skill: Prepare infrastructure for devices (25–30%)
Note: This is a lab or performance-based testing (PBT) question. To answer, you will perform a set of tasks in a live environment. Some functionality (e.g. copy and paste) will not be possible by design. The right mouse button may not be able to be used. Scoring is based on the outcome of performing the tasks stated in the lab. It doesn't matter how you accomplish the goal.
You need to join your computer to the Microsoft Entra tenant.
To complete this task, sign in to the appropriate admin center.
(This question has to be solved in a lab environment. Click on Solution to see a valid example solution. Answer "True" if you can solve the problem, otherwise select "False".)
Correct answer: A
Solution:
We will use the Settings app to join our existing Windows device to Microsoft Entra ID.
Step 01: Start the Settings app and click on "Accounts".
Step 02: Select "Access work or school" and click on +Connect
Step 03: Click the Join this device to Microsoft Entra ID link.
Step 04: Provide your username and password and sign in to your Microsoft Entra tenant.
Step 05: Verify the tenant and click on Join to join your computer to the tenant.
Step 06: The computer was successfully joined to Microsoft Entra ID. Click on Done. The task is completed.
Reference: Join your work device to your work or school network
Question: 426
Measured Skill: Prepare infrastructure for devices (25–30%)
Note: This is a lab or performance-based testing (PBT) question. To answer, you will perform a set of tasks in a live environment. Some functionality (e.g. copy and paste) will not be possible by design. The right mouse button may not be able to be used. Scoring is based on the outcome of performing the tasks stated in the lab. It doesn't matter how you accomplish the goal.
You need to configure a policy to ensure that all Microsoft Intune-enrolled Windows devices back up their local admin account password to Microsoft Entra only.
To complete this task, sign in to the appropriate admin center.
(This question has to be solved in a lab environment. Click on Solution to see a valid example solution. Answer "True" if you can solve the problem, otherwise select "False".)
Correct answer: A
Solution:
We need to configure the local admin password solution (Windows LAPS) by creating an account protection policy from the Microsoft Intune admin center.
Step 01: Sign in to the Microsoft Intune admin center (https://intune.microsoft.com). Browse to Endpoint security > Manage\Account protection and click on +Create Policy.
Step 02: Select "Windows" as the platform and "Local admin password solution (LAPS)" as the profile type. Then, click on Create
Step 03: Enter a name for the new policy and click on Next.
Step 04: Set "Backup Directory" to "Backup the password to Azure AD only". Then, click Next.
Step 05: On the "Scope tags" page click Next. On the "Assignments" page add the "All devices" group as included group and click on Next.
Step 06: On the "Review + create" page review your configuration. Click on Save to create the policy. The task is completed.
References:
Microsoft Intune support for Windows LAPS
Manage Windows LAPS policy with Microsoft Intune