Microsoft - MD-102: Endpoint Administrator
Sample Questions
Question: 368
Measured Skill: Manage and maintain devices (30–35%)
You have a Microsoft 365 E5 tenant that contains Windows devices enrolled in Microsoft Intune as shown in the following table.
You create an Endpoint Privilege Management (EPM) elevation settings policy named ElevationSettings1 that has the following settings:
- Endpoint Privilege Management: Enabled
- Default elevation response: Require user confirmation
- Validation: Business justification
- Assignments: Group1
Each device contains a file named File1.exe that can be run only by an administrator.
You create an EPM elevation rules policy named ElevationRules1 that has the following settings:
- Rule name: Rule1
- Elevation type: Automatic
- File name: File1.exe
- File hash:
- Assignments: Group2
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)

| Option | A user on Device1 must provide a business justification to run File1.exe | A user on Device2 can run File1.exe | A user on Device3 can run File1.exe without providing a business justification |
| --- | --- | --- | --- |
| A | Yes | Yes | Yes |
| B | Yes | Yes | No |
| C | Yes | No | No |
| D | No | Yes | No |
| E | No | No | Yes |
| F | No | No | No |
Correct answer: E
Explanation:
With Microsoft Intune Endpoint Privilege Management (EPM) your organization’s users can run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics.
The EPM elevation settings policy enables EPM for all members of Group1 only and sets a default response for an elevation request of any file that isn't managed by a Windows elevation rule policy. For this setting to have an effect, no rule can exist for the application AND an end user must explicitly request elevation through the Run with elevated access right-click menu.
Device1 is a member of Group1 and Group2. Device1 has EPM enabled through the settings policy. The response for elevation requests of File1.exe is configured to Automatic by the EPM elevation rules policy, so File1.exe is elevated without a prompt and no business justification is requested.
Device2 is not a member of Group1 and does not have EPM enabled. A standard user can't run File1.exe.
Device3 is a member of Group1 and Group2. Device3 has EPM enabled through the settings policy. The response for elevation requests of File1.exe is configured to Automatic by the EPM elevation rules policy, so a user can run File1.exe without providing a business justification.
References:
Use Endpoint Privilege Management with Microsoft Intune
Configure policies for Endpoint Privilege Management
Question: 369
Measured Skill: Prepare infrastructure for devices (25–30%)
You have a Microsoft 365 subscription.
You plan to enroll devices in Microsoft Intune.
You need to meet the following requirements:
- Only allow the enrollment of devices that have a specific international mobile equipment identifier (IMEI).
- Support the enrollment and management of up to 1,000 devices.
Which enrollment setting should you configure for each requirement?
(To answer, drag the appropriate settings to the correct requirements. Each setting may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)

| Option | Only allow the enrollment of devices with a specific IMEI | Support the enrollment and management of up to 1,000 devices |
| --- | --- | --- |
| A | Device limit restriction | Device enrollment managers |
| B | CNAME Validation | Device platform restriction |
| C | Corporate device identifiers | Device enrollment managers |
| D | Device limit restriction | Device enrollment managers |
| E | Device platform restriction | CNAME Validation |
| F | Device platform restriction | Corporate device identifiers |
Correct answer: C
Explanation:
Allowing only the enrollment of devices with a specific IMEI is a two-part configuration: we need to make use of both corporate device identifiers and device platform restrictions.
Corporate device identifiers ensure that corporate devices are marked as corporate-owned as soon as they enroll by adding their corporate identifiers (IMEI or serial number) ahead of time in the Microsoft Intune admin center. Devices that enroll without corporate identifiers are marked as personal. To prevent users from enrolling personal devices we should additionally configure device platform restrictions.
A device enrollment manager (DEM) is a nonadministrator user who can enroll devices in Intune. Device enrollment managers are useful to have when you need to enroll and prepare many devices for distribution. People signed in to a DEM account can enroll and manage up to 1,000 devices, while a standard nonadmin account can only enroll 15.
References:
Identify devices as corporate-owned
Add device enrollment managers
Question: 370
Measured Skill: Prepare infrastructure for devices (25–30%)
You have a hybrid environment that contains a Microsoft Entra tenant and an on-premises Active Directory Domain Services (AD DS) domain. The environment contains the devices shown in the following table.
Which Microsoft Entra join type can each device use?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

| Option | Device1 | Device2 |
| --- | --- | --- |
| A | Microsoft Entra joined only | Microsoft Entra registered only |
| B | Microsoft Entra registered only | Microsoft Entra joined or Microsoft Entra registered only |
| C | Microsoft Entra hybrid joined only | Microsoft Entra hybrid joined only |
| D | Microsoft Entra joined or Microsoft Entra registered only | Microsoft Entra registered, Microsoft Entra joined, or Microsoft Entra hybrid joined |
| E | Microsoft Entra joined or Microsoft Entra registered only | Microsoft Entra registered only |
| F | Microsoft Entra registered, Microsoft Entra joined, or Microsoft Entra hybrid joined | Microsoft Entra registered only |
Correct answer: F
Explanation:
Windows devices can be Microsoft Entra registered, Microsoft Entra joined, or Microsoft Entra hybrid joined. The Microsoft Entra hybrid join type requires a device to be a member of an on-premises Active Directory domain and to be synced to Microsoft Entra ID using either Microsoft Entra Connect or Microsoft Entra Cloud Sync. Device1 can be joined to the on-premises domain (resulting in a Microsoft Entra hybrid joined state), joined directly to Microsoft Entra ID (resulting in a Microsoft Entra joined state), or registered with Microsoft Entra.
Devices running macOS, iOS, Android, or Linux can be Microsoft Entra registered but neither Microsoft Entra joined nor Microsoft Entra hybrid joined.
References:
Microsoft Entra registered devices
Microsoft Entra joined devices
Microsoft Entra hybrid joined devices
Question: 371
Measured Skill: Prepare infrastructure for devices (25–30%)
You have a Microsoft Entra tenant named contoso.com that contains a Windows 11 device named Device1 and a user named User1.
User1 registers Device1 in contoso.com.
Which capability is available to Device1 after registering in contoso.com?
A. Authenticating to cloud resources by using single sign-on (SSO)
B. Enforcing compliance policies
C. Enforcing software updates
D. Enforcing hard drive encryption
Correct answer: A
Explanation:
The goal of Microsoft Entra registered - also known as Workplace joined - devices is to provide your users with support for bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization's resources using a personal device.
Key capabilities after registering a device are:
- Single sign-on (SSO) to cloud resources
- Conditional Access when enrolled into Intune
- Conditional Access via App protection policy
- Phone sign-in with the Microsoft Authenticator app
Reference: Microsoft Entra registered devices
Question: 372
Measured Skill: Prepare infrastructure for devices (25–30%)
You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.
You need to create two dynamic device groups named Group1 and Group2. The solution must meet the following requirements:
- Group1 must contain Device1 and Device2 only.
- Group2 must contain Device1 and Device3 only.
Which device membership rule should you configure for each group?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

| Option | Group1 | Group2 |
| --- | --- | --- |
| A | (device.deviceTrustType -eq "AzureAD") | (device.deviceOSType -eq "iPhone") or (device.deviceOSType -eq "Windows") |
| B | (device.deviceTrustType -eq "AzureAD") | (device.deviceTrustType -eq "AzureAD") or (device.deviceOSType -eq "iPhone") |
| C | (device.displayName -eq "Device1") and (device.displayName -eq "Device2") | (device.deviceOSType -eq "iPhone") and (device.deviceOSType -eq "Windows") |
| D | (device.displayName -eq "Device1") and (device.displayName -eq "Device2") | (device.deviceOSType -eq "iPhone") or (device.deviceOSType -eq "Windows") |
| E | (device.displayName -startsWith "Device") and (device.deviceOSType -eq "Windows") | (device.deviceTrustType -eq "AzureAD") or (device.deviceOSType -eq "iPhone") |
| F | (device.displayName -startsWith "Device") and (device.deviceOSType -eq "Windows") | (device.deviceOSType -eq "iPhone") and (device.deviceOSType -eq "Windows") |
Correct answer: E
Explanation:
You can create user or device attribute-based rules to enable membership for dynamic membership groups in Microsoft Entra ID, part of Microsoft Entra. You can add and remove dynamic membership groups automatically using membership rules based on member attributes. In Microsoft Entra, a single tenant can have a maximum of 15,000 dynamic membership groups.
When the attributes of a user or a device change, the system evaluates all rules for dynamic membership groups in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they're added as a member of that group. If they no longer satisfy the rule, they're removed. You can't manually add or remove a member of a dynamic membership group.
- You can create dynamic membership groups for users or devices, but you can't create a rule that contains both users and devices.
- You can't create a device membership group based on the user attributes of the device owner. Device membership rules can reference only device attributes.
When using deviceTrustType to create dynamic membership groups for devices, set the value to one of the following:
- AzureAD to represent Microsoft Entra joined devices
- ServerAD to represent Microsoft Entra hybrid joined devices
- Workplace to represent Microsoft Entra registered devices
Reference: Manage rules for dynamic membership groups in Microsoft Entra ID
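To see which devices each candidate rule actually selects, here is an added example (not part of the exam material, and not Microsoft's rule engine): a small Python evaluator for the subset of the dynamic membership rule syntax used in this question, run against a constructed device inventory whose attribute values are assumptions chosen to be consistent with option E.

```python
import re

# Constructed sample inventory (the question's device table is not on the page);
# the attribute values are assumptions chosen so that the page's answer, option E, holds.
DEVICES = [
    {"displayName": "Device1", "deviceOSType": "Windows", "deviceTrustType": "AzureAD"},
    {"displayName": "Device2", "deviceOSType": "Windows", "deviceTrustType": "ServerAD"},
    {"displayName": "Device3", "deviceOSType": "iPhone", "deviceTrustType": "Workplace"},
]

# One parenthesised clause of a rule: (device.<attribute> -<operator> "<value>")
CLAUSE = re.compile(r'\(device\.(\w+)\s+-(eq|ne|startsWith|contains)\s+"([^"]*)"\)')

def clause_matches(device, attribute, operator, value):
    """Evaluate one clause against one device record (exact, case-sensitive comparison)."""
    actual = device.get(attribute, "")
    if operator == "eq":
        return actual == value
    if operator == "ne":
        return actual != value
    if operator == "startsWith":
        return actual.startswith(value)
    return value in actual  # -contains

def rule_matches(rule, device):
    """Evaluate clauses joined by 'and'/'or'. Simplification: 'and' binds tighter than
    'or'; every rule on the page uses a single connective, so precedence is moot here."""
    for disjunct in re.split(r"\s+or\s+", rule.strip()):
        outcomes = []
        for conjunct in re.split(r"\s+and\s+", disjunct):
            match = CLAUSE.fullmatch(conjunct.strip())
            if match is None:
                raise ValueError(f"unsupported clause: {conjunct!r}")
            outcomes.append(clause_matches(device, *match.groups()))
        if all(outcomes):
            return True
    return False

def members(rule, devices=DEVICES):
    """Sorted display names of the devices the rule would place in the group."""
    return sorted(d["displayName"] for d in devices if rule_matches(rule, d))

if __name__ == "__main__":
    # Option E's two rules, plus option C's Group1 rule (two -eq tests on one displayName never both hold).
    for rule in (
        '(device.displayName -startsWith "Device") and (device.deviceOSType -eq "Windows")',
        '(device.deviceTrustType -eq "AzureAD") or (device.deviceOSType -eq "iPhone")',
        '(device.displayName -eq "Device1") and (device.displayName -eq "Device2")',
    ):
        print(rule, "->", members(rule))
```

The evaluator deliberately rejects operators it does not model (for example -match), so a rule outside the subset raises rather than silently returning an empty group.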