Note: This question is one of a series of questions that depict the same set-up. However, each question has a distinct outcome. Establish whether the solution satisfies the requirements.
Your company has a number of Windows 10 Microsoft Azure Active Directory (Azure AD) joined workstations. These workstations have been enrolled in Microsoft Intune.
You have been tasked with making sure that the workstations are only able to run applications that you have explicitly permitted.
Solution: You make use of Windows Defender Application Guard.
Does the solution meet the goal?
Answer : B
Instead use Windows Defender Application Control (WDAC).
Windows Defender Application Control and virtualization-based protection of code integrity.
Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
1. WDAC lets you set application control policy for code that runs in user mode, kernel-mode hardware and software drivers, and even code that runs as part of Windows.
2. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
3. Etc.
Note: Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among your trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container.
For Microsoft Office, Application Guard helps prevent untrusted Word, PowerPoint and Excel files from accessing trusted resources.
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control
You are currently making use of the Antimalware Assessment solution in Microsoft Azure Log Analytics.
You have accessed the Protection Status dashboard and find that there is a device that has no real time protection.
Which of the following could be a reason for this occurring?
Answer : A
Microsoft Defender Antivirus is usually the primary antivirus/antimalware product on your device.
To review protection status -
1. On the Antimalware dashboard, review the Protection Status blade and click No real time protection.
You are currently making use of the Antimalware Assessment solution in Microsoft Azure Log Analytics.
You have accessed the Protection Status dashboard and find that there is a device that is not reporting.
Which of the following could be a reason for this occurring?
Answer : B
Azure Diagnostics extension is an agent in Azure Monitor that collects monitoring data from the guest operating system of Azure compute resources including virtual machines.
Note: As the Azure Diagnostics extension can only be used for virtual machines, a better answer would be that the Microsoft Monitoring Agent (MMA) is missing.
Incorrect:
Not A: Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
Protect and maintain the integrity of the system as it starts up
Validate that system integrity has truly been maintained through local and remote attestation
Not C: For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among your trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/tutorial-logs-dashboards
You need to consider the underlined segment to establish whether it is accurate.
To enable Windows Defender Credential Guard on Windows 10 computers, the computers must have Hyper-V installed.
Select `No adjustment required` if the underlined segment is accurate. If the underlined segment is inaccurate, select the accurate option.
What should you install on the computers?
Answer : A
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
Note: Hardware and software requirements
To provide basic protections against OS-level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
Support for Virtualization-based security (required)
Secure boot (required)
Trusted Platform Module (TPM, preferred; provides binding to hardware): versions 1.2 and 2.0 are supported, either discrete or firmware
UEFI lock (preferred; prevents an attacker from disabling Credential Guard with a simple registry key change)
The Virtualization-based security requires:
64-bit CPU
CPU virtualization extensions plus extended page tables
Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements
You manage one hundred Microsoft Azure Active Directory (Azure AD) joined Windows 10 devices.
You want to make sure that users are unable to join their home PCs to Azure AD.
Which of the following actions should you take?
Answer : C
Azure Active Directory (Azure AD) provides a central place to manage device identities and monitor related event information.
Configure device settings.
You need to consider the underlined segment to establish whether it is accurate.
To enable sideloading in Windows 10, you should navigate to the For developers setting via Update & Security in the Settings app.
Select `No adjustment required` if the underlined segment is accurate. If the underlined segment is inaccurate, select the accurate option.
Answer : A
How to allow Windows 10 to sideload apps on your computer
1. Open Settings.
2. Click on Update & security.
3. Click on For developers.
4. Under "Use developer features," select the Sideload apps option.
Reference:
https://www.windowscentral.com/how-enable-windows-10-sideload-apps-outside-store
https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10
You need to consider the underlined segment to establish whether it is accurate.
To sideload a LOB application in Windows 10, you should run the Install-Package cmdlet.
Select `No adjustment required` if the underlined segment is accurate. If the underlined segment is inaccurate, select the accurate option.
Answer : D
Install the app -
From the folder with the .msix package, run the Windows PowerShell Add-AppxPackage command to install the .msix package.
Reference:
https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10
Note: This question is one of a series of questions that depict the same set-up. However, each question has a distinct outcome. Establish whether the solution satisfies the requirements.
Your company's environment includes a Microsoft 365 subscription.
Users in the company's sales division have personal iOS or Android devices that are enrolled in Microsoft Intune. New users are added to the sales division on a monthly basis.
After a mobile application is created for users in the sales division, you are instructed to make sure that the application can only be downloaded by the sales division users.
Solution: You start by adding the application to Microsoft Store for Business.
Does the solution meet the goal?
Answer : B
Before you can configure, assign, protect, or monitor apps, you must add them to Microsoft Intune.
Reference:
https://docs.microsoft.com/en-us/intune/apps-add
Note: This question is one of a series of questions that depict the same set-up. However, each question has a distinct outcome. Establish whether the solution satisfies the requirements.
Your company's environment includes a Microsoft 365 subscription.
Users in the company's sales division have personal iOS or Android devices that are enrolled in Microsoft Intune. New users are added to the sales division on a monthly basis.
After a mobile application is created for users in the sales division, you are instructed to make sure that the application can only be downloaded by the sales division users.
Solution: You start by assigning the application to a group.
Does the solution meet the goal?
Answer : B
Before you can configure, assign, protect, or monitor apps, you must add them to Microsoft Intune.
Reference:
https://docs.microsoft.com/en-us/intune/apps-add
Note: This question is one of a series of questions that depict the same set-up. However, each question has a distinct outcome. Establish whether the solution satisfies the requirements.
Your company's environment includes a Microsoft 365 subscription.
Users in the company's sales division have personal iOS or Android devices that are enrolled in Microsoft Intune. New users are added to the sales division on a monthly basis.
After a mobile application is created for users in the sales division, you are instructed to make sure that the application can only be downloaded by the sales division users.
Solution: You start by adding the application to Intune.
Does the solution meet the goal?
Answer : A
Before you can configure, assign, protect, or monitor apps, you must add them to Microsoft Intune.
Reference:
https://docs.microsoft.com/en-us/intune/apps-add
Your company has a Microsoft Azure Active Directory (Azure AD) tenant that includes Microsoft Intune. All of the Windows 10 devices are enrolled in Intune.
You are preparing to configure a Windows Information Protection (WIP) policy:
You need to make sure that the policy is configured to allow for the logging of unacceptable data sharing, but not blocking the action.
Which of the following is the WIP protection mode that you should use?
Answer : B
Silent: WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune
Your company has an Active Directory domain, named weylandindustries.com, and a Microsoft Office 365 subscription. The domain is also synced to Microsoft Azure Active Directory (Azure AD).
All company computers are domain-joined, and are running the most recent Microsoft OneDrive sync client.
You are currently configuring OneDrive group policy settings.
Which of the following is the setting that will minimize the disk space consumed by a user profile, when enabled?
Answer : A
OneDrive Files On-Demand enables users to view, search for, and interact with files stored in OneDrive from within File Explorer without downloading them and taking up space on the local hard drive.
Reference:
https://docs.microsoft.com/en-us/onedrive/plan-onedrive-enterprise
You manage your company's Microsoft 365 subscription.
You are tasked with creating an app protection policy for the Microsoft Outlook app on iOS devices that are not enrolled in Microsoft 365 Device Management.
You have to make sure that the policy is configured to prohibit the users from using the Outlook app if the operating system version is less than 12.0.0. You also have to make sure that an alphanumeric passcode is required for users to access the Outlook app.
Which of the following are the policy settings that you should configure? (Choose two.)
Answer : AD
Conditional launch -
Configure conditional launch settings to set sign-in security requirements for your access protection policy.
By default, several settings are provided with pre-configured values and actions. You can delete some of these, like the Min OS version. You can also select additional settings from the Select one dropdown.
Access requirements -
PIN for access: Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context.
The PIN is applied when working either online or offline.
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios
You are responsible for your company's Microsoft 365 environment, with co-management enabled.
All company computers have been deployed via Microsoft Deployment Toolkit (MDT), and have Windows 10 installed.
You have been tasked with devising a strategy for deploying Microsoft Office 365 ProPlus to new computers. You have to make sure that the most recent version is installed at all times, while also reducing the effort required to meet the prerequisites.
Which of the following actions should you take?
Answer : C
The Office Deployment Tool (ODT) is a command-line tool that you can use to download and deploy Microsoft 365 Apps to your client computers. The ODT gives you more control over an Office installation: you can define which products and languages are installed, how those products should be updated, and whether or not to display the install experience to your users.
Reference:
https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company uses Windows Autopilot to configure the computer settings of computers issued to users.
A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.
You plan to transfer the computer to a user named User2.
You need to ensure that when User2 first starts the computer, User2 is prompted to select the language setting and to agree to the license agreement.
Solution: You create a new Windows Autopilot self-deploying deployment profile.
Does this meet the goal?
Answer : B
Instead:
Windows Autopilot user-driven mode lets you configure new Windows devices to automatically transform them from their factory state to a ready-to-use state. This process doesn't require that IT personnel touch the device.
The process is very simple. Devices can be shipped or distributed to the end user directly with the following instructions:
Unbox the device, plug it in, and turn it on.
Choose a language (only required when multiple languages are installed), locale, and keyboard.
Connect it to a wireless or wired network with internet access. If using wireless, the user must establish the Wi-Fi link.
Specify your e-mail address and password for your organization account.
The rest of the process is automated. The device will:
Join the organization.
Enroll in Intune (or another MDM service).
Get configured as defined by the organization.