Explore MDM Flashcards

1
Q

What makes up the Desktop Life Cycle Model?

A

Plan / Purchase / Deploy / Operate / Support / Upgrade / Retired

2
Q

What are the two types of Azure accounts?

A

Member and Guest

3
Q

How do you create Azure accounts?

A

Directory Sync and On the Cloud

4
Q

What is Password Hash Synchronization?

A

Passwords are the same in both the cloud and Local

5
Q

What is password pass-through?

A

Does not keep the password in the cloud

6
Q

What Type of devices can Join Azure AD?

A

Windows Home (including Pro & Enterprise), iOS or Android

7
Q

What is Hybrid Azure AD join?

A

Hybrid Azure AD join is a process to automatically register your on-premises domain-joined devices with Azure AD

8
Q

What devices are supported in Hybrid Azure AD join scenarios?

A

Windows 10 or later
Windows Server 2016 or later
Windows 8.1
Windows Server 2012 R2

9
Q

What authentication protocols does Azure AD join require?

A

WS-Fed and WS-Trust username/password endpoint

10
Q

Where do you access Intune?

A

https://endpoint.microsoft.com

11
Q

What is a CSR?

A

Certificate Signing Request (CSR)

12
Q

Remember 1

A

Automatic enrollment to MDM works for Windows devices, because only Windows devices can be joined to an on-premises AD DS and Azure AD

13
Q

How do you join devices to MDM that are not Windows?

A

Other devices, such as Android and iOS devices, can only be enrolled manually to MDM by using the Company Portal app

14
Q

What are the Intune supported devices?

A

Windows 10/11 (Home, Pro, Education, S mode, and Enterprise versions)
Windows 10/11 Cloud PCs on Windows 365
Windows 10 IoT and Windows 10 Holographic
Windows 10 2019 LTSC
Windows RT 8.1, and Windows 8.1 (sustaining mode)
Apple iOS/iPadOS 13.0 and later
Mac OS X 10.15 and later
Android 6.0 and later, including Samsung Knox 2.4 and later and Android for Work

15
Q

What is the default number of devices users can enroll in Intune?

A

By default, this is set to five devices per user

16
Q

What type of device can be configured for automatic enrollment?

A

Windows Only

17
Q

What is the user-driven method?

A

Enrolls in Intune only, but the device is not Azure AD joined

18
Q

What is Azure AD join (OOBE)?

A

Enrolls the device in a join-work scenario

19
Q

What is DEM?

A

A Device Enrollment Manager (DEM) account. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices. The DEM would enroll the device, log on to the company portal and install the apps required by the user

20
Q

What is co-management?

A

Co-management enables you to concurrently manage Windows devices by using both Configuration Manager and Intune. It’s a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach

21
Q

What do you use to make a provisioning package?

A

Windows Configuration Designer app

22
Q

How many devices can a DEM enroll?

A

1000

23
Q

What is Enterprise State Roaming?

A

Enterprise State Roaming defines which groups may sync settings and app data across devices.

24
Q

What is Fresh Start?

A

Fresh Start (Windows 10 and later only). Removes any apps that are installed on a PC. Fresh Start helps remove pre-installed (OEM) apps that are typically installed with a new PC.

25
What is retire?
Retire. Removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management.
26
What is wipe?
Wipe. Restores a device to its factory default settings. The user data is kept if you choose Retain enrollment.
27
How do you create a device configuration profile?
In the Endpoint Manager admin center, select Devices, then select the Windows platform, then select Configuration Profiles. Select Create Profile. Enter the following properties:
Platform: Choose which versions of Windows to include.
Profile type: Select the type you want to create.
28
What is a CSP?
Configuration Service Provider (CSP)
29
How do you monitor device profiles?
In the Endpoint Manager admin center, select Devices. On the Devices overview page, select Monitor, then select Assignment status.
30
What is device sync?
The Sync device action forces the selected device to immediately check in with Intune. When a device checks in, it immediately receives any pending actions or policies that have been assigned to it.
31
How do you view device sync status?
Devices > Monitor > Device actions
32
What are configuration policies?
Commonly used to manage security settings and features on your devices, including access to company resources. Get started at Intune device profiles.
33
What are device compliance policies?
Define the rules and settings that a device must comply with to be considered compliant by conditional access policies. You can also use compliance policies to monitor and remediate the compliance of devices independent of conditional access.
34
What are conditional access policies?
Help secure email and other services, depending on conditions that you enter.
35
What are corporate device enrollment policies?
Intune supports the enrollment of corporate-owned iOS devices using the Apple Device Enrollment Program (DEP) or the Apple Configurator tool running on a Mac computer.
36
How many attempts does a device make if it does not check in with Intune?
3
37
What does the Intune management extension do?
Lets you upload PowerShell scripts in Intune to run on Windows devices, as well as shell scripts for macOS.
38
What are the Intune management extension requirements?
Windows version 1607 or later.
macOS version 10.12 or later.
Devices must be joined to Azure AD, including Hybrid Azure AD joined devices.
Devices are managed by Intune.
Automatic MDM enrollment must be enabled in Azure AD.
macOS shell scripts begin with #! and must be in a valid location such as #!/bin/sh or #!/usr/bin/env zsh.
Command-line interpreters for the applicable shells are installed.
39
What is a user profile?
A user profile is a set of files and folders. It is personal to each user who has signed in to the computer, and it’s stored in the Users folder.
40
What is a default user profile?
A default profile is a pre-configured baseline profile, which contains all of the initial settings to be included whenever a new profile is created.
41
What are the four types of user profiles?
Local User Profile. This type is available on a single computer only.
Roaming User Profile. This type can roam between computers that are domain members.
Mandatory User Profile. This is a special type of pre-configured user profile that does not store user changes between sign-ins.
Temporary User Profile. A temporary profile is issued each time that an error condition prevents the user's profile from loading.
42
What are the profile extensions for user profiles?
Windows 8.1 and Windows Server 2012 R2: V4
Windows 10, version 1607 and later, and Windows Server 2016 and later: V6
43
What are quotas for user profiles?
An option to limit user profile sizes is to use quotas. You can use the same approach to limit the disk space that a user consumes in general, and it applies to limiting user profile sizes. You can set a disk quota on a local Windows volume by using volume properties.
44
What is Folder Redirection?
Folder Redirection is a Group Policy setting that is most often used for configuring user profiles. Administrators can use Folder Redirection to redirect individual folders from a user profile to a new location.
45
How many folders can be redirected?
13 folders
46
What can Enterprise State Roaming do?
Enterprise State Roaming can sync only settings and not data.
47
More on Enterprise State Roaming?
Enterprise State Roaming syncs settings across Azure AD joined devices and provides users with the same experience across their devices. Enterprise State Roaming provides the following benefits: Enterprise State Roaming syncs only the state of business UWP apps.
48
What does Azure Rights Management (Azure RMS) do?
Encrypts data settings
49
How long is Enterprise State Roaming data kept for?
90 days
50
More on ESR
Enterprise State Roaming (ESR) does not provide a mechanism for synchronizing user files, such as documents and pictures.
51
What does Microsoft Edge sync back up?
Favorites
Passwords
Form-fill
History
Open tabs (sessions)
Settings (preferences)
Extensions
52
What is User Experience Virtualization (UE-V)?
User Experience Virtualization (UE-V) is a Windows Enterprise edition feature that enables the synchronization of operating-system settings, desktop-application settings, Microsoft Store app settings, network printers, and user credentials between Windows Enterprise edition computers in the same AD DS domain environment.
53
How do you enable Enterprise State Roaming?
Azure Active Directory > Devices > Enterprise State Roaming, then choose All or Selected next to Users may sync settings and app data across devices.
54
What type of data is backed up by ESR?
Theme, which includes features such as desktop theme and taskbar settings.
Internet Explorer settings, including recently opened tabs and favorites.
Passwords, including Internet passwords, Wi-Fi profiles, and others.
Language preferences, which include settings for keyboard layouts, system language, date and time, and more.
Ease of access features, such as high-contrast theme, Narrator, and Magnifier.
Other Windows settings, such as mouse settings.
55
What is MAM?
Intune Mobile Application Management (MAM) refers to the suite of Intune management features you can use to publish, push, configure, secure, monitor, and update mobile apps for your users.
56
What is Intune MDM + MAM?
IT administrators can only manage apps using MAM and app protection policies on devices that are enrolled with Intune MDM.
57
MAM without device enrollment?
MAM without device enrollment (MAM-WE) allows IT administrators to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party Enterprise Mobility Management (EMM) providers, or not enrolled with an MDM at all.
58
Why are app protection policies important?
The important benefits of using app protection policies are:
Protecting your company data at the app level. Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.
End-user productivity isn't affected, and policies don't apply when using the app in a personal context. The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.
59
What can you use to protect app data?
You can enable your apps to use app protection policies by using either the Intune App Wrapping Tool or the Intune App SDK.
60
What is the Intune App Wrapping Tool?
The App Wrapping Tool is used primarily for internal line-of-business (LOB) apps. The tool is a command-line application that creates a wrapper around the app, which then allows the app to be managed by an Intune app protection policy.
61
What is the Intune App SDK?
The Intune App SDK is designed mainly for customers who have apps in the Apple App Store or Google Play Store, and want to be able to manage the apps with Intune. However, any app can take advantage of integrating the SDK, even line-of-business apps.
62
What are some app protection settings?
App protection policy settings include:
63
What can't you do on BYOD devices with app protection?
You can't deploy apps to the device. The end user has to get the apps from the store.
You can't provision certificate profiles on these devices.
You can't provision company Wi-Fi and VPN settings on these devices.
64
Where can you monitor app protection policies?
Azure portal
65
What does the Intune Management Extension support?
Azure AD joined, hybrid domain joined, and group policy enrolled devices are supported.
66
What is the Windows Package Manager for?
Allows customers to install and manage private organization apps, as well as set up their own private repository.
67
Note on Microsoft Store for Business account
The Microsoft Store for Business account must be a global administrator in Azure AD.
68
What tools can you use to deploy O365 apps?
Configuration Manager
The Office Deployment Tool
The Office Customization Tool
End-user installation
69
What is WIP?
Windows Information Protection (WIP) is a set of technologies that protect your organization from accidental or malicious data leaks, without significant changes to your enterprise environment or apps. It provides this protection to both enterprise-owned devices and BYOD devices, and it does so without interfering with employees’ regular workflows.
70
What is Azure RMS?
Azure Rights Management (Azure RMS), as a key part of Azure Information Protection, provides an IRM system that works with WIP to extend protection after data leaves a user’s device.
71
What are the four types of WIP?
Block or Hide overrides. Prevents employees from performing data-sharing actions when blocked by the policy. In some Microsoft documentation, this is referred to as Hide overrides mode.
Allow overrides. Warns employees when they are performing a potentially risky action, but they can choose to complete the action. The action is recorded to the audit log.
Silent. Works like Allow overrides mode, except that it only records any action that an employee can override to the audit log. Any action that would be blocked is still blocked.
Off. WIP is turned off and does not protect data.
72
What is EFS?
EFS is a component of the NTFS file system, and it uses advanced, standard cryptographic algorithms to allow transparent file encryption and decryption. EFS is based on user certificates, and their public and private keys. Without proper certificate management, you can easily get into a situation where encrypted data is not accessible. You can issue EFS certificates only to individual users. You cannot issue EFS certificates to groups.
73
EFS features on Windows 10?
Selective Wipe. A feature of Windows in a corporate environment is Selective Wipe. If a device is lost or stolen, an administrator can revoke the EFS key that was used to protect the files on the device. Revoking a key prevents all access to data files that are stored on a user’s device.
74
What is MBAM?
As with any security technology that you implement, centralized management is recommended. You can centrally manage BitLocker by using Group Policy, but with limited functionality. Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go with full functionality. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
75
What is Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint (formerly Windows Defender Advanced Threat Protection) is an additional cloud-based online service that assists organizations in detecting, investigating, and responding to advanced persistent threats. Windows Defender Advanced Threat Protection provides behavior-based advanced attack detection, a forensic timeline, and a unique threat intelligence knowledge base.
76
Where can you find Microsoft Defender for Endpoint?
Microsoft 365 Security Center
77
What is Windows Defender Device Guard?
Device Guard combines the features of Application Control with the ability to leverage the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. While WDAC doesn't require specific hardware or software, enabling Hypervisor-protected code integrity (HVCI) requires compatible hardware and drivers.
78
What is Application Guard?
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive.
79
What is Exploit Guard?
Microsoft Defender Exploit Guard (formerly Windows Defender Exploit Guard) is a new set of host intrusion prevention capabilities for Windows, allowing you to manage and reduce the attack surface of apps used by your employees.
80
What is Defender System Guard?
Windows uses a container type called Windows Defender System Guard to protect critical resources, such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module.
81
What is Credential Guard?
Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
82
Microsoft Defender Antivirus
Microsoft Defender Antivirus helps protect your computer from spyware, malware, and viruses. Microsoft Defender Antivirus also is Hyper-V–aware, which means that it detects if Windows is running as a virtual machine.
83
Windows Hello note
Windows Hello for Business is an exclusive Windows 10 or later feature – it is not supported on earlier versions of Windows.
84
What is Azure Identity Protection?
Azure AD Identity Protection is a Microsoft implementation of identity protection technology targeted at users of Microsoft 365 and other Microsoft cloud services. It’s a feature of the Azure AD Premium P2 license.
85
What is RSA?
Azure AD Identity Protection is a Microsoft implementation of identity protection technology targeted at users of Microsoft 365 and other Microsoft cloud services. It’s a feature of the Azure AD Premium P2 license.
86
What is RAS Gateway (single tenant)?
By using RAS Gateway, you can deploy VPN connections to provide end users with remote access to your organization's network and resources. If your clients are running Windows 10 or later, you can deploy Always On VPN, which maintains a persistent connection between clients and your organization network whenever remote computers are connected to the internet.
87
What is Configuration Service Provider (CSP)?
88
What is Always On VPN?
Always On VPN is exclusively a Windows 10 or later feature; devices using other platforms would need to use traditional client VPN solutions.
89
Where can you define device compliance policies?
Device Security policy in Microsoft 365 or Device Compliance in Intune
90
What are compliance rules?
Compliance policies define the rules and settings that should be configured on a device for it to be considered compliant. After you configure and deploy a compliance policy, you can monitor device compliance status, as well as individual devices that are configured in an expected way.
91
Where are Intune device compliance policies?
Intune compliance policies are created in the Devices section of the Endpoint Manager admin center. The device compliance dashboard for monitoring can be found under Reports.
92
What are the requirements for deploying compliance policies?
Before an organization can implement device compliance policies, it must first satisfy the following prerequisites:
It must be licensed for Azure AD Premium P1 or Azure AD Premium P2 and Intune. Both are part of Microsoft 365 or Enterprise Mobility + Security, but they can also be obtained separately.
Its devices run one of the following supported platforms: Android, Android Enterprise, iOS/iPadOS, macOS, Windows 8.1 or later.
Its devices must be enrolled in Intune to be eligible for compliance management.
93
Where are compliance settings found in Intune?
Compliance policy settings can be found in the Endpoint Manager admin center, in Devices > Compliance policies.
94
Conditional access
If the conditional access policy says that noncompliant devices can't access a resource, the access request is denied. If access is denied, the user is prompted to enroll the device and fix the compliance problems.
95
What is conditional access?
A conditional access policy is a definition of an access scenario using the "When this happens: Then do this" pattern.
96
What is Desktop Analytics?
Desktop Analytics is a cloud-based service that collects application and hardware data from clients. It helps identify apps with known issues based on data from multiple sources, and provides recommended remediation or testing information, based on data from developers and deployment data from other customers. It provides a graphical representation of which devices are current and which need updates, and reports on the health of devices as well.
97
What is Endpoint analytics?
Endpoint analytics is a cloud-based service that provides insights for measuring how your organization is working and the quality of the experience you're delivering to your users. Endpoint Analytics provides Windows 11 hardware readiness reports in the Work from Anywhere report.
98
What is ACT?
Application Compatibility Toolkit (ACT) is a set of tools used during the inventory, analyze, and mitigate phases of the application compatibility testing process. ACT consists of several features, including:
99
What is Delivery Optimization?
Delivery Optimization is a cloud-managed solution; therefore, access to the Delivery Optimization cloud service is a requirement. In addition, devices must have access to the internet to use the peer-to-peer functionality of Delivery Optimization.
100
Network note on Delivery Optimization
By default in Windows 10 or later Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing only on the organization's own network (specifically, all of the devices must be behind the same NAT). However, you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
101
What is Distributed Cache mode?
Distributed Cache mode. In Distributed Cache mode, each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. This is similar to the Delivery Optimization feature in Windows.
102
What is Hosted Cache mode?
Hosted Cache mode. In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in their area. So rather than clients retrieving files from a latent source, the hosted cache server provides the content on their behalf.
103
What is BranchCache?
BranchCache replicates files from a central location to a local device, such as a server. This enables clients to download locally hosted data instead of consuming WAN bandwidth.
104
What is BITS?
Background Intelligent Transfer Service (BITS) is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares. BITS takes the cost of the transfer and the network usage into consideration so that the user's foreground work has as little impact as possible.
105
Note about install.wim
The Windows installation files include the default OS image, install.wim. This image is a basic OS image that contains a standard set of drivers. When you use the default OS image, configuring the OS and installing applications must be done separately and after the image is deployed.
106
What is DISM?
Configurations and applications can be included in custom images. Tools such as Deployment Image Servicing and Management (DISM.exe) can be used to service and prepare Windows images. DISM is a command line tool that can capture the image of a reference computer with the desired OS, settings, and applications. DISM can also be used to mount the image and make modifications.
107
What is Sysprep?
Sysprep is then used to generalize the image prior to deployment. Before you can deploy a Windows image to new PCs, you have to first generalize the image. This process removes computer-specific information such as installed drivers and the computer security identifier (SID). Generalizing the image makes it ready for deployment.
108
What is MDT?
The Microsoft Deployment Toolkit (MDT) is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today.
109
What are boot images?
Boot images are the Windows PE images that start the OS deployment.
110
Task sequence?
Task Sequences. Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are in the Templates folder in the MDT installation directory, and they define the default actions in the sequence. You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions include:
Gather. Reads configuration settings from the deployment server.
Format and Partition. Creates the partition(s) and formats them.
Inject Drivers. Determines which drivers the machine needs and downloads them from the central driver repository.
Apply Operating System.
Windows Update. Connects to a WSUS server and updates the machine.
111
What do you use to deploy Windows 10 and later images?
Use the Deployment Workbench to create and deploy Windows 10 or later images. The Deployment Workbench is where you store your default image.
112
More on task sequence?
A task sequence is a sequential set of steps that will reference various components imported into MDT up to this point (OS images, applications etc.). When you create these using the MDT wizard, you are presented with various templates to help with each scenario. For this lesson, we'll focus on a deployment task sequence.
113
More on task sequence (2)?
Gather. Collects information locally and stores it as variables for use during the task sequence.
Format and Partition Disk. Formats and creates an appropriate disk layout for the target endpoint.
Apply OS Image. Applies a standard Windows image or a custom *.WIM file from a previously run capture process.
Inject Drivers. Allows specific drivers to be applied to certain target devices.
Install Applications. Allows for an application imported in MDT to be installed sequentially.
114
Unattend.xml?
When capturing and deploying Windows, be sure to familiarize yourself with the Unattend.xml file. This helps the Windows installation move through the various passes and applies any relevant customization. System Image Manager helps you review and showcase answer files for Windows.
115
Microsoft management tools
The following Microsoft management solutions are all now part of Microsoft Endpoint Manager:
Configuration Manager
Microsoft Intune
Desktop Analytics
Windows Autopilot
Other features in the Device Management Admin console
116
how can you start os images
boot images are Windows Preinstallation Environment (Windows PE) images that are used to start a Windows deployment. You can start boot images from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server
117
x86 versus x64
The architecture of the boot image must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image.
118
upgrade info?
32-bit OS. You can’t use an in-place upgrade to upgrade a 32-bit operating system to 64-bit Windows.
119
what can you do with auto pilot?
Join devices to Azure AD automatically. Auto-enroll your users' devices into MDM services. Restrict the creation of the Administrator account. Customize the OOBE content specifically to your organization
120
note of hardware file
When you purchase new devices, the hardware vendor can upload device specific information on your behalf. If you want to use Windows Autopilot to deploy devices that your company already owns, you can transfer device specific information to a comma-separated value (CSV) file by running a Windows PowerShell script and then uploading the CSV file to Microsoft Intune or Microsoft Store for Business.
121
where can you manage auto pilot
Microsoft Store for Business or Endpoint Manager admin center
122
what are the auto pilot requirements
Devices must have Windows 10 or Windows 11 preinstalled Windows Pro, Enterprise, or Education. Windows Autopilot can’t deploy Windows Home or an operating system that is older than Creators Update (version 1703) Organization must be using Azure AD Intune or Microsoft Store for Business.
123
how do you manage windows with autopilot
On the Azure Active Directory blade, select Mobility (MDM and MAM), and then in the details pane, select Microsoft Intune.
124
note about OBBE
An employee who completes the OOBE also becomes a member of the local Administrators group, which can cause many problems.
125
What are the types of autopilot deployment schemes
Windows Autopilot user-driven mode Windows Autopilot self-deploying mode Autopilot for existing devices Windows Autopilot for pre-provisioned deployment Windows Autopilot reset
126
how do you configure user driven auto pilot
Users must be able to join Azure AD. If using Intune (and not Microsoft Store for Business), user-driven mode must be selected in the Autopilot profile assigned to the device if using Intune. The Autopilot profile must also be assigned to an Azure AD device group. The device must be added to Windows Autopilot and a profile must be assigned to the device.
127
user driven with hybrid aad requirements
The device must be running Windows 1809 or later. Hybrid Azure AD joined must be specified as the selected option under Join to Azure AD as in the Autopilot profile. The device must be able to access the internet and an Active Directory domain controller. The Intune Connector for Active Directory must be installed (this performs the on-prem AD join instead of requiring user permission to join).
128
what is self deploying mode autopilot ?
Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction, achieving a ZTI experience with all OOBE prompts pre-configured. The enrollment status page will display while the device is being configured, and then the computer will either complete and display the sign-in screen, ready for Azure AD credentials. If the device is configured as a kiosk device, it will automatically sign in by using a locally configured account.
129
requirements for self deploying mode
Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. Note that this mode is not available using the Microsoft Store for Business. Ensure that the profile has been assigned to the device before attempting to deploy that device. Self-deploying mode requires devices with TPM 2.0 and Windows 10 version 1903 or later.
130
Notes on Autopilot for pre-provisioned deployment
Pre-provisioned deployment requires Windows 10, version 1903 or later, and an Intune subscription. The device must support TPM 2.0 and device attestation; virtual machines are not supported. Access to the on-premises domain is not required during the technician (pre-provisioning) phase. Internet connectivity (and, if using Hybrid Azure AD join, connectivity to a domain controller) is required during the final user phase.
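Added example for cards 129 and 130 (not part of the original flashcards): a pre-flight check a technician can run on a candidate device before attempting self-deploying or pre-provisioned mode. It confirms the device is not a virtual machine and reports a TPM 2.0, then collects the hardware hash that Intune needs for Autopilot registration from the MDM bridge WMI provider. The virtualization keywords and the CSV output path are assumptions; run it elevated.

```powershell
# Added example (not from the course page): Autopilot readiness check for
# self-deploying / pre-provisioned mode. Both modes need a physical device with a
# TPM 2.0 that supports attestation; virtual machines are rejected.
# Model/manufacturer keywords and the output path are assumptions.

function Test-AutopilotTpmReadiness {
    $result = [ordered]@{ IsVirtualMachine = $false; TpmPresent = $false; TpmSpec2 = $false; Ready = $false }

    # Hypervisors identify themselves in the system model or manufacturer string.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.IsVirtualMachine = ($cs.Model -match 'Virtual|VMware|KVM|QEMU') -or ($cs.Manufacturer -match 'QEMU|Xen')

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = $true
        $result.TpmSpec2   = (($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0')
    }

    $result.Ready = $result.TpmPresent -and $result.TpmSpec2 -and -not $result.IsVirtualMachine
    [pscustomobject]$result
}

function Get-AutopilotHardwareHash {
    # The hardware hash used for Autopilot registration is exposed by the MDM bridge provider.
    $dev = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    # Column names match the CSV layout the Intune Autopilot import expects.
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $dev.DeviceHardwareData
    }
}

$check = Test-AutopilotTpmReadiness
$check
if ($check.Ready) {
    Get-AutopilotHardwareHash | Export-Csv -Path "$env:TEMP\AutopilotHWID.csv" -NoTypeInformation
    Write-Host "Hardware hash written to $env:TEMP\AutopilotHWID.csv"
}
else {
    Write-Warning 'Device does not meet the TPM 2.0 / physical-hardware requirements for self-deploying or pre-provisioned mode.'
}
```

The CSV is what you upload under Devices > Windows enrollment > Devices in Intune; a device that fails the readiness check can still be registered and used in user-driven mode, which does not rely on TPM attestation.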
131
What is Windows Autopilot Reset?
Windows Autopilot Reset returns a device to a business-ready state without redeploying a Windows image. It removes all personal files, apps and settings and resets the device to its initial state (a local reset can be started from the lock screen; a remote reset is triggered from Intune). The device keeps its Azure AD join and MDM enrollment, so Intune or another MDM solution can reapply organizational apps and settings and the device is ready to use after the reset.
132
What is dynamic provisioning?
Dynamic provisioning uses a number of transforms to take a device from its out-of-box state to the desired edition and configuration:
Windows 10 Subscription Activation: users of Windows Pro can upgrade to Windows Enterprise without entering a product key or restarting.
Provisioning package configuration: using Windows Configuration Designer, you create configuration packages that you deploy to users' devices to configure apps and settings on those devices.
Azure AD join with automatic MDM enrollment: users enter their work or school account details, the device is automatically joined to Azure AD and enrolled in MDM, and it is then configured according to the organization's MDM policies.
133
What are the volume activation models?
Key Management Service (KMS): a role service that activates systems within your network from a computer on which a KMS host has been installed. By default, volume editions of Windows locate a KMS host and request activation; no action is required from users.
Multiple Activation Key (MAK): product keys that can activate a specific number of computers. MAKs can activate any Windows volume edition and suit devices that rarely or never connect to the corporate network.
Active Directory-based activation: a role service that stores activation objects in AD DS, which simplifies maintaining volume activation for a network. No KMS host server is needed, and activation requests are processed during client computer startup.
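Added example (not part of the original flashcards): a read-only report of which activation model a device is actually using, built from the Software Licensing WMI class, plus a comparison of the KMS host the client activated against with the hosts published in the domain's _VLMCS._tcp SRV record. A mismatch is worth investigating because KMS clients trust whatever host DNS hands them. The domain name is taken from the environment; nothing else is assumed.

```powershell
# Added example (not from the course page): report the volume activation model in use
# and cross-check the KMS host against DNS. Read-only; run on a domain-joined client.

function Get-VolumeActivationState {
    # The Windows product entry is the one under the Windows ApplicationID that holds a partial key.
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL"
    if (-not $lic) { throw 'No installed Windows product key found.' }

    # Description carries the channel, e.g. "VOLUME_KMSCLIENT channel" or "VOLUME_MAK channel".
    $model = switch -Regex ($lic.Description) {
        'VOLUME_KMSCLIENT' { if ($lic.ADActivationObjectName) { 'Active Directory-based' } else { 'KMS' }; break }
        'VOLUME_MAK'       { 'MAK'; break }
        'RETAIL'           { 'Retail'; break }
        'OEM'              { 'OEM'; break }
        default            { 'Other' }
    }

    [pscustomobject]@{
        Edition            = $lic.Name
        LicenseStatus      = if ($lic.LicenseStatus -eq 1) { 'Licensed' } else { "NotLicensed($($lic.LicenseStatus))" }
        ActivationModel    = $model
        KmsHostInUse       = $lic.KeyManagementServiceMachine
        AdActivationObject = $lic.ADActivationObjectName
        GraceDaysRemaining = [math]::Round($lic.GracePeriodRemaining / 1440, 1)   # value is in minutes
    }
}

function Get-KmsHostsFromDns {
    # KMS clients discover hosts through the _VLMCS._tcp SRV record.
    param([string]$Domain = $env:USERDNSDOMAIN)
    if (-not $Domain) { return @() }
    Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight
}

$state = Get-VolumeActivationState
$state
if ($state.ActivationModel -eq 'KMS') {
    $published = @(Get-KmsHostsFromDns)
    $published
    if ($state.KmsHostInUse -and ($published.NameTarget -notcontains $state.KmsHostInUse)) {
        Write-Warning "Client activated against '$($state.KmsHostInUse)', which is not published in DNS; investigate."
    }
}
```

A client that has never reached a KMS host shows an empty KmsHostInUse and a LicenseStatus other than 1 with a grace period counting down; a non-empty AdActivationObject means AD-based activation handled the request even though the client still reports the KMSCLIENT channel.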
134
Converting from Pro to Enterprise via the cloud
There are two paths to Subscription Activation:
With an existing Enterprise Agreement (EA): existing EA customers can get Windows Enterprise E3 or E5 licenses for free, depending on their EA.
Without an existing EA: you must purchase the licenses from a cloud solution provider (CSP) before you can assign them.
135
What are the Subscription Activation requirements?
To implement Subscription Activation, your organization must meet the following requirements:
Windows Pro, Pro Education, Enterprise or Education is installed and activated on the devices you want to upgrade.
An instance of Azure AD is available for identity management.
Devices to upgrade are either Azure AD-joined or Hybrid Azure AD-joined.
For education, the Education tenant must have an active Microsoft 365 subscription with a Windows Enterprise license, or a Windows Enterprise or Education subscription.
136
What are provisioning packages and how are they deployed?
A provisioning package is a method of applying configuration settings to a Windows 10 or later device, either from removable media or downloaded directly to the device. Packages are created with a graphical tool called Windows Configuration Designer (WCD). Similar in concept to group policies, administrators use WCD to select options for a specific configuration; WCD then exports a .ppkg package file containing the settings, which can be applied to a Windows 10 or Windows 11 device.
137
How do you run provisioning packages?
You apply a provisioning package by running the .ppkg file, by adding the package in the Settings app (Accounts > Access work or school > Add or remove a provisioning package), or by running the Add-ProvisioningPackage Windows PowerShell cmdlet. Because a package can create local accounts, install certificates and apps, and enroll the device in MDM, treat a .ppkg as executable content and apply only packages you built or can verify.
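Added example (not part of the original flashcards): applying a package with Add-ProvisioningPackage only after its SHA-256 matches a value the packaging team published out of band, then confirming the package registered as installed. The package path, the expected hash and the log directory are placeholders; run it elevated.

```powershell
# Added example (not from the course page): verify-then-apply for a provisioning package.
# Path, expected hash and log directory are assumptions.

function Install-VerifiedProvisioningPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string]$LogDirectory = "$env:ProgramData\PpkgLogs"
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }

    # A .ppkg can add accounts, certificates and apps and enroll the device in MDM,
    # so refuse anything whose hash differs from the published value.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Hash mismatch for $Path`n expected $ExpectedSha256`n actual   $actual"
    }

    New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
    # -QuietInstall suppresses the consent prompt; -ForceInstall re-applies an already-installed package.
    $pkg = Add-ProvisioningPackage -Path $Path -QuietInstall -ForceInstall -LogsDirectoryPath $LogDirectory

    # Confirm the package is recorded as installed and return that record.
    $installed = Get-ProvisioningPackage -AllInstalledPackages | Where-Object { $_.PackageId -eq $pkg.PackageId }
    if (-not $installed) { throw "Package $($pkg.PackageId) did not register as installed; see logs in $LogDirectory" }
    $installed
}

# Example invocation; the path and hash below are placeholders, not real values.
Install-VerifiedProvisioningPackage -Path 'C:\Deploy\Corp-Baseline.ppkg' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000' |
    Format-List *
```

Remove-ProvisioningPackage -PackageId removes a package again; the hash check does not replace signing the package in WCD, it only guards the copy you are about to apply against tampering in transit.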
138
Requirements for using Azure AD/MDM
Using Azure AD/MDM, you can:
Join devices to Azure AD automatically
Auto-enroll your users' devices into MDM services
Configure the joined devices by using MDM policies
The requirements for implementing the Azure AD/MDM deployment model are:
Windows 10/11 Pro or Enterprise edition
An instance of Azure AD for identity management
An appropriate MDM, such as Microsoft Intune
139
How do you enable co-management?
To enable co-management (Configuration Manager and Intune managing the same device) for your on-premises Active Directory devices, you must configure those devices as hybrid Azure AD joined.
140
Requirements for co-management
You are running an up-to-date version of Azure AD Connect; Azure AD Connect provides a wizard to configure hybrid Azure AD join.
Azure AD Connect has synchronized the computer objects of the devices you want hybrid Azure AD joined. If those computer objects belong to specific organizational units (OUs), those OUs must also be configured for synchronization in Azure AD Connect.
Intune MDM is set up and configured for automatic enrollment.
Configuration Manager (Microsoft Endpoint Manager current branch) is installed and its client is on the devices.
Active Directory joined devices are running Windows 10, version 1709 or later; use the latest version of Windows to get the newest security, Azure AD and Intune features.
Azure AD automatic enrollment is enabled.
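Added example (not part of the original flashcards): the client-side half of this checklist for one device, using dsregcmd /status for the hybrid join and MDM state and the OS build number for the 1709 requirement (build 16299). It is read-only and needs no elevation; the DeviceAuthStatus field only exists on Windows 10, version 1903 and later, so that row reports FAIL on older builds.

```powershell
# Added example (not from the course page): verify co-management prerequisites on a client.
# Read-only. DeviceAuthStatus is absent from dsregcmd output before Windows 10 1903.

function Get-DsregState {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') { $state[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $state
}

function Test-CoManagementReadiness {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $state = Get-DsregState

    $checks = [ordered]@{
        'Windows 10 1709 or later (build >= 16299)' = ([int]$os.BuildNumber -ge 16299)
        'On-premises domain joined'                = ($state['DomainJoined']  -eq 'YES')
        'Azure AD joined (hybrid)'                 = ($state['AzureAdJoined'] -eq 'YES')
        'Device authenticated to Azure AD'         = ($state['DeviceAuthStatus'] -eq 'SUCCESS')
        'MDM enrollment URL present'               = -not [string]::IsNullOrWhiteSpace($state['MdmUrl'])
    }

    foreach ($name in $checks.Keys) {
        Write-Host ('{0,-45} {1}' -f $name, $(if ($checks[$name]) { 'PASS' } else { 'FAIL' }))
    }

    [pscustomobject]@{
        TenantName = $state['TenantName']
        DeviceId   = $state['DeviceId']
        MdmUrl     = $state['MdmUrl']
        AllPassed  = -not ($checks.Values -contains $false)
    }
}

Test-CoManagementReadiness
```

DomainJoined YES with AzureAdJoined NO means the computer object has not synchronized or the device has not completed registration yet; an empty MdmUrl on a hybrid-joined device usually points at the automatic enrollment policy or the Intune MDM user scope not covering the signed-in user.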
141
What is Hybrid Azure AD join?
Hybrid Azure AD join is a process that automatically registers your on-premises domain-joined devices with Azure AD. There are cases, though, where you do not want all your devices to register automatically; registration can then be scoped to a targeted set of devices (controlled validation).
142
What device actions are available once devices are Hybrid Azure AD joined and enrolled in Intune?
Factory reset / Selective wipe / Delete device / Restart device / Fresh Start
143
Upgrading: modern versus traditional methods
Modern deployment methods require that Windows 10 or Windows 11 already be installed on the target device. For devices still running Windows 7 or 8.1, the in-place upgrade method is recommended (in-place upgrade is examined in the next unit). For devices running another operating system, or no operating system, traditional methods must be used. Once the device has Windows 10 or Windows 11 installed, however, there are few reasons to continue using traditional methods such as imaging. Even for new devices, which typically ship with some edition of Windows 10 or Windows 11, imaging isn't necessary to transform the OS into the desired edition and configuration.
144
What is Windows 365?
A cloud-based service that automatically creates a new type of Windows virtual machine (Cloud PCs) for your end users. Each Cloud PC is assigned to an individual user and is their dedicated Windows device. Windows 365 is available in two editions:
Windows 365 Business: made for smaller companies (up to 300 seats) that want ready-to-use Cloud PCs with simple management options. There are no licensing prerequisites and no dependencies on Azure or Active Directory. Purchases are made through the Microsoft 365 admin center or the Windows 365 product site.
Windows 365 Enterprise: for larger companies that want unlimited seats for creating Cloud PCs. It includes options to create custom Cloud PCs from your own device images, more management options, and full integration with Microsoft Endpoint Manager. It uses Azure AD and AD DS domains.
145
Quality Updates
Quality updates. Provide reliability and security updates and fixes, usually at least once a month. Each month, a cumulative update is released which supersedes all previous updates. This helps to ensure that organizations’ devices more closely align to those used for testing at Microsoft.
146
Feature updates
Feature updates. Adds new functionality annually. Microsoft aims to package new features into annual updates that can be readily deployed using existing management tools. Because the updates are delivered using the same method as quality updates, deployment is considerably easier. Consequently, the workload and cost effect on organizations is reduced. OS upgrades are also now delivered through this method, such as upgrading from Windows 10 to Windows 11.
147
What is Windows Insider Program?
Windows Insider Program. Insider preview releases are made available during the development of the features that will ship in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, and to give Microsoft feedback on any issues encountered. Within the Windows Insider Program there are three options: Dev Channel / Beta Channel / Release Preview Channel
148
What is General Availability Channel ?
General Availability Channel. This is the channel most devices will typically be assigned to. Computers configured in the General Availability Channel receive updates as soon as Microsoft publishes them (if no deferral is configured).
149
What is Long-Term Servicing Channel?
Long-Term Servicing Channel. For computers and other devices that perform a single task or a number of specialized tasks, the long-term servicing channel prevents configured devices from receiving feature updates; delivery of quality updates isn't affected.
150
note about LTSC
The Long-term Servicing Channel is available only in the Windows 10/11 Enterprise LTSC edition.
151
NOTE ABOUT UPDATES
You can defer feature updates up to 365 days and quality updates up to 30 days.
152
What is Windows Update for Business?
Windows Update for Business is a service introduced with Windows 10. With it, you use Group Policy or Intune configuration profiles to configure Windows Update and control the distribution and deployment of Windows updates. Windows Update for Business has the following features:
Internal deployment groups (rings). Administrators specify which Windows devices receive upgrades and updates first, and when to update the remaining devices.
Maintenance windows. Administrators specify when updates will and will not occur.
Peer-to-peer delivery. Windows devices don't need to receive updates from Windows Update or a local server; administrators can enable peer-to-peer delivery (Delivery Optimization) to optimize update delivery to branch offices and remote sites with limited bandwidth.
Integration with existing tools. Windows Update for Business is compatible with WSUS, Configuration Manager and Intune.
Support for the General Availability Channel (formerly Semi-Annual Channel). Windows Update for Business works only with this channel; LTSC devices are not supported.
Test upgrades. You have an additional three months to test upgrades before deploying them to your users' Windows devices.
153
What types of updates does Windows Update for Business offer?
Feature Updates. Include security and quality revisions as well as feature additions and changes. Historically released every 4 to 8 months; Windows 10 (from version 21H2) and Windows 11 now receive them annually.
Quality Updates. Typically released the second Tuesday of each month (though they can be released at any time); include security, critical and driver updates. Updates to other Microsoft products (such as Microsoft Office or Microsoft Visual Studio) are also treated as Quality Updates.
Non-deferrable updates. Anti-malware and anti-spyware definition updates from Windows Update are mandatory and cannot be deferred.
154
Note on Windows Update for Business deferrals
Configure when devices receive Feature and Quality Updates. You can defer the application of both. Feature Updates can be deferred for up to 365 days; Quality Updates for a maximum of 30 days. Separately, either update type can be paused for up to 35 days.
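Added example for cards 151 and 154 (not part of the original flashcards): setting Windows Update for Business deferrals through the same registry policy values that the Group Policy and Intune settings write, with parameter validation that mirrors the product limits (feature 0 to 365 days, quality 0 to 30 days), and reading the result back. The pilot-ring values in the calls are assumptions; run it elevated.

```powershell
# Added example (not from the course page): configure and read back WUfB deferrals via the
# WindowsUpdate policy key. Deferral values in the calls below are assumptions for a pilot ring.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WufbDeferral {
    # Missing values mean the device follows Windows Update defaults (no deferral).
    $p = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureUpdateDeferralDays = $p.DeferFeatureUpdatesPeriodInDays
        QualityUpdateDeferralDays = $p.DeferQualityUpdatesPeriodInDays
        BranchReadinessLevel      = $p.BranchReadinessLevel
        FeatureDeferralEnabled    = ($p.DeferFeatureUpdates -eq 1)
        QualityDeferralEnabled    = ($p.DeferQualityUpdates -eq 1)
    }
}

function Set-WufbDeferral {
    param(
        [ValidateRange(0, 365)][int]$FeatureUpdateDays,
        [ValidateRange(0, 30)] [int]$QualityUpdateDays,
        # 16 = General Availability Channel (formerly Semi-Annual Channel);
        # 2 / 4 / 8 = Insider Dev / Beta / Release Preview channels.
        [ValidateSet(2, 4, 8, 16)][int]$BranchReadinessLevel = 16
    )
    New-Item -Path $WuPolicyKey -Force | Out-Null
    $values = @{
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $FeatureUpdateDays
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $QualityUpdateDays
        BranchReadinessLevel            = $BranchReadinessLevel
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $WuPolicyKey -Name $name -Value $values[$name] -Type DWord
    }
    Get-WufbDeferral
}

# Pilot ring: feature updates 30 days after release, quality updates after 7 days.
Set-WufbDeferral -FeatureUpdateDays 30 -QualityUpdateDays 7

# A request beyond the product limit is rejected by parameter validation before anything is written.
try { Set-WufbDeferral -FeatureUpdateDays 30 -QualityUpdateDays 45 }
catch { Write-Warning $_.Exception.Message }
```

Devices managed by Intune receive the same values through the Update Rings policy, so this is useful for validating a lab machine or for GPO-managed fleets; definition updates are not affected by either deferral, as card 153 notes.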