Microsoft - MD-102: Endpoint Administrator
Sample Questions
Question: 445
Measured Skill: Protect devices (15–20%)
You have a Microsoft 365 E5 subscription.
You have 500 Windows devices that are NOT onboarded.
You need to connect Microsoft Intune with Microsoft Defender for Endpoint and onboard the devices. The solution must minimize administrative effort.
What should you do?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Enable the connection by using: Microsoft Entra Connect
Onboard the devices by using: The Microsoft Intune admin center |
| B | Enable the connection by using: The Microsoft 365 admin center
Onboard the devices by using: The Microsoft Defender portal |
| C | Enable the connection by using: The Microsoft 365 admin center
Onboard the devices by using: Microsoft Entra Connect |
| D | Enable the connection by using: The Microsoft Defender portal
Onboard the devices by using: The Microsoft Intune admin center |
| E | Enable the connection by using: The Microsoft 365 admin center
Onboard the devices by using: The Microsoft 365 admin center |
| F | Enable the connection by using: The Microsoft Intune admin center
Onboard the devices by using: The Microsoft Defender portal |
Correct answer: D
Explanation:
Connecting Microsoft Defender for Endpoint to Intune is a one-time setup per tenant that establishes the service-to-service connection that enables integration features.
To enable the connection you use the Microsoft Defender portal. In the Microsoft Defender portal, go to System > Settings > Endpoints > General > Advanced features. Locate Microsoft Intune connection, toggle it to On, and then select Save preferences.

Device onboarding configures your managed devices to communicate with Microsoft Defender for Endpoint, enabling threat detection and risk assessment. To onboard the devices, you use the Microsoft Intune admin center: under Endpoint security, create an endpoint detection and response (EDR) policy that takes its onboarding configuration from the Defender for Endpoint connector, and assign it to the devices. Because the onboarding package comes from the connector, you do not download or distribute onboarding scripts per device, which is what keeps the administrative effort low for 500 devices.
Reference: Configure Microsoft Defender for Endpoint with Intune and onboard devices
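After the EDR policy has applied, a practitioner usually wants to confirm on a device that onboarding actually completed rather than trusting the portal alone. The following PowerShell is an added example and is not part of the MD-102 sample question or Microsoft's documentation; it reads the Sense service state and the documented OnboardingState registry value (1 = onboarded). The function name Get-MdeOnboardingState is an assumption for this example.

```powershell
# Added example (not from the sample question): verify on a Windows device that
# Defender for Endpoint onboarding pushed by Intune has completed.
# Run in an elevated PowerShell session on the device.

# Documented status location written by the Defender for Endpoint sensor.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-MdeOnboardingState {
    # Function name is an assumption for this example.
    $result = [ordered]@{
        SenseServicePresent = $false
        SenseServiceRunning = $false
        OnboardingState     = $null
    }

    # "Sense" is the Defender for Endpoint sensor service.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($sense) {
        $result.SenseServicePresent = $true
        $result.SenseServiceRunning = ($sense.Status -eq 'Running')
    }

    # OnboardingState = 1 means the device has onboarded; the key is absent
    # on devices that never received an onboarding package.
    if (Test-Path -Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $props.OnboardingState
    }

    [pscustomobject]$result
}

$state = Get-MdeOnboardingState
$state | Format-List

if ($state.OnboardingState -eq 1 -and $state.SenseServiceRunning) {
    Write-Host 'Device is onboarded to Defender for Endpoint.'
} else {
    Write-Warning 'Device is not onboarded yet. Check that the EDR policy is assigned to this device and that the device has synced with Intune.'
}
```

If the service exists but OnboardingState is missing or 0, the device received the sensor but not the onboarding package, which usually means the EDR policy has not applied yet or the Intune connection in the Defender portal was not enabled before the policy was created.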
Question: 446
Measured Skill: Prepare infrastructure for devices (25–30%)
You have a Microsoft Entra tenant that contains the groups shown in the following table.
Microsoft Intune is configured with the enrollment restrictions shown in the following table.
You purchase the devices shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | User2 can enroll Device1 by using the Company Portal app: Yes
User1 can enroll Device2 by using automatic enrollment: Yes
User1 can enroll Device3 by using the Company Portal app: Yes |
| B | User2 can enroll Device1 by using the Company Portal app: Yes
User1 can enroll Device2 by using automatic enrollment: Yes
User1 can enroll Device3 by using the Company Portal app: No |
| C | User2 can enroll Device1 by using the Company Portal app: Yes
User1 can enroll Device2 by using automatic enrollment: No
User1 can enroll Device3 by using the Company Portal app: Yes |
| D | User2 can enroll Device1 by using the Company Portal app: No
User1 can enroll Device2 by using automatic enrollment: Yes
User1 can enroll Device3 by using the Company Portal app: No |
| E | User2 can enroll Device1 by using the Company Portal app: No
User1 can enroll Device2 by using automatic enrollment: No
User1 can enroll Device3 by using the Company Portal app: Yes |
| F | User2 can enroll Device1 by using the Company Portal app: No
User1 can enroll Device2 by using automatic enrollment: No
User1 can enroll Device3 by using the Company Portal app: No |
Correct answer: B
Explanation:
User2 is a member of Group2, so Restriction2 applies. Restriction2 allows enrollment of personally owned devices, and Windows 11 meets the minimum OS version (10.0.22000).
User1 is a member of Group1. Restriction1 applies because it has a higher priority than Restriction2. User1 can use automatic enrollment to enroll devices (treated as company owned) but cannot use the Company Portal app or another manual enrollment method to enroll devices (treated as personally owned).
Whether a device is treated as company owned or personally owned depends on the enrollment method. User-initiated methods identify devices as personally owned, while automatic enrollment identifies devices as company owned.
Windows 11 starts at version 10.0.22000. Any device running Windows 10, regardless of edition, has a version lower than 10.0.22000, so a minimum version requirement of 10.0.22000 means Windows 11 only.
References:
What are enrollment restrictions?
Windows 11 release information
Enrollment guide: Microsoft Intune enrollment
Question: 447
Measured Skill: Manage and maintain devices (30–35%)
You have a Microsoft 365 subscription that uses Microsoft Intune and has the following advanced analytics reports enabled:
- Endpoint analytics
- Application reliability
- Work from anywhere
You purchase a new device named Device1 that is enrolled in Intune.
You need to ensure that advanced analytics reports can be generated for Device1.
Which telemetry should you enable for Device1?
| A | Hardware specifications |
| B | Device cloud-only identity information |
| C | Endpoint performance and user experience data |
| D | Remote wipe status |
Correct answer: C
Explanation:
Microsoft Intune Advanced Analytics delivers deep, actionable insights into the health and performance of your organization's endpoints. Built on the foundation of endpoint analytics, it helps IT teams proactively manage user experience and optimize productivity through data-driven intelligence. By turning raw telemetry into meaningful insights, Advanced Analytics reduces support costs, accelerates problem resolution, and ensures a more reliable technology experience for every user.
Microsoft Intune Advanced Analytics (including Endpoint analytics, Application reliability, and Work from anywhere) is built on endpoint performance and user experience telemetry collected from enrolled devices.
Reference: Advanced Analytics overview
Question: 448
Measured Skill: Protect devices (15–20%)
You have a Microsoft 365 subscription that contains a user named User1 and 500 Windows devices enrolled in Microsoft Intune.
You configure an attack surface reduction (ASR) rule and enable the rule in Warn mode.
User1 downloads a file named file1.exe. When User1 attempts to run file1.exe he receives a prompt that the content has been blocked. The user unblocks the content.
How much time will pass until the user is prompted next to unblock the content?
| A | 10 minutes |
| B | One hour |
| C | 24 hours |
| D | One week |
Correct answer: C
Explanation:
Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!
Attack surface reduction rules target certain software behaviors, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work
Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they're commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.
Warn mode for users
Whenever an attack surface reduction rule blocks content, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.
Reference: Attack surface reduction rules overview
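The scenario configures a rule in Warn mode through Intune. The following PowerShell is an added example, not part of the sample question or Microsoft's documentation; it shows what the equivalent local setting looks like with the Defender PowerShell module and how to read back the effective mode for a rule, which is how you confirm what a device actually received from policy. The rule GUID used is the documented ID of "Block executable content from email client and webmail"; the function name Get-AsrRuleState is an assumption for this example.

```powershell
# Added example (not from the sample question): set one ASR rule to Warn mode
# locally and read back its effective action. Run in an elevated session.
# On Intune-managed devices the policy wins; use this in a lab or only to verify.

# Documented rule ID: "Block executable content from email client and webmail".
$ruleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'

# Add-MpPreference appends to the existing rule list; Set-MpPreference with the
# same parameters would replace the whole list and silently drop other rules.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions Warn

function Get-AsrRuleState {
    # Function name is an assumption for this example.
    param([Parameter(Mandatory)][string]$RuleId)

    # Numeric action values used by Defender: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)

    # Ids and Actions are parallel arrays; match them by index.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $value = [int]$acts[$i]
            return [pscustomobject]@{
                RuleId = $ids[$i]
                Value  = $value
                Action = if ($actionNames.ContainsKey($value)) { $actionNames[$value] } else { "Unknown($value)" }
            }
        }
    }
    return $null   # rule not configured on this device
}

Get-AsrRuleState -RuleId $ruleId
```

Two practical points: the Warn action is stored as the numeric value 6, so a device showing 1 (Block) for a rule you deployed in Warn mode means a conflicting policy or a rule that does not support Warn mode applied instead, and the 24-hour unblock window described above is per user and per device, so the same file prompts again on another machine or after the window expires.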
Question: 449
Measured Skill: Manage applications (15–20%)
You have a Microsoft 365 subscription that uses Microsoft Intune and contains a Microsoft Tunnel for Mobile Application.
You have the devices shown in the following table.

You need to ensure that you can use Tunnel for MAM on each device. The solution must minimize the number of apps required on each device.
Which apps should you install on each device?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Device1: Intune Company Portal only
Device2: Intune Company Portal only |
| B | Device1: No additional apps
Device2: No additional apps |
| C | Device1: Microsoft Defender and Intune Company Portal
Device2: Microsoft Defender only |
| D | Device1: Intune Company Portal only
Device2: Microsoft Defender and Intune Company Portal |
| E | Device1: Microsoft Defender only
Device2: No additional apps |
| F | Device1: No additional apps
Device2: Intune Company Portal only |
Correct answer: E
Explanation:
When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS and that aren't enrolled with Microsoft Intune. With this solution, your users can use a single device that isn't enrolled with Intune to gain secure access to the organization's on-premises apps and resources using modern authentication, single sign-on, and Conditional Access. With Tunnel for MAM, your users can use their own device (BYOD) for both work and personal use, without having to grant the organization's IT department control over that device.
For Microsoft Tunnel for Mobile Application Management (MAM) on Android, the tunnel client is provided by the Microsoft Defender for Endpoint app. This app establishes and manages the VPN tunnel for MAM scenarios on unenrolled (BYOD) devices.
For Microsoft Tunnel for Mobile Application Management (MAM) on iOS/iPadOS, the VPN connection does not rely on a standalone client app such as Microsoft Defender or Intune Company Portal. On iOS/iPadOS, Tunnel for MAM is provided through the Microsoft Tunnel for MAM iOS SDK, which is integrated directly into supported apps, for example, Microsoft Edge or Line-of-Business apps.
References:
Microsoft Tunnel for Mobile Application Management
Microsoft Tunnel for Mobile Application Management for Android
Microsoft Tunnel for Mobile Application Management for iOS/iPadOS