Microsoft - MD-102: Endpoint Administrator

Sample Questions

Explanation:

Device query allows you to quickly gain on-demand information about the state of your devices. When you enter a query on a selected device, Device query runs a query in real time. The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.

Prerequisites

• To use Device query in your tenant, you must have a license that includes Microsoft Intune Advanced Analytics. Advanced Analytics features are available with:

• The Intune Advanced Analytics Add-on
• Microsoft Intune Suite

• To use Device query on a device, the device must be enrolled in Endpoint Analytics. Learn how to enroll a device in Endpoint Analytics.

• You cannot opt out of cloud notifications (WNS)

• For a user to use Device query, you must assign the Managed Devices - Query permission to them.

• To use Device query, devices must be Intune managed and corporate owned.

• To run remote actions, at a minimum, sign into the Intune admin center with an account that has the Help Desk Operator role. For more information on the different roles, go to Role-based access control (RBAC) with Microsoft Intune.

• To receive the remote action, the device must be connected to the internet and powered on.

Supported platforms

Device query is currently only supported on devices running Windows 10 and later.

Reference: Device query

Explanation:

You can use Microsoft Intune to manage software updates on the following Android Enterprise devices:

• Fully Managed
• Dedicated
• Corporate-Owned Work Profile devices

You have two ways to manage software updates on android:

• Use Firmware Over-the-Air (FOTA), which works for some OEMs.

• If FOTA isn't available you can use Device restrictions profiles, which work for all OEMs.

Firmware Over-the-Air (FOTA) updates allow remotely updating the firmware of devices using a wireless connection, rather than requiring the devices to be physically connected to a computer or network.

A FOTA update can include software and security patches, feature updates, and other changes to the device's firmware. This method is more efficient, convenient, and more secure than manual updates and can be performed on a scheduled or on-demand basis.

In the context of FOTA, a deployment is an update policy that includes instructions about the firmware update to be deployed to devices and other update-related settings. For example, Schedule type, and charging requirements.

In addition, Microsoft Intune supports FOTA update management for supported devices from the following manufacturers.

• Zebra
• Samsung

To enable communication between Intune and the OEM’s firmware update infrastructure, we need to configure a connector.

References:

Android FOTA Updates

Zebra LifeGuard Over-the-Air Integration with Microsoft Intune

• Configure Microsoft Tunnel for managed devices.
• Validate that user devices meet the prerequisites for Tunnel for MAM.
• Create app configuration policies for Microsoft Defender and Microsoft Edge.

Explanation:

When you add Microsoft Tunnel for Mobile Application Management (MAM) to your tenant, you can use Microsoft Tunnel VPN Gateway with unenrolled Android devices to support MAM scenarios. With support for MAM, your unenrolled devices can use Tunnel to securely connect to your organization allowing users and apps safe access to your organizational data.

To extend your existing Microsoft Tunnel configuration to support MAM, create and deploy three profiles that configure this support on your unenrolled devices:

• App configuration policy for Microsoft Defender. This policy configures Microsoft Defender for Endpoint on a device as the VPN tunnel client app.

• App configuration policy for Microsoft Edge. This policy configures Microsoft Edge to support identity-switch, which automatically connects and disconnects the VPN tunnel when switching from a Microsoft "Work or school" account to a Microsoft "personal account" in Microsoft Edge.

• App protection policy to automatically start the connection to Microsoft Tunnel when the MAM enabled app on the device accesses corporate resources.

Reference: Microsoft Tunnel for Mobile Application Management for Android

Explanation:

Before Intune and Defender for Endpoint can work together, you must set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. This is a one-time action per tenant. Setup requires administrative access to both the Microsoft Defender Security Center and the Microsoft Intune admin center.

On the advanced features pane from the Endpoint settings in the Microsoft Defender portal, we need to locate the entry for Microsoft Intune connection and set the toggle to On.

With a connection between Intune and Defender established, Intune automatically receives an onboarding configuration package from Defender that can be used by Intune to onboard Windows devices. This package is used by Intune EDR policy to configure devices to communicate with Microsoft Defender for Endpoint services and to scan files and detect threats.

Onboarding of a device using the configuration package is a one-time action.

To deploy the onboarding package for Windows devices, you can choose to use a preconfigured EDR policy option, which deploys to the All devices group to onboard all applicable Windows devices, or you can manually create the EDR Policy for more granular deployments, which requires you to complete a few additional steps.

References:

Integrate Microsoft Defender for Endpoint with Intune and Onboard Devices

Onboard Windows devices to Defender for Endpoint using Intune

Explanation:

We should create a Policy for Microsoft 365 apps either from the Microsoft 365 Apps admin center or from Microsoft Intune ans set the "Block macros from running in Office files from the INternet" setting to "Enabled".

The policy scope can be configured to all users or to users in a specified group.

References:

Policies for Microsoft 365 apps

Overview of the Microsoft 365 Apps admin center