Microsoft - MS-101: Microsoft 365 Mobility and Security
Sample Questions
Question: 448
Measured Skill: Manage Microsoft 365 Governance and Compliance (35-40%)
Note: This question is based on a case study. The case study is not shown in this demo.
You need to configure the Information governance settings to meet the technical requirements.
Which type of policy should you configure, and how many policies should you configure?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A | Policy type: Label
Number of required policies: 2 |
B | Policy type: Label
Number of required policies: 3 |
C | Policy type: Retention
Number of required policies: 1 |
D | Policy type: Retention
Number of required policies: 2 |
E | Policy type: Auto-labeling
Number of required policies: 1 |
F | Policy type: Auto-labeling
Number of required policies: 3 |
Correct answer: D
Explanation:
The Technical Requirements section contains the following.
Retention settings must be applied automatically to all the data stored in SharePoint Online sites, OneDrive accounts, and Microsoft Teams channel messages, and the data must be retained for five years.
We need to create one retention policy that applies to SharePoint Online sites and OneDrive accounts and a second retention policy that applies to Teams channel messages. Configuring a single policy that applies to all three locations is not possible.
If you select the Teams or Yammer locations when you create a retention policy, the other locations are automatically excluded.
Reference: Create and configure a retention policy
Question: 449
Measured Skill: Implement Microsoft 365 Security and Threat Management (20-25%)
You have a Microsoft 365 E5 subscription that uses Microsoft Intune and contains the devices shown in the following table.

You need to onboard Device1 and Device2 to Microsoft Defender for Endpoint.
What should you use to onboard each device?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A | Device1: A local script
Device2: Microsoft Endpoint Manager |
B | Device1: Group Policy
Device2: Integration with Microsoft Defender for Cloud |
C | Device1: Microsoft Endpoint Manager
Device2: Microsoft Endpoint Manager |
D | Device1: Microsoft Endpoint Manager
Device2: A local script |
E | Device1: An app from the Google Play store
Device2: A local script |
F | Device1: Integration with Microsoft Defender for Cloud
Device2: An app from the Google Play store |
Correct answer: D
Explanation:
You'll need to go to the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided through the appropriate steps and offered the management and deployment tool options suitable for the device.
To onboard devices to the service:
- Verify that the device fulfills the minimum requirements
- Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
- Use the appropriate management tool and deployment method for your devices
- Run a detection test to verify that the devices are properly onboarded and reporting to the service
The following table lists the available tools based on the endpoint that you need to onboard.

Reference: Onboard devices and configure Microsoft Defender for Endpoint capabilities
Question: 450
Measured Skill: Implement Modern Device Services (40-45%)
Your network contains an on-premises Active Directory domain and a Microsoft Endpoint Configuration Manager site.
You have a Microsoft 365 E5 subscription that uses Microsoft Intune. Configuration Manager and Intune are configured to support co-management.
The Configuration Manager co-management settings are configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
(NOTE: Each correct selection is worth one point.)
A | Client apps can be installed on managed devices by using the Software Center, Company Portal or My Apps portal.
Compliance policies are applied to the device collection on the Enablement tab. |
B | Client apps can be installed on managed devices by using the Company Portal only.
Compliance policies are applied to the device collection on the Enablement tab. |
C | Client apps can be installed on managed devices by using the Software Center or Company Portal only.
Compliance policies are applied to the device collection on the Staging tab. |
D | Client apps can be installed on managed devices by using the My Apps portal only.
Compliance policies are applied to the device collection on the Staging tab. |
E | Client apps can be installed on managed devices by using the Software Center, Company Portal or My Apps portal.
Compliance policies are applied to the device collection on the Tenant onboarding tab. |
F | Client apps can be installed on managed devices by using the Software Center only.
Compliance policies are applied to the device collection on the Tenant onboarding tab. |
Correct answer: C
Explanation:
Intune is used to manage client apps and PowerShell scripts on co-managed Windows 10 or later devices. After you transition this workload, any available apps deployed from Intune are available in the Company Portal. Apps that you deploy from Configuration Manager are available in Software Center.
Compliance policies are applied to the co-management Pilot group. The phrase Pilot group is used throughout the co-management feature and configuration dialogs. A pilot group is a collection containing a subset of your Configuration Manager devices. Use a pilot group for your initial testing, adding devices as needed, until you're ready to move the workloads for all Configuration Manager devices. There isn't a time limit on how long a pilot group can be used for workloads. A pilot group can be used indefinitely if you don't wish to move the workload to all Configuration Manager devices. You can change the Pilot collections on the Staging tab of the co-management properties page.
References:
Client apps
How to enable co-management in Configuration Manager
Switch workloads
Question: 451
Measured Skill: Implement Modern Device Services (40-45%)
Your on-premises network contains the device types shown in the following table.
You plan to deploy an in-place upgrade to a 64-bit version of Windows 10 Enterprise by using the Microsoft Deployment Toolkit (MDT).
Which device types will support an in-place upgrade?
A | Type4 and Type5 only |
B | Type3, Type4, and Type5 only |
C | Type1, Type4, and Type5 only |
D | Type1, Type2, and Type5 only |
Correct answer: B
Explanation:
MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today.
In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with Microsoft Endpoint Configuration Manager.
In order to perform an in-place upgrade to the 64-bit version of Windows 10, it is required that the computer to be upgraded is running the 64-bit version of Windows 7, Windows 8 or Windows 8.1.
To start the MDT Deployment Wizard, start the operating system on the computer to be upgraded and run the script file from the following network path: \\MDTHost\DeploymentShare$\Scripts\LiteTouch.vbs.
It doesn't matter whether the computer to be upgraded was installed from a standard installation image or from a custom image. However, a custom image version cannot be used for upgrade. An in-place upgrade requires using the default installation image install.wim.
Operating systems installed on a native virtual hard disk (Type2) cannot be upgraded.
References:
Get started with MDT
Perform an in-place upgrade to Windows 10 with MDT
Question: 452
Measured Skill: Implement Modern Device Services (40-45%)
You have a Microsoft 365 E5 subscription. You plan to use Windows Autopilot to deploy 100 new Windows 10 devices.
You need to collect device information to register the devices with Autopilot.
What should you do?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A | Device information to collect: Hardware hash
Script to run: Get-AutoPilotDiagnostic.ps1 |
B | Device information to collect: Hardware hash
Script to run: Get-WindowsAutoPilotInfo.ps1 |
C | Device information to collect: IP address
Script to run: Get-AutoPilotDiagnostic.ps1 |
D | Device information to collect: MAC address
Script to run: Get-CMAutoPilotHashes.ps1 |
E | Device information to collect: MAC address
Script to run: Get-WindowsAutoPilotInfo.ps1 |
F | Device information to collect: TPM certificate
Script to run: Get-CMAutoPilotHashes.ps1 |
Correct answer: B
Explanation:
To register existing computers for Windows Autopilot, the serial number of the device and a hardware ID (also referred to as hardware hash) are required. To collect the hardware ID from existing devices, the Get-WindowsAutopilotInfo PowerShell script is used.
The script can be downloaded and executed using the following commands:
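# Create a working folder for the hardware hash and switch to it
md c:\HWID
Set-Location c:\HWID
# Relax the execution policy for this PowerShell process only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
# Install the script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutoPilotInfo
# Write the device serial number and hardware hash to a CSV file
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv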
Reference: Adding devices to Windows Autopilot