Your company has an Azure AD tenant named contoso.com that contains several Windows 10 devices. When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin. You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com. Solution: From the Microsoft Entra admin center, you modify the User settings and the Device settings. Does this meet the goal?
I noticed a lot of folks lean toward SCEP, but that's only when you need to enroll and issue user or device certs (not just distribute trust anchors). For just deploying the root CA so devices trust your internal CA, you use Configuration profiles and the Trusted certificate template. If the question said anything about auto-enrollment for client auth, then SCEP would be correct instead. Makes a difference based on what's being provisioned-trust or full certs.
Configuration profiles with the Trusted certificate template is the combo you want. That pushes just the root CA cert out so devices trust your internal CA. SCEP or PKCS templates are only for actual user/device cert enrollment, not for establishing trust. I think this matches what most exam guides say, but let me know if someone has another scenario where it’s different.
