Free MD 102 Practice Questions – 2026 Updated

The evaluation of these statements hinges on understanding how Microsoft Intune applies enrollment restrictions based on user group membership and priority. Statement 1: User2 is a member of Group2. The only restriction that applies to Group2 is Restriction2 (Priority 2). Restriction2 allows personally owned devices to enroll and requires a minimum Windows version of 10.0.22000. Device1 runs Windows 11, which has a build number of 10.0.22000 or higher, thus meeting the version requirement. Since all conditions of Restriction2 are met, User2 can enroll the personally owned Device1. Statement 2: User1 is a member of Group1. User1 is targeted by both Restriction1 (via Group1) and Restriction2 (via Group1). When multiple restrictions apply, the one with the highest priority (lowest number) is enforced. In this case, Restriction1 (Priority 1) takes precedence over Restriction2 (Priority 2). Restriction1 explicitly blocks personally owned devices. Automatic enrollment for a user's device (not provisioned via AutoPilot or DEM) is treated as a personal enrollment. Therefore, the enrollment is blocked. Statement 3: Similar to the previous statement, User1 is subject to Restriction1 due to its higher priority. Enrolling a device using the Company Portal app is the standard method for personally owned (BYOD) devices. As Restriction1 blocks the enrollment of personally owned devices, User1 cannot enroll Device3.

Microsoft Intune Documentation: Create a device platform enrollment restriction - This

document explains how to configure platform restrictions, including settings for personally

owned devices and OS versions. It also clarifies how priorities are applied when a user or

device is in multiple groups.

URL: https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set#create-adevice-platform-restriction

Microsoft Intune Documentation: Scenario: Block personal Windows devices - This guide

provides a direct example of creating a policy with the highest priority (1) to block personally

owned Windows devices from enrolling, which is the exact scenario affecting User1.

URL: https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictionsscenarios#scenario--block-personal-windows-devices

Windows 11 Release Information: This official documentation confirms that the initial

release version of Windows 11 corresponds to build 10.0.22000, which satisfies the

condition in Restriction2.

URL: https://docs.microsoft.com/en-us/windows/release-health/release-information

To collect and analyze Windows events in Azure, a Log Analytics workspace must be created. This workspace serves as the central repository for log data and provides the query and analysis tools necessary for creating alerts. To send event data from the Windows 10 computers to the Log Analytics workspace, the Azure Monitor Agent (AMA) must be installed and configured on them. The AMA is the modern, recommended agent for collecting telemetry from Windows client and server operating systems for Azure Monitor. It is configured using Data Collection Rules (DCRs) to specify which events to collect and the destination workspace.

1. Microsoft Learn | Log Analytics workspace overview: "A Log Analytics workspace is a

unique environment for log data from Azure Monitor... The workspace provides a

geographic location for the data, data isolation, and scope for configurations like data

retention."

URL: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspaceoverview

2. Microsoft Learn | Azure Monitor Agent overview: "The Azure Monitor agent (AMA) collects

monitoring data from the guest operating system of Azure and hybrid virtual machines and

delivers it to Azure Monitor... The Azure Monitor agent replaces the Log Analytics agent..."

URL: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agentoverview

3. Microsoft Learn | Collect Windows events with Azure Monitor Agent: "This article

describes how to collect Windows events from virtual machines with the Azure Monitor

Agent... You can collect events from the standard Windows event logs... To collect Windows

events, you create a data collection rule (DCR)."

URL: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collectionwindows-events

Remote actions in Microsoft Intune, such as Locate device (Action1) and Remote lock (Action2), require that a device be enrolled in and managed by Intune. Statement 1 is No: Device1 is not managed by Intune (MDM is set to None). Therefore, Intune cannot perform any remote actions on it, including locating the device. The device must be enrolled in MDM for such actions to be available. Statement 2 is Yes: Device2 is a Windows 11 device that is managed by Microsoft Intune. The Remote lock action is fully supported for Windows devices that are enrolled in Intune. Statement 3 is Yes: Device3 is an Android device that is managed by Microsoft Intune. The Remote lock action is also supported for Android devices enrolled in Intune.

Microsoft Intune Documentation - Remotely run actions on devices: This document provides

an overview of remote actions, explicitly stating they are run on devices managed by Intune.

Source: Microsoft Learn

URL: https://learn.microsoft.com/en-us/mem/intune/remote-actions/device-management

Microsoft Intune Documentation - Locate device: This source confirms that the "Locate

device" action is only available for devices managed by Intune and lists supported

platforms, which include Windows.

Source: Microsoft Learn

URL: https://learn.microsoft.com/en-us/mem/intune/remote-actions/device-locate

Microsoft Intune Documentation - Remote lock: This document lists the platforms that

support the "Remote lock" action, including Android and Windows, and confirms the action

requires device enrollment in Intune.

Source: Microsoft Learn

URL: https://learn.microsoft.com/en-us/mem/intune/remote-actions/device-remote-lock

To enforce the use of specific passwordless MFA methods, the "Require authentication strength" grant control must be used. This control allows administrators to select a built-in or custom authentication strength that includes only passwordless methods (like FIDO2 security keys or Passwordless phone sign-in). The generic "Require multifactor authentication" option would permit any registered MFA method, not just passwordless ones. The policy must target the "Windows Azure Service Management API" cloud app. This app represents access to the Azure portal, Azure PowerShell, and the Azure CLI, which are all interfaces for managing Azure resources through the Azure Resource Manager.

Microsoft Learn | Conditional Access - Grant: This document details the "Require

authentication strength" control, explaining that it allows administrators to specify the exact

authentication methods required for access. It explicitly lists "Passwordless MFA" as a built-

in authentication strength.

URL: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-accessgrant#require-authentication-strength

Section: "Require authentication strength"

Microsoft Learn | Conditional Access - Cloud apps or actions: This documentation identifies

common cloud apps for Conditional Access policies. It specifies that to secure Microsoft

Azure Management—which includes the Azure portal, Azure PowerShell, and the Azure

CLI—the correct application to select is "Windows Azure Service Management API."

URL: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-accesscloud-apps#microsoft-azure-management

Section: "Microsoft Azure Management"

The available authentication methods for each user are determined by what they have registered in Microsoft Entra ID. Verification code: This method relies on a time-based one-time password (TOTP) generated by a software or hardware OATH token. In this scenario, User2, User3, and User4 are all registered to use a "Software OATH token," which provides such a code. Therefore, they can all use the "Use a verification code" option. Text: This method sends a verification code via an SMS message to a registered phone number. Only User1 has "Mobile phone" listed as their registered method, which enables authentication via text message or phone call. The other users are registered with app- based methods, not SMS.

Microsoft Entra Authentication Methods Documentation: This official documentation outlines

the various authentication methods available in Microsoft Entra ID.

SMS-based authentication: "With SMS-based authentication, users can sign in without

providing, or even knowing, their user name and password. The user instead enters their

phone number, receives a text message with a verification code, and enters that code in the

sign-in interface." This corresponds to User1.

OATH tokens: "Microsoft Entra ID supports the use of OATH-TOTP SHA-1 tokens...

Customers can get these tokens from the vendor of their choice. OATH software tokens are

typically available in applications such as the Microsoft Authenticator app and other

authenticator apps." This corresponds to User2, User3, and User4.

Source: Microsoft Learn, "Authentication methods and features," available at:

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods (Refer to

sections on SMS and OATH tokens).

Remote Help is a cloud-based solution available in Microsoft Intune that enables administrators to establish a secure, shared-screen connection to a user's device. This allows for direct, interactive assistance where both the administrator and the user can see the session. Endpoint Privilege Manager (EPM) is a component of the Intune Suite designed to support a zero-trust architecture and the principle of least privilege. It allows a standard user to perform tasks that require administrative rights. When an administrator is in a Remote Help session and needs to run a process with elevated permissions, EPM provides a mechanism to grant just-in-time elevation for that specific task without making the user a permanent local administrator.

Microsoft Learn | Remote Help: "Remote Help is a cloud-based solution for secure help

desk connections with role-based access controls... With the connection, your support staff

can remote connect to the user's device. During the session, the support staff can view the

device's display and if permitted by the user, take full control."

Source: Microsoft, "Use Remote Help with Microsoft Intune," Microsoft Learn,

(learn.microsoft.com/en-us/mem/intune/remote-actions/remote-help).

Microsoft Learn | Endpoint Privilege Manager: "With Microsoft Intune Endpoint Privilege

Management (EPM), your organization's users can run as a standard user (without

administrator rights) and complete tasks that require elevated privileges... When Remote

Help is used to assist a standard user, the helper can seamlessly request elevation for a

specific application on the user's device."

Source: Microsoft, "Overview of Endpoint Privilege Management with Microsoft Intune,"

Microsoft Learn, (learn.microsoft.com/en-us/mem/intune/protect/endpoint-privilege-

management).

The membership of each device is determined by mapping its "Join type" to the device.deviceTrustType attribute used in the dynamic group rules. Microsoft Entra joined maps to deviceTrustType "AzureAD". Microsoft Entra hybrid joined maps to deviceTrustType "ServerAD". Microsoft Entra registered maps to deviceTrustType "Workplace". Device1: No Device1 is Microsoft Entra hybrid joined, so its deviceTrustType is "ServerAD". It does not match the rule for Group1 ("AzureAD") or Group2 ("Workplace"). Therefore, it is not a member of either group. Device2: No Device2 is Microsoft Entra joined (deviceTrustType is "AzureAD") and its OS is Windows. It matches both conditions for Group1. However, it does not match the rule for Group2 ("Workplace"). Therefore, it is a member of Group1 only, making the statement false. Device3: Yes Device3 is Microsoft Entra registered, so its deviceTrustType is "Workplace". It matches the rule for Group2. It does not match the deviceTrustType rule for Group1 ("AzureAD"). Therefore, it is a member of Group2 only.

Microsoft Entra Documentation: Dynamic membership rules for groups in Microsoft Entra

ID. This official documentation lists the properties available for device rules. Under the

deviceTrustType property, it specifies the possible values: "The trust type of the device. The

possible values are AzureAD, ServerAD (for hybrid joined), or Workplace (for registered)."

URL: https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership

The CustomSettings.ini file contains the rules that govern the deployment process. To prompt for the local Administrator password, the AdminPassword property is left blank in this file, which causes the deployment wizard to display the corresponding page. To define a computer naming convention, the OSDComputerName property is set in CustomSettings.ini (e.g., OSDComputerName=PC-%SerialNumber%). Modifications to CustomSettings.ini are processed after the Windows Preinstallation Environment (WinPE) connects to the deployment share, and therefore do not require updating the WinPE boot image, satisfying all requirements of the question. The Bootstrap.ini file is processed by WinPE itself, and changes to it would necessitate a WinPE image update.

1. Microsoft Learn. (2023). Configure MDT deployment share rules. This document explicitly

shows how to configure rules like computer naming (OSDComputerName) in the

CustomSettings.ini file. It also explains that the wizard will prompt for information not

supplied in the rules.

URL: https://learn.microsoft.com/en-us/windows/deployment/deploy-windowsmdt/configure-mdt-deployment-share-rules

2. Microsoft Learn. (2023). MDT toolkit reference. This reference details the properties used

in MDT rules. It lists AdminPassword and OSDComputerName as properties configured in

the rules files (CustomSettings.ini). It also clarifies the distinction between Bootstrap.ini (for

connecting to the share) and CustomSettings.ini (for controlling the deployment).

URL: https://learn.microsoft.com/en-us/mem/configmgr/mdt/toolkit-reference#properties

URL: https://learn.microsoft.com/en-us/mem/configmgr/mdt/toolkitreference#understanding-rules-files

Microsoft Tunnel for Mobile Application Management (MAM) has specific operating system version requirements. It is supported on Android 10.0 and later and iOS/iPadOS 14.0 and later. Therefore, Device2 (Android 13) and Device3 (iOS 15.8.3) meet these criteria, while Device1 (iOS 13.7) does not. A standard per-app VPN is a broader capability supported by Microsoft Intune's device management for modern mobile operating systems. All three devices listed—Device1 (iOS 13.7), Device2 (Android 13), and Device3 (iOS 15.8.3)—support the configuration of a per- app VPN tunnel through Intune device configuration policies.

Microsoft Learn | Microsoft Tunnel for MAM: This official documentation specifies the

prerequisites for using Tunnel for MAM.

Source: Microsoft Official Documentation

URL: https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-tunnel-mam

Specific Section: Under the "Prerequisites" section, it explicitly lists the supported platforms

and versions: "iOS/iPadOS 14.0 and later" and "Android Enterprise 10.0 and later."

Microsoft Learn | Create per-app VPN profiles: This document outlines how to set up per-

app VPN for various platforms, confirming its availability for the listed operating systems.

Source: Microsoft Official Documentation

URL: https://learn.microsoft.com/en-us/mem/intune/configuration/vpn-settings-per-app

Specific Section: The article provides configuration guidance for both "Android Enterprise"

and "iOS/iPadOS," demonstrating that this is a standard feature for both platforms managed

by Intune.

Based on the provided iOS app protection policy settings: The Access requirements section has both PIN for access and Work or school account credentials for access set to Require. The setting Recheck the access requirements after /minutes of inactivity is configured for 30 minutes. Therefore, after 30 minutes of inactivity, the user must satisfy all the required access settings, which includes providing both their PIN and their work or school account credentials. The Conditional launch section specifies the actions taken based on certain conditions. The setting Max PIN attempts is set to 5, and the corresponding Action is explicitly defined as Reset PIN. This means that after five incorrect PIN attempts, the system will force a reset of the application PIN.

Source: Microsoft Learn | Official Microsoft Intune Documentation

Reference 1: iOS/iPadOS app protection policy settings - Access requirements. This

document details the access settings for Intune app protection policies. It specifies that

when multiple access requirements like 'PIN for access' and 'Work or school account

credentials for access' are set to 'Require', and the 'Recheck the access requirements after

(minutes of inactivity)' timer expires, the user will be prompted to satisfy those requirements.

URL: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settingsios#access-requirements

Section: Access requirements > "Recheck the access requirements after (minutes of

inactivity)"

Reference 2: iOS/iPadOS app protection policy settings - Conditional launch. This

document explains the conditional launch settings. It confirms that the Max PIN attempts

setting, when reached, triggers the configured action. The available actions are Reset PIN

or Wipe data. The exhibit shows Reset PIN is the configured action.

URL: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settingsios#conditional-launch

Section: Conditional launch > "App PIN" settings > "Max PIN attempts"

/apps/app-protection-policy-settings-ios#restrict-cut-copy-and-paste-between-other-apps

The goal is to implement Microsoft Tunnel for Mobile Application Management (MAM), which is specifically designed for devices not enrolled in Intune. Device1 is an Android device that is correctly "Not enrolled". To enable Tunnel for MAM, three applications are required: the Intune Company Portal, Microsoft Edge, and Microsoft Defender for Endpoint. The table shows that Device1 already has the Company Portal and Edge installed. Therefore, the only remaining action is to install the Microsoft Defender for Endpoint app, which functions as the tunnel client. The table indicates Device2 is an iOS device that is "Enrolled" in Intune. Microsoft Tunnel for MAM is exclusively for unenrolled devices. To meet the goal, the device must be unenrolled. Assuming this blocking issue is resolved, the device must also have the required applications. Device2 only has the Intune Company Portal installed. For a user to access an on-premises web app like App1 on iOS via Tunnel for MAM, they must use the Microsoft Edge browser. While the Defender for Endpoint app is also required to create the tunnel, installing Edge is the most direct action to enable the specific user task of accessing the web app.

Microsoft Learn: Microsoft Tunnel for Mobile Application Management

This document explicitly states, "Microsoft Tunnel for Mobile Application Management

(MAM) extends the Microsoft Tunnel VPN gateway to support devices that run Android or

iOS, and that are not enrolled with Microsoft Intune." It also lists the required applications

for both platforms.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-tunnel-mam

Microsoft Learn: Use Microsoft Tunnel for MAM with iOS/iPadOS devices

This source details the prerequisites for iOS, which include Microsoft Edge, Microsoft

Defender for Endpoint, and the Intune Company Portal. It clarifies the architecture where

Edge is the application used to access on-premises resources through the tunnel.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-tunnel-mam-ios

The Microsoft Intune MDM user scope is set to GroupA. User1 is a member of GroupA. Therefore, when User1 performs an Azure AD join, the device will be automatically enrolled in Intune as per the configured automatic enrollment settings. The MDM user scope for automatic enrollment is limited to GroupA. User2 is a member of GroupB but not GroupA. Consequently, a device joined to Azure AD by User2 will not be automatically enrolled in Intune. User2 is in the MAM scope, which applies to application management, not full device MDM enrollment. User3 is a member of both GroupA and GroupB. Since the MDM user scope is configured for GroupA, User3 meets the criteria for automatic Intune enrollment upon joining a device to Azure AD. Membership in the MAM scope (GroupB) does not prevent MDM enrollment.

1. Set up automatic enrollment for Windows devices: Microsoft Learn, Enroll Windows

devices in Intune by using the Company Portal, Section: "Set up automatic enrollment for

Windows devices". This document explains that configuring the MDM user scope allows

devices to be automatically enrolled in Intune when they are joined to Azure AD by a user

who is a member of the scoped group.

2. Quickstart - Set up automatic enrollment for Windows 10/11 devices: Microsoft Learn,

Intune enrollment and compliance, Section: "Prerequisites". This guide details how to

configure MDM and MAM scopes and clarifies that for Windows 10/11 devices, the MDM

user scope setting enables automatic enrollment for Azure AD joined devices.

Microsoft Intune allows you to define dependencies for Win32 apps to control the installation order. To ensure App1 is installed before App2, you must configure App2 to have a dependency on App1. This is done within the properties of the App2 application in the Intune admin center. When the policy for App2 is received by a device, the Intune management extension will first check for the presence of App1. If App1 is not installed, it will be installed first, after which the installation of App2 will proceed.

the App1 deployment configurations: Dependencies are defined on the application that requires a prerequisite (the dependent app), not on the prerequisite app itself. a dynamic device group: Device groups are used for targeting assignments (i.e., which devices should receive the app), not for managing the installation order between different applications.

Microsoft Learn: "Win32 app management in Microsoft Intune". This document details the

process of adding and configuring Win32 apps, including the "Dependencies" step. It states,

"Win32 app dependencies are apps that must be installed before your Win32 app can be

installed." This configuration is part of the dependent app's properties.

URL: https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-dependencies

Microsoft Learn: "Add, assign, and monitor a Win32 app in Microsoft Intune". In the section

"Step 5: Dependencies," it explicitly shows how to add a dependency to an app, confirming

this is configured on the dependent application (App2).

URL: https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-add#step-5dependencies

To enable the self-service password reset (SSPR) link on the Windows sign-in screen for Azure AD-joined devices managed by Intune, an administrator must create and deploy a device configuration profile. This profile pushes the necessary policy settings to the targeted Windows devices, which modifies the local operating system to display the "Reset password" option. This is a direct device configuration task, not a function of enrollment, compliance, or access policies.

Device enrollment: This section manages how devices are initially onboarded into Intune, not the specific features configured on them after enrollment. Conditional access: This enforces access control policies for cloud applications based on conditions, but it does not configure client-side features like the sign-in screen UI. Device compliance: This is used to define and evaluate the health and security posture of a device, not to deploy functional settings to it.

1. Microsoft Learn: "Enable Azure Active Directory self-service password reset at the

Windows sign-in screen". This document explicitly states, "To configure a Windows 11 or

Windows 10 device for SSPR at the sign-in screen, you can use Microsoft Intune. [...] In

Intune, you create a device configuration profile to enable the SSPR link."

URL: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-ssprwindows#configure-for-sspr-using-microsoft-intune

2. Microsoft Learn: "Create a device profile in Microsoft Intune". This document describes

the purpose of device configuration profiles: "Use device configuration profiles to manage

settings on your devices. [...] For example, you can create a profile that enables the SSPR

link on the sign-in screen."

URL: https://learn.microsoft.com/en-us/mem/intune/configuration/device-profiles-create

In a Microsoft Deployment Toolkit (MDT) deployment, the task sequence orchestrates the entire installation process. It is a series of steps that partitions the disk, applies the operating system image, installs drivers, and configures Windows settings. The product key is a specific configuration setting for the operating system. This key is typically specified as a variable (e.g., ProductKey=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX) within the CustomSettings.ini file, which is processed by the task sequence during the deployment. Therefore, configuring the task sequence (and its associated rules) is the correct method to ensure the product key is applied during installation.

the Device settings in Azure AD: These settings manage how devices join and are managed within Azure AD. They are unrelated to on-premises OS installation and product key configuration via MDT. a WDS boot image: A boot image (WinPE) is used to start the computer and connect to the deployment share. It does not contain configuration settings for the target operating system being installed. a Windows Autopilot deployment profile: Windows Autopilot is a separate, cloud-based deployment technology. It is not used when deploying images with MDT and WDS as specified in the scenario.

Microsoft Deployment Toolkit documentation: The official MDT documentation outlines the

use of task sequences and the CustomSettings.ini file to automate deployment. The

ProductKey property is a standard configuration item. See "Use the Microsoft Deployment

Toolkit" on Microsoft Learn.

Microsoft Learn, "Create a Windows 11 reference image": This guide, while for a reference

image, demonstrates the MDT process. It states, "The task sequence is a list of steps that

need to run to deploy the operating system... The task sequence also contains settings that

were configured in the CustomSettings.ini and Bootstrap.ini files." This confirms the task

sequence is the central component that applies these settings. (URL:

https://learn.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-awindows-11-reference-image)

Microsoft Learn, "MDT settings (.ini) file": This page details the configuration files used by

MDT. It lists ProductKey as a property that can be set in CustomSettings.ini to "specify the

product key to use for Windows installation." The task sequence reads this file to apply the

setting. (URL: https://learn.microsoft.com/en-us/mem/configmgr/mdt/toolkit-reference#mdtsettings-ini-file)

In Microsoft Intune, each unique combination of applications within the Microsoft 365 Apps suite constitutes a distinct app configuration that must be created as a separate deployment. The scenario requires three unique software configurations: 1. Microsoft 365 Apps + Project + Visio (for Department1 and Department2). 2. Microsoft 365 Apps + Project (for Department3). 3. Microsoft 365 Apps only (for all other users). Therefore, a minimum of three separate app deployments must be created. Each deployment will be assigned to its respective group, using exclusions for the "all other users" deployment to prevent conflicts with the more specific group assignments.

1: A single deployment cannot deliver three different combinations of applications to different user groups. 2: Two deployments are insufficient as there are three unique software configurations required by the different groups. 4: This is not the minimum number. Department1 and Department2 have identical requirements and can be targeted by a single deployment, making three the minimum.

Microsoft Learn: Add Microsoft 365 apps to Windows 10/11 devices with Microsoft Intune.

This document details the process of creating a Microsoft 365 Apps deployment. The "Step

2: Configure app suite" section shows that the selection of apps (including additional ones

like Project and Visio) is part of a single app configuration. To deploy a different set of apps,

a new app configuration must be created.

URL: https://learn.microsoft.com/en-us/mem/intune/apps/apps-add-office365

Microsoft Learn: Assign apps to groups with Microsoft Intune. This document explains how

to assign apps and use include/exclude assignments. To fulfill the scenario's requirements,

one deployment would be assigned to "All Users" while excluding Department1,

Department2, and Department3 to avoid deployment conflicts.

URL: https://learn.microsoft.com/en-us/mem/intune/apps/apps-assign

In a co-managed environment where a Windows device receives policies from both traditional Group Policy Objects (GPOs) and Microsoft Intune, conflicts can occur if the same setting is configured in both. To ensure that Intune's settings take precedence, an administrator must configure the MDMWinsOverGP policy. This policy is deployed to devices using a device configuration profile in Intune. Specifically, you create a custom profile and use the Open Mobile Alliance - Uniform Resource Identifier (OMA-URI) to target and enable this specific setting from the Policy Configuration Service Provider (CSP). This explicitly tells the device's configuration manager to apply the MDM (Intune) policy when a conflict with a GPO policy exists.

B. a device compliance policy: A compliance policy does not configure settings on a device. Instead, it evaluates the device against a set of rules (e.g., is encryption enabled?) to determine if it is "compliant." This status is then used by Conditional Access policies to grant or deny access to resources. It does not resolve setting conflicts. C. an MDM Security Baseline profile: While a security baseline is a type of configuration profile, it is a pre-configured template of security-focused settings recommended by Microsoft. The specific MDMWinsOverGP setting is not part of these standard baselines and must be configured manually using a custom device configuration profile. Therefore, "device configuration profile" is the more accurate and fundamental answer. D. a Group Policy Object (GPO): This is incorrect because the goal is to make Intune settings override GPO settings. The configuration must be done within Intune to signal its priority. Using a GPO would be managing the device from the Active Directory side, which is the system we are seeking to override in case of conflict.

Microsoft Learn | Intune documentation: Discussion on policy conflicts between GPO and

MDM, explicitly mentioning the "MDM Wins over GPO" policy setting.

URL: https://learn.microsoft.com/en-us/mem/intune/configuration/group-policy-vs-csp

Reference: Review the section titled "MDM Wins over GPO".

Microsoft Learn | Windows Client Management: Official documentation for the Policy CSP,

detailing the MDMWinsOverGP setting.

URL: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict

Reference: The section ControlPolicyConflict/MDMWinsOverGP states, "This policy allows the IT

admin to set MDM policy to win over Group Policy."

Microsoft Learn | Intune documentation: Guide on how to create a custom device

configuration profile to deploy OMA-URI settings.

URL: https://learn.microsoft.com/en-us/mem/intune/configuration/custom-settings-windows-10

Reference: The "Create a custom profile" section outlines the steps to create the necessary

profile type to deploy the MDMWinsOverGP policy.

In Microsoft Intune, the ability to use network locations (also known as a network fence) as a condition for compliance policies is exclusively available for Windows 10/11 devices. This feature allows an administrator to define a corporate network by its IP address ranges. A Windows device is then checked for compliance based on whether it is connected to this defined network location. This specific network location-based compliance feature is not supported for Android or iOS platforms. Therefore, only Device1, which runs Windows 10, can utilize the compliance policy tied to Location1.

B. Device2 only: This is incorrect. The Android device administrator platform does not support network location-based compliance policies in Intune. This is a legacy management mode with more limited capabilities compared to Android Enterprise. C. Device1 and Device2 only: This is incorrect because the network location compliance feature is not supported on the Android device administrator platform. D. Device2 and Device3 only: This is incorrect as neither the Android device administrator nor the iOS platform supports Intune's network location compliance feature. E. Device1, Device2, and Device3: This is incorrect because the feature is not available for Android device administrator or iOS devices.

Microsoft Learn: Use locations (network fence) as a compliance policy condition for Intune.

This document explicitly states which platforms support this feature.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/network-locations-add

Reference: Under the "Prerequisites" section, it clearly lists "Windows 10 or later" as the

only supported platform.

Microsoft Learn: Create a compliance policy in Microsoft Intune. This guide details the

settings available for compliance policies across different platforms.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/create-compliance-policy

Reference: In the "Before you begin" section, under the "Locations" setting description, it is

specified as a "Windows 10/11" only feature.

Apple ’s MDM framework lets admins hide (defer) software-update notifications for up to 90 days by setting the enforcedSoftwareUpdateDelay key. In Intune, that key is exposed only in an iOS/iPadOS Device restrictions configuration profile (DevicesiOS/iPadOSConfiguration profilesTemplatesDevice restrictionsSoftware updates). Creating such a profile and setting Delay major/minor OS updates to 30 days meets the requirement. Update-policy objects schedule installation but do not control notification visibility.

A. an iOS app provisioning profile: This is incorrect. An app provisioning profile is used by developers to install and test an application on iOS devices. Its purpose is related to app deployment and permissions, not managing the device's operating system updates. B. a device configuration profile based on the Device features templates: This is incorrect. The "Device features" template in Intune is used to configure settings for AirPrint, notifications, shared device wallpaper, and other user-experience features. It does not contain settings for managing or deferring OS updates. D. a device configuration profile based on the Device restrictions template: While the "Device restrictions" template controls a wide array of settings, the specific functionality to create managed update policies with deferral periods was moved to the dedicated "Update policies for iOS/iPadOS" section. While some older restriction settings might relate to updates, the primary and correct method is the dedicated update policy.

1. Microsoft Learn iOS/iPadOS device restriction settings in Microsoft Intune, Software

updates

https://learn.microsoft.com/intune/configuration/device-restrictions-ios#software-updates

(see Delay major/minor OS updates (in days))

2. Apple Platform Deployment Delay visibility of software updates

https://support.apple.com/guide/deployment/delay-visibility-of-software-updatesdep93d7f4f9/web

3. Microsoft Learn Manage software updates for iOS/iPadOS devices with Intune (Update

policies lack deferral)

https://learn.microsoft.com/intune/os-update-policies-configure-ios#about-update-policies

Update rings for Windows 10 and later in Microsoft Intune are the designated feature for managing the deployment of Windows quality and feature updates. This policy allows an administrator to create phased deployments by assigning different rings to different groups of devices. To meet the requirements, you would create two update rings: one for the test computers with a 0-day deferral for quality updates, and a second ring for all other computers with a 15-day deferral. This directly addresses the need for a quality assurance phase followed by a delayed, automatic production rollout.

A. a device configuration profile: While some update settings can be configured here, update rings are the specific, purpose-built policy for managing the cadence and deferral of Windows updates as described. B. a feature update policy: This policy is used to upgrade devices to a specific Windows version (e.g., 22H2 to 23H2), not for deploying monthly security (quality) updates. C. a security baseline: This is a pre-configured group of security settings to harden devices. It is not the primary tool for managing the schedule and phased deployment of updates.

1. Microsoft Learn | Intune. (2024). Use Windows Update rings for Windows 10/11 devices

in Intune. "Update rings for Windows 10 and later policy is a collection of settings that

configures when and how Windows 10/11 devices get updated... For example, you can

configure a group of devices to install updates as soon as they're available. Then, for

another group of devices, you can configure them to install updates 15 days later."

URL: https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-for-businessconfigure

2. Microsoft Learn | Intune. (2024). Use Windows feature updates policy in Intune. "With

feature updates for Windows 10 and later policy, you can select the Windows version that

you want devices to remain on... This is different from using update rings, which can provide

a steady channel for updates."

URL: https://learn.microsoft.com/en-us/mem/intune/protect/windows-feature-updatesconfigure

Microsoft Intune provides comprehensive capabilities to manage software updates across multiple operating systems. You can create and deploy policies to control how and when updates are installed on devices. Windows: Use Update rings and Feature updates policies. iOS/iPadOS: Use software update policies to manage OS updates. Android Enterprise: Use device restriction profiles to manage system updates. macOS: Use software update policies to manage OS and built-in app updates. Since Intune supports update management for all the operating systems listed in the table (Windows, iOS/iPadOS, Android Enterprise, and macOS), you can manage updates for all four devices.

Device1 only: This is incorrect. Intune's update management capabilities extend beyond Windows to include iOS/iPadOS, Android, and macOS devices. Device1 and Device2 only: This is incorrect. Intune also provides robust update management policies for Android Enterprise and macOS devices. Device1 and Device3 only: This is incorrect. Update management is a key feature for Apple platforms (iOS/iPadOS and macOS) within Intune. Device1, Device3, and Device4 only: This is incorrect. Intune fully supports creating and deploying software update policies for iOS/iPadOS devices.

1. Windows Updates: Microsoft Learn. (2024). Manage Windows 10 and Windows 11

software updates in Intune. Retrieved from https://learn.microsoft.com/enus/mem/intune/protect/windows-update-for-business-configure

2. iOS/iPadOS Updates: Microsoft Learn. (2024). Manage iOS/iPadOS software update

policies in Intune. Retrieved from https://learn.microsoft.com/enus/mem/intune/protect/software-updates-ios

3. Android Enterprise Updates: Microsoft Learn. (2024). Manage Android Enterprise system

updates with Microsoft Intune. Retrieved from https://learn.microsoft.com/enus/mem/intune/protect/android-enterprise-system-updates

4. macOS Updates: Microsoft Learn. (2024). Manage macOS software update policies in

Intune. Retrieved from https://learn.microsoft.com/en-us/mem/intune/protect/softwareupdates-macos

The proposed solution is incorrect. Microsoft Entra Connect is a tool designed to synchronize on-premises Active Directory Domain Services (AD DS) identities with Microsoft Entra ID. It is used for hybrid identity scenarios and does not have the functionality to register mobile devices like Android. Android device registration is typically accomplished by enrolling the device in a Mobile Device Management (MDM) solution like Microsoft Intune, often by using the Microsoft Intune Company Portal app. This enrollment process registers the device directly with Microsoft Entra ID.

1. Microsoft Entra Connect Documentation: Microsoft Learn. (2023). What is Microsoft Entra

Connect? This document explicitly states that Microsoft Entra Connect is for synchronizing

on-premises directories to Microsoft Entra ID to enable hybrid identity. It does not mention

mobile device registration as a feature.

URL: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-azure-adconnect

2. Microsoft Entra Device Registration Overview: Microsoft Learn. (2023). What is a device

identity? This document explains that Microsoft Entra registration enables users to access

organizational resources from personal devices, and the registration process is typically

initiated when accessing a work application or through MDM enrollment.

URL: https://learn.microsoft.com/en-us/entra/identity/devices/overview#getting-devices-inmicrosoft-entra-id

3. Android Enrollment Guide: Microsoft Learn. (2024). Enroll your Android device. This

guide details the steps for enrolling an Android device, which involves installing the Intune

Company Portal app and signing in with a work or school account, thereby registering the

device in Microsoft Entra.

URL: https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-device-androidcompany-portal

Windows Autopilot self-deploying mode is supported only when all of the following are true: Windows 10 version 1809 or later is pre-installed. The deployment profile is Azure AD join (Hybrid Azure AD join is not supported). The device has TPM 2.0 for attestation and a wired network path. From the table, only Device3 meets every requirement (Windows 10 1903, Azure AD join, TPM 2.0, Ethernet). Device1 is on an unsupported OS build (1709). Device2 is configured for Hybrid Azure AD join, which self-deploying does not allow. Therefore, only Device3 can be delivered by Windows Autopilot self-deploying mode.

A. Device2 fails Hybrid Azure AD join not permitted for self-deploying mode. C. Device1 fails Windows 10 1709 is below the required 1809 build. D. Device1 and Device2 each violate at least one mandatory requirement, so all three cannot be supported.

1. Microsoft Learn. Windows Autopilot self-deploying mode. Requirements section.

https://learn.microsoft.com/en-us/mem/autopilot/self-deploying

2. Microsoft Learn. Windows Autopilot deployment scenarios.

https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot

An app protection policy (APP) from the Microsoft Intune admin center is the correct

solution. APP, also known as Mobile Application Management (MAM), is specifically

designed to protect organizational data within applications on personal, unenrolled devices

(BYOD). These policies can enforce access requirements, such as requiring a PIN to open

a managed app like Outlook. They also provide data protection by controlling data transfer,

such as restricting users from copying data from a corporate app to an unmanaged app or a

personal cloud storage location. This directly fulfills all the security requirements outlined in

the scenario without needing to enroll the personal devices in Intune.

A. a device configuration profile from the Microsoft Intune admin center: This is incorrect

because device configuration profiles apply settings to the entire device and require the

device to be enrolled in Intune, which contradicts the policy.

B. a data loss prevention (DLP) policy from the Microsoft Purview compliance portal: This is

incorrect as Purview DLP policies primarily focus on data within Microsoft 365 services, not

on enforcing application-level access controls like a PIN on unmanaged mobile devices.

C. an insider risk management policy from the Microsoft Purview compliance portal: This is

incorrect because insider risk management is a detective control to identify risky user

behavior, not a preventative control to enforce app access and data handling rules.

1. Microsoft Intune Documentation, "What are app protection policies?": "App protection

policies (APP) are rules that ensure an organization's data remains safe or contained in a

managed app... An app protection policy can be applied when the device is enrolled or not

enrolled in a device management solution." This source confirms APP works on unenrolled

devices.

URL: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy

2. Microsoft Intune Documentation, "iOS/iPadOS app protection policy settings": This

document details the specific settings available in an APP. Under "Access requirements," it

lists "PIN for access." Under "Data protection," it lists settings to "Restrict cut, copy, and

paste between other apps" and control saving copies of org data.

URL: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios

3. Microsoft Intune Documentation, "What is Microsoft Intune device management?": "In

Intune, you manage devices using an approach that's right for you. For organization-owned

devices, you might want full control over the devices, including settings, features, and

security. In this approach, devices and users of these devices 'enroll' in Intune." This source

clarifies that device-level management requires enrollment.

URL: https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-devicemanagement

To migrate Group Policy Object (GPO) settings for Microsoft Office to Microsoft Intune, the administrator must first replicate these settings within an Intune configuration profile. The process begins in the Microsoft Intune admin center by creating a configuration profile. This profile acts as a container for the settings. For GPO-like settings, the administrator would typically choose the "Administrative Templates" or "Settings Catalog" profile type for the Windows 10 and later platform. Next, the administrator must configure the Administrative Templates settings within the newly created profile. This involves navigating through the available settings (which are based on ADMX files, just like GPOs) and configuring the Microsoft Office settings to match those in the on-premises GPO. Finally, after the settings are configured, the administrator must assign the profile to an Azure AD group containing the target users or devices. Without this assignment, the configured settings will not be applied to any computers. Incorrect Options: Import an ADMX file: This action is only necessary if you need to configure settings using ADMX templates that are not already built into Intune (e.g., for third-party apps or custom settings). Standard Microsoft Office settings are natively available in Intune's Administrative Templates and Settings Catalog, making this step unnecessary for a typical migration. Create a compliance policy: Compliance policies are used to evaluate whether a device meets certain security and configuration requirements (e.g., OS version, disk encryption). They do not push specific application settings like a GPO does, so this is not the correct tool for this task. Set a scope tag to the policy: Scope tags are an optional feature used for role-based access control (RBAC) in Intune. They allow you to control which administrators can view and manage specific Intune objects. This is related to administrative management, not the technical migration and application of policy settings. Assign the policy: This is a generic term. "Assign the profile" is the more precise and correct final action in this specific workflow.

Microsoft Learn: Use Windows 10/11 Administrative Template templates to configure group

policy settings in Microsoft Intune.

URL: https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templateswindows

Reference: The article outlines the process under the "Create the template" section: "1.

Sign in to the Microsoft Intune admin center. 2. Select Devices > Configuration profiles >

Create profile... 3. In Basics, enter a name... 4. In Configuration settings, select a setting...

5. In Assignments, select the group(s) that will receive this profile." This directly supports the

correct sequence: Create, Configure, and Assign.

Microsoft Learn: Overview: Manage policies and profiles in Microsoft Intune.

URL: https://learn.microsoft.com/en-us/mem/intune/configuration/device-profiles

Reference: This document explains that a "profile" is the object created in Intune to manage

settings and that once created, it must be "assigned or 'deployed' to different user and

device groups." This confirms the fundamental workflow.

Microsoft Learn: Use ADMX templates on Windows PCs in Microsoft Intune.

URL: https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templatesimport-custom

Reference: The "Before you begin" section clarifies that you should "Use the built-in

Administrative Templates" first and that importing custom ADMX files is for settings that

"aren't available natively." This justifies why "Import an ADMX file" is not the correct first

step for migrating standard Office settings.

Enforces compliance: An Intune connection To enforce compliance using Microsoft Defender for Endpoint risk signals within a Conditional Access policy, you must first establish a service-to-service connection between Microsoft Intune and Microsoft Defender for Endpoint. This connection allows Defender to send device risk data to Intune. Intune then uses this data in a device compliance policy to mark devices as compliant or non-compliant. Finally, Conditional Access policies can leverage this compliance status to grant or block access to corporate resources, thereby enforcing compliance based on the device's threat level. Prevents suspicious scripts: An attack surface reduction (ASR) rule Attack surface reduction (ASR) rules are a component of Microsoft Defender for Endpoint designed to mitigate actions and application behaviors commonly used by malware. The specific ASR rule, "Block execution of potentially obfuscated scripts," directly addresses the requirement to prevent suspicious scripts. When enabled, this rule analyzes scripts and blocks those that appear to be intentionally obscured, a common technique used by attackers to hide malicious code. These rules are configured within Intune under the Endpoint security workload. Incorrect Options: A device restriction policy: While these Intune policies configure a wide variety of device settings, they are a general mechanism. ASR rules are the specific feature designed to block behaviors like suspicious scripts and are typically managed in a dedicated Attack Surface Reduction policy within Intune's Endpoint security section. A security baseline: This is a pre-configured group of recommended security settings (which can include ASR rules). However, the baseline itself is a deployment template, not the underlying feature that performs the action. The feature that actively prevents the script is the ASR rule itself.

Microsoft Learn: Enforce compliance for Microsoft Defender for Endpoint with Conditional

Access in Intune.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protectionconfigure

Reference: The "Before you begin" and "To connect Microsoft Defender for Endpoint to

Intune" sections explicitly state that the first step is to set up the service-to-service

connection. The "Workflow" diagram on the page illustrates this dependency.

Microsoft Learn: Attack surface reduction rules overview.

URL: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attacksurface-reduction-rules-reference

Reference: The table of ASR rules lists the rule "Block execution of potentially obfuscated

scripts" and describes its function as detecting and blocking scripts that appear obfuscated.

Microsoft Learn: Use Intune to manage Microsoft Defender security settings on devices.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy

Reference: The "Attack surface reduction" section under "Endpoint security policies"

explains that these policies are used to manage ASR rules on devices. This distinguishes

ASR policy from general device restriction policies.

To prevent the initial MDT Welcome wizard screen from appearing and to achieve a more automated ("zero-touch") deployment, you need to configure specific settings and then regenerate the boot media. Modify the Bootstrap.ini file: This file is processed first by the Lite Touch environment (WinPE). To skip the initial welcome screen shown in the exhibit, you must add the property SkipBDDWelcome=YES to the [Default] section of this file. You also typically add credentials here so WinPE can connect to the deployment share without prompting. Modify the CustomSettings.ini file: After skipping the welcome screen, MDT would normally prompt for other information (e.g., which task sequence to run, computer name, etc.). To prevent these subsequent wizard screens, you must define rules in the CustomSettings.ini file. For example, you would add SkipTaskSequence=YES and specify a TaskSequenceID. Update the deployment share: Any changes to Bootstrap.ini or CustomSettings.ini are not automatically included in the boot images. You must perform the Update the deployment share action. This process regenerates the boot files (LiteTouchPE_x64.iso and .wim), incorporating all the new settings from your .ini configuration files.

Microsoft Deployment Toolkit documentation - Toolkit reference: This official document

explains the purpose of the core MDT files.

URL: https://learn.microsoft.com/en-us/mem/configmgr/mdt/toolkit-reference

Reference: Under the section "Properties," find the SkipBDDWelcome property, which

explicitly states it is used to "cause the initial wizard Welcome screen to be skipped" and is

processed from Bootstrap.ini. The document also details the roles of Bootstrap.ini and

CustomSettings.ini (rules).

Prepare for deployment with MDT - Configure the MDT deployment share: This guide

details the steps to configure and prepare the deployment share.

URL: https://learn.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/preparefor-deployment-with-mdt

Reference: Step 5: Configure the rules and Step 6: Configure the Bootstrap.ini file show that

these files are configured first. The final action is "Update Deployment Share," which

"generates the Lite Touch boot files."

Create a Windows 10 reference image - Step 7-2: Configure the deployment share: This

tutorial provides a practical example of the configuration sequence.

URL: https://learn.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-awindows-10-reference-image

Reference: The section "Step 7-2: Configure the deployment share for the reference image"

clearly shows the process of editing both CustomSettings.ini and Bootstrap.ini files before

right-clicking the deployment share and selecting "Update Deployment Share" to generate

the boot media.

The most appropriate method for retaining user settings and data during a wipe-and-load installation is using the User State Migration Tool (USMT). This process involves capturing the user's state before wiping the device and restoring it after the new operating system is installed. Run scanstate.exe: The first step is to run the ScanState command-line tool on the source Windows 10 computer. This tool scans the machine, collects user files, application settings, and operating system settings, and then saves this information into a compressed migration store. Deploy Windows 11: With the user state safely backed up, the "wipe and load" procedure is performed. The existing Windows 10 installation is erased, and a fresh installation of Windows 11 is deployed to the computer. Run loadstate.exe: After Windows 11 is successfully deployed, the LoadState command-line tool is run. This tool reads the migration store created by ScanState and applies the user files and settings to the new Windows 11 environment, completing the migration. Incorrect Options: Configure known folder redirection in Microsoft OneDrive: While OneDrive Known Folder Move is excellent for syncing and protecting data in the Desktop, Documents, and Pictures folders, it does not capture the full spectrum of user settings, such as application-specific configurations or other user profile data that USMT handles. Enable Enterprise State Roaming: This Azure AD Premium feature synchronizes a user's Windows settings (like theme, language p

, and passwords) across their devices.

However, it is not designed for migrating user data (files, documents, etc.) and is not a

comprehensive solution for a wipe-and-load scenario.

Create a system image Backup / Restore a system image backup: A system image is an

exact copy of an entire drive, including the operating system. Restoring a Windows 10

system image onto a new Windows 11 installation would overwrite Windows 11 and revert

the computer back to Windows 10, defeating the purpose of the upgrade.

References:

Microsoft Docs, "User State Migration Tool (USMT) overview": This document provides a

high-level overview of USMT and its components, stating, "USMT includes three command-

line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe... First, run ScanState.exe on

the source computer... Second, on the destination computer, install Windows... Finally, run

LoadState.exe on the destination computer."

URL: https://learn.microsoft.com/en-us/windows/deployment/usmt/usmt-overview

Section: Introduction, How USMT works.

Microsoft Docs, "Common Migration Scenarios": This page describes the "PC-Refresh"

(wipe-and-load) scenario. It details the process where data is collected from a computer, a

new OS is installed, and the data is then migrated back to the same computer using

ScanState before the wipe and LoadState after.

URL: https://learn.microsoft.com/en-us/windows/deployment/usmt/usmt-common-migrationscenarios

Section: PC-Refresh.

Microsoft Docs, "What is Enterprise State Roaming?": This official documentation clarifies

that Enterprise State Roaming syncs settings but not user files. "The primary user data for

most apps, such as Microsoft Office documents, isn't roamed."

URL: https://learn.microsoft.com/en-us/azure/active-directory/devices/enterprise-stateroaming-overview

Section: Which data is roamed?

To configure certificate autoenrollment using PKCS, you must first establish a chain of trust on the target devices. This process begins by exporting the root certificate from your on- premises Enterprise Certification Authority (CA). Next, this root certificate must be deployed to the devices. This is accomplished by creating a trusted certificate configuration profile in Microsoft Intune and assigning it to the appropriate device group. Only after the devices trust the CA can they successfully request and validate a certificate from it. The final step is to create a PKCS certificate configuration profile. This profile instructs the devices to request a certificate from the CA (via the Intune connector) and configures the certificate's parameters. This profile relies on the trusted root already being present on the device. Incorrect Options: From the Microsoft Intune admin center, configure enrollment restrictions: Enrollment restrictions are used to control which devices can be enrolled into Intune management based on platform, version, or manufacturer. While important for overall device management, it is not a direct step in the sequence of deploying a PKCS certificate to already managed devices. From the Enterprise CA, configure certificate managers: This is not a standard procedure for this configuration. To allow Intune to issue certificates, you grant "Issue and Manage Certificates" permissions to the service account running the Intune Certificate Connector on the specific certificate template on the Enterprise CA. The term "configure certificate managers" is not a recognized action in this workflow.

Microsoft Learn: Use PKCS certificates with Microsoft Intune.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/use-pkcs-certificates-with-intune

Reference: Under the "How to configure and use PKCS certificates with Intune" section, the

workflow clearly shows the sequence: 1. Export the trusted root CA certificate. 2. Create a

trusted certificate profile. 3. Create a PKCS certificate profile.

Microsoft Learn: Create a trusted certificate profile in Microsoft Intune.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure-trustedroot

Reference: The "Overview" section explicitly states, "Before you create a SCEP, PKCS, or

PKCS imported certificate profile, you need a trusted certificate profile to deploy to devices.

This trusted certificate profile is used to deploy the Trusted Root CA certificate to devices."

This sequence represents the correct chronological order of operations, starting from the foundational administrative requirement and proceeding to the technical configuration needed to establish the data pipeline. Purchase an Azure subscription: This is the mandatory first step. All Azure resources, including Log Analytics workspaces, are billed to an Azure subscription. Without a subscription linked to your tenant, you cannot create any resources. This is the primary prerequisite. Create a Log Analytics workspace: Once you have a subscription, you can begin creating resources. A Log Analytics workspace is the dedicated environment in Azure Monitor required to store and query the "raw Microsoft Intune data" using "custom queries." It must be created before data can be sent to it. Add diagnostic settings: With the destination (the workspace) now in place, the final step is to configure the source (Intune) to send data to it. Adding a diagnostic setting for the Intune service establishes this data flow, completing the pipeline for data collection and analysis. The primary goal of this sequence is to set up the backend data pipeline. Visualization is a subsequent task that consumes data from this pipeline. Incorrect Options: Install Microsoft Power BI Desktop: While Power BI is used for "visualizations," it's a client-side tool that connects to the data source after the pipeline is configured. The core task is setting up the data flow into Log Analytics; therefore, the three steps provided are more fundamental to the initial setup. Create a Microsoft SharePoint Online site: SharePoint is a collaboration platform and is not used for querying raw log data or advanced analytics in this context. Add a certificate connector to Microsoft Intune: This component is for deploying certificates to devices and is completely unrelated to log collection or reporting.

Microsoft Learn | Subscription design considerations: This document highlights that

a subscription is the fundamental unit for management and scale in Azure.

URL: https://learn.microsoft.com/en-us/azure/cloud-adoptionframework/ready/landing-zone/design-area/azure-billing-ad-tenant

Reference: The "Subscription design" section emphasizes that subscriptions are the

first step in creating a management boundary for governance and billing before

deploying resources.

Microsoft Learn | Design a Log Analytics workspace architecture: This guide clearly

states the dependency on a subscription.

URL: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/design-loganalytics-workspace

Reference: The "Prerequisites" section implicitly requires a subscription to operate

within Azure, and the entire article is about creating and managing workspaces

within that subscription context.

Microsoft Learn | Use Azure Monitor to review Intune logs:

URL: https://learn.microsoft.com/en-us/mem/intune/fundamentals/review-logs-usingazure-monitor

Reference: The section "Create a diagnostic setting to send logs to your workspace"

confirms that after creating a workspace, the next step is to create the diagnostic

setting to link Intune to it.

Validating a device's BIOS version is not a standard setting available in Intune; therefore, a custom compliance policy is required. The first step is to create the necessary components: a PowerShell script to read the BIOS version from the devices and a JSON file to define the setting name and the compliant BIOS version(s) for Intune. The next steps involve creating the policy in the Microsoft Intune admin center. During this process, you must upload the PowerShell discovery script. You then create and assign the custom compliance policy, which uses the uploaded script and the rules defined in the JSON file to evaluate devices. Finally, after the policy has been assigned and devices have reported their status, you review the compliance dashboard to monitor the results and identify non-compliant devices. Incorrect Options: Create and assign a compliance policy that has System Security settings configured: This is incorrect because the built-in "System Security" settings for a Windows compliance policy do not include an option to specify and check for a particular BIOS version. Upload the JSON file to Azure AD: This action is incorrect. The JSON file defining the custom compliance rules is uploaded directly to Microsoft Intune during the policy creation process, not to Azure Active Directory. Review the Conditional Access Insights and Reporting workbook for results: This tool is used to troubleshoot and monitor the impact of Conditional Access policies. While a device's compliance state can be used by Conditional Access, this workbook is not the primary or correct tool for viewing detailed results of a specific compliance policy, such as which BIOS version is installed.

Microsoft Learn | Use custom compliance settings in Microsoft Intune: This document

outlines the end-to-end process for creating and using custom compliance policies.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-use-custom-settings

Reference: See the section "The process to use custom compliance settings," which details

creating the script and JSON, creating the policy, and uploading the files. The "Monitor

custom compliance settings" section details how to check the results.

Microsoft Learn | Windows 10/11 compliance policy settings in Microsoft Intune: This page

lists all the built-in compliance settings for Windows devices.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-createwindows

Reference: Review the "System Security" section to confirm that a BIOS version check is

not an available setting.

Microsoft Learn | Conditional Access insights and reporting: This document explains the

purpose of the workbook.

URL: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howtoconditional-access-insights-reporting

Reference: The overview section explains that the workbook helps "understand the impact

of Conditional Access policies in your organization over time," confirming it's not for detailed

compliance setting reports.

The process of deploying a custom image using the Microsoft Deployment Toolkit (MDT) follows a logical sequence. Create a deployment share: This is the first and most fundamental step after installing MDT. The deployment share is a network share that serves as the central repository for all deployment assets, including operating systems, device drivers, applications, and scripts. Add the Windows 11 image: Once the deployment share is established, you must import the custom Windows 11 operating system image (.wim file) into it. This makes the OS available for deployment. Create a task sequence: A task sequence is a set of automated steps that MDT executes on a target computer. It defines the entire deployment process, from partitioning the disk and applying the OS image to installing applications and running final configurations. You must have an OS image imported before you can create a task sequence to deploy it. Incorrect Options: Enable multicast: Multicast is a feature of Windows Deployment Services (WDS) used to efficiently deploy an image to multiple computers simultaneously, reducing network bandwidth. It is an optional optimization configured within WDS and not a core, prerequisite step for setting up the MDT deployment content itself. Install Windows Deployment Services (WDS): While commonly used with MDT to provide Pre-Boot Execution Environment (PXE) boot capabilities, WDS is a separate service. MDT can function without it (e.g., by using bootable USB media). The core MDT configuration of creating a share, adding an image, and creating a task sequence must be done regardless of the boot method.

Microsoft Docs, Get started with the Microsoft Deployment Toolkit: This document outlines

the high-level steps for deploying Windows using MDT, showing the creation of a

deployment share as the first step, followed by importing the operating system, and then

creating a task sequence.

URL: https://learn.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/getstarted-with-the-microsoft-deployment-toolkit

Reference: See the list of "Next steps" in the introduction.

Microsoft Docs, Create a deployment share: This guide explicitly states that creating a

deployment share is the initial action after installing MDT.

URL: https://learn.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-adeployment-share

Reference: Paragraph 1.

Microsoft Docs, Deploy a Windows image using MDT: This article demonstrates that

creating a task sequence is done after importing operating system source files into the

deployment share.

URL: https://learn.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-awindows-image-using-mdt

Reference: Section "Create a task sequence", Paragraph 1.

Both Data Execution Prevention (DEP) and Force randomization for images (Mandatory ASLR) are system-level mitigations managed under the Exploit protection feature in Windows. The settings for Exploit protection are located within the App & browser control section of the Windows Security app. To configure these specific options, an administrator would navigate to Windows Security > App & browser control > Exploit protection settings, and then select the System settings tab. From there, both DEP and Mandatory ASLR can be configured before exporting the settings as an XML template file for deployment via Intune. Incorrect Options: Account protection: This area is incorrect as it manages user sign-in options, such as Windows Hello and Dynamic Lock, and account security. It does not contain settings for system memory protection like DEP or ASLR. Device security: This area is incorrect because it focuses on hardware-level security features. This includes Core isolation (Virtualization-based security), Secure Boot, and security processor (TPM) status, not software-based exploit mitigations. Virus & threat protection: This area is incorrect. It contains the settings for Microsoft Defender Antivirus, including real-time scanning, cloud-delivered protection, and Controlled folder access for ransomware protection. Exploit protection is a separate but complementary feature.

Microsoft Learn: Exploit protection.

URL: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploitprotection?view=o365-worldwide

Reference: Under the "Compare Exploit protection with EMET" section, the document

explicitly lists "Data Execution Prevention (DEP)" and "Mandatory ASLR" as mitigations

available in Exploit Protection.

Microsoft Learn: Enable Exploit protection.

URL: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enableexploit-protection?view=o365-worldwide

Reference: The section "Enable Exploit protection by using the Windows Security app"

states, "Open the Windows Security app by selecting the shield icon in the task bar or

searching the start menu for Windows Security... Select the App & browser control tile (or

the app icon on the left menu bar) and then select Exploit protection settings."

Microsoft Learn: Import, export, and deploy Exploit protection configurations.

URL: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/importexport-exploit-protection-configurations?view=o365-worldwide

Reference: The "Export the configuration file from a test device" section shows the

PowerShell cmdlet Get-ProcessMitigation -RegistryConfigFilePath which exports the

settings configured in the Exploit Protection UI, including DEP and ASLR, into an XML file

for deployment.

To meet the requirements while adhering to the principle of least privilege, each user must be assigned to the group that grants the necessary permissions with the fewest additional privileges. User1: Requires the ability to change the system date and time. This action is governed by the "Change the system time" user right. By default in Windows, both the Administrators and Power Users groups have this right. To apply the principle of least privilege, Power Users is the correct choice as it has significantly fewer permissions than the Administrators group. User2: Requires the ability to clear Windows logs. This is a high-privilege task controlled by the "Manage auditing and security log" user right. Of the groups listed, only the Administrators group holds this right by default. The Event Log Readers group can only read logs, not modify or clear them. Incorrect Options: Administrators (for User1): While members of the Administrators group can change the system time, this group provides full control over the system. Assigning User1 to this group would grant excessive permissions, violating the principle of least privilege. Event Log Readers (for User2): This group is explicitly designed to allow members to read event logs. It does not grant the necessary permissions to clear or otherwise manage the logs. Performance Log Users: This group allows members to manage performance counters, alerts, and logs. It does not grant permissions to change system time or clear the security event log. System Managed Accounts Group: This is a built-in group used by the operating system to manage Group Managed Service Accounts (gMSAs) and is not intended for assigning permissions to standard user accounts.

Microsoft Documentation - Change the system time: This source confirms that the Power

Users group has the "Change the system time" user right by default.

URL: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policysettings/change-the-system-time

Reference: See the "Default values on" table.

Microsoft Documentation - Manage auditing and security log: This document verifies that

only the Administrators group has the right to manage and clear the security log by default.

URL: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policysettings/manage-auditing-and-security-log

Reference: See the "Default on" column in the table.

Microsoft Documentation - Active Directory security groups: This document describes the

default permissions for various built-in security groups, including Event Log Readers.

URL: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understandsecurity-groups#event-log-readers

Reference: The section on "Event Log Readers" states members can "read event logs from

local computers

The deployment of Microsoft 365 Apps using the Office Deployment Tool (ODT) follows a logical, multi-step process. Download the ODT: The first step is to acquire the necessary toolset from the Microsoft Download Center. Running the self-extracting file unpacks the setup.exe executable and sample configuration.xml files. Edit the XML file: To customize the installation, you must modify the configuration.xml file. This file dictates which products and languages to install, the update channel, architecture (32-bit or 64-bit), and other deployment settings. Download Installation Files: Next, you run setup.exe /download . This command reads the configuration file and downloads the necessary source files from the Office Content Delivery Network (CDN) to the location specified in the XML. This step allows you to stage the installation files on a local network share. Configure (Install) Apps: The final step is to run setup.exe /configure on the client computers. This command uses the settings in the XML file and the previously downloaded source files to install Microsoft 365 Apps. Incorrect Options: Run setup.exe and specify the /packager switch: This switch is used to create an App-V package for virtualized environments. It is not part of the standard Click-to-Run installation workflow that is implied by the other steps. The /packager mode is a distinct function of the ODT for a different deployment scenario.

Microsoft Documentation: "Deploy Microsoft 365 Apps with the Office Deployment Tool".

This official guide explicitly outlines the procedure.

URL: https://learn.microsoft.com/en-us/deployoffice/officedeploymenttool-microsoft-365apps

Reference: Review the sections "Step 1: Download the Office Deployment Tool," "Step 2:

Create the configuration file," "Step 3: Download the installation files for Microsoft 365

Apps," and "Step 4: Install Microsoft 365 Apps." These sections directly correspond to the

correct answer sequence.

Microsoft Documentation: "Overview of the Office Deployment Tool". This document

provides a summary of the ODT's purpose and modes.

URL: https://learn.microsoft.com/en-us/deployoffice/overview-office-deployment-tool

Reference: The section "Download and install Microsoft 365 Apps" describes the two main

modes: /download and /configure. The section "ODT command line" lists /packager as a

separate mode used to "create an App-V package."