Microsoft - MD-102: Endpoint Administrator
Sample Questions
Question: 325
Measured Skill: Manage, maintain, and protect devices (40–45%)
You have a Microsoft 365 E5 subscription and use Microsoft Intune.
You purchase 50 Windows devices.
You configure automatic enrollment to Intune for Microsoft Entra joined devices.
You need to use a provisioning package to join the devices to Microsoft Entra.
What should you use to create the provisioning package, and what is the maximum amount of time you can use the package for bulk enrollment?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Use: Intune Company Portal
Maximum amount of time: 90 days |
| B | Use: Intune Company Portal
Maximum amount of time: 30 days |
| C | Use: Microsoft Deployment Toolkit (MDT)
Maximum amount of time: 365 days |
| D | Use: Windows Configuration Designer
Maximum amount of time: 30 days |
| E | Use: Windows Configuration Designer
Maximum amount of time: 180 days |
| F | Use: Windows Setup
Maximum amount of time: 365 days |
Correct answer: EExplanation:
To bulk enroll devices for your Microsoft Entra tenant, you create a provisioning package with the Windows Configuration Designer (WCD) app. Applying the provisioning package to corporate-owned devices joins the devices to your Microsoft Entra tenant and enrolls them for Intune management. Once the package is applied, it's ready for your Microsoft Entra users to sign in.
The token validity period of the provisioning package is 180 days.
Reference: Bulk enrollment for Windows devices
Question: 326
Measured Skill: Manage, maintain, and protect devices (40–45%)
You have a Microsoft 365 E5 subscription.
You need to configure the automated investigation and response (AIR) remediation level for a device named Device1 to require approval for all folders.
What should you create?| A | A security group |
| B | A device group |
| C | An administrative unit |
| D | An action group |
Correct answer: BExplanation:
The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. All remediation actions, whether pending or completed, are tracked in the Action center. In the Action center, pending actions are approved (or rejected), and completed actions can be undone if needed.
The AIR remediation level is configured per Defender for Endpoint device group.
References:
Overview of automated investigations
Automated investigation and response (AIR) in Microsoft Defender for Office 365
Question: 327
Measured Skill: Manage identity and compliance (15–20%)
You have a Microsoft 365 E5 subscription that includes Microsoft Intune.
You need to configure a compliance policy for the iOS/iPadOS platform. The solution must meet the following requirements:
- Require jailbroken devices to be marked as noncompliant.
- Mark devices without a password lock as noncompliant.
Which compliance policy settings should you configure for each requirement?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Require jailbroken devices to be marked as noncompliant: Device Health
Require a password to unlock mobile devices: Device Properties |
| B | Require jailbroken devices to be marked as noncompliant: Device Health
Require a password to unlock mobile devices: System Security |
| C | Require jailbroken devices to be marked as noncompliant: Device Properties
Require a password to unlock mobile devices: Device Health |
| D | Require jailbroken devices to be marked as noncompliant: Device Properties
Require a password to unlock mobile devices: System Security |
| E | Require jailbroken devices to be marked as noncompliant: System Security
Require a password to unlock mobile devices: Device Health |
| F | Require jailbroken devices to be marked as noncompliant: System Security
Require a password to unlock mobile devices: Device Properties |
Correct answer: BExplanation:
To mark jailbroken devices as noncompliant, we need to configure the Device Health setting. To mark devices without a password lock as noncompliant, we need to configure the System Security settings.
Question: 328
Measured Skill: Manage identity and compliance (15–20%)
You have a Microsoft 365 tenant that uses Microsoft Intune to manage the devices shown in the following table.
You need to deploy a compliance solution that meets the following requirements:
- Marks the devices as Not Compliant if they do not meet compliance policies.
- Remotely locks noncompliant devices.
What is the minimum number of compliance policies required, and which devices support the remote lock action?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Minimum number of compliance policies required: 1
Devices that support the remote lock action: Device4 and Device5 only |
| B | Minimum number of compliance policies required: 2
Devices that support the remote lock action: Device2 and Device3 only |
| C | Minimum number of compliance policies required: 3
Devices that support the remote lock action: Device1 only |
| D | Minimum number of compliance policies required: 3
Devices that support the remote lock action: Device1, Device2, Device3, Device4, and Device5 |
| E | Minimum number of compliance policies required: 4
Devices that support the remote lock action: Device2, Device3, Device4, and Device5 only |
| F | Minimum number of compliance policies required: 5
Devices that support the remote lock action: Device1 only |
Correct answer: EExplanation:
We need to create one compliance policy for Windows 10 and later, One for Android device administrator, one for Android Enterprise and one for iOS/iPadOS.
The Remote lock device action locks the device. To unlock the device, the device owner enters their passcode. You can remotely lock devices that have a PIN or password set. Devices that don't have a PIN or password can't be remotely locked.
When Remote lock is applied to a device that doesn’t have a PIN or password, the device’s screen will turn off but the device will not be locked and the user will be able to wake the device and start using it again without entering a PIN or password. Ensure devices have a PIN or password policy enforced before using the Remote lock action to lock the device.
Remote lock is supported for the following platforms:
- Android
- Android Enterprise kiosk devices
- Android Enterprise work profile devices
- Android Enterprise fully managed devices
- Android Enterprise corporate-owned with work profile devices
- Android Open Source Project (AOSP) devices
- iOS
- macOS
Remote lock isn't supported for:
Reference: Remotely lock devices with Intune
Question: 329
Measured Skill: Manage identity and compliance (15–20%)
Your network contains an on-premises Active Directory Domain Services (AD DS) domain.
You have a Microsoft 365 E5 subscription that includes Microsoft Intune and syncs with the AD DS domain.
Windows Local Administrator Password Solution (Windows LAPS) is enabled in Microsoft Entra ID.
The subscription has the custom roles shown in the following table.
Microsoft Entra contains the users shown in the following table.
You have the devices shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | User1 can use Microsoft Entra to read the local administrator password of Device1: Yes
User2 can use Microsoft Entra to read the local administrator password of Device2: Yes
User3 can use Microsoft Entra to read the local administrator password of Device3: Yes |
| B | User1 can use Microsoft Entra to read the local administrator password of Device1: Yes
User2 can use Microsoft Entra to read the local administrator password of Device2: Yes
User3 can use Microsoft Entra to read the local administrator password of Device3: No |
| C | User1 can use Microsoft Entra to read the local administrator password of Device1: No
User2 can use Microsoft Entra to read the local administrator password of Device2: Yes
User3 can use Microsoft Entra to read the local administrator password of Device3: No |
| D | User1 can use Microsoft Entra to read the local administrator password of Device1: No
User2 can use Microsoft Entra to read the local administrator password of Device2: Yes
User3 can use Microsoft Entra to read the local administrator password of Device3: Yes |
| E | User1 can use Microsoft Entra to read the local administrator password of Device1: No
User2 can use Microsoft Entra to read the local administrator password of Device2: No
User3 can use Microsoft Entra to read the local administrator password of Device3: Yes |
| F | User1 can use Microsoft Entra to read the local administrator password of Device1: No
User2 can use Microsoft Entra to read the local administrator password of Device2: No
User3 can use Microsoft Entra to read the local administrator password of Device3: No |
Correct answer: EExplanation:
LAPS is supported on Microsoft Entra joined or Microsoft Entra hybrid joined devices only.
Required roles or permission
Other than the built-in Microsoft Entra roles like Cloud Device Administrator and Intune Administrator that are granted device.LocalCredentials.Read.All, you can use Microsoft Entra custom roles or administrative units to authorize local administrator password recovery. For example:
Custom roles must be assigned the microsoft.directory/deviceLocalCredentials/password/read permission to authorize local administrator password recovery. You can create a custom role and grant permissions using the Microsoft Entra admin center, Microsoft Graph API or PowerShell. Once you create a custom role, you can assign it to users.
You can also create a Microsoft Entra ID administrative unit, add devices, and assign the Cloud Device Administrator role scoped to the administrative unit to authorize local administrator password recovery.
References:
Get started with Windows LAPS and Microsoft Entra ID
Windows Local Administrator Password Solution in Microsoft Entra ID