Explore MDM Flashcards

1
Q

What makes up the Desktop Life Cycle Model?

A

Plan / Purchase / Deploy / Operate / Support / Upgrade / Retired

2
Q

What are the two types of Azure accounts?

A

Member and Guest

3
Q

How do you create Azure accounts?

A

Directory Sync and On the Cloud

4
Q

What is Password Hash Synchronization?

A

Passwords are the same in both the cloud and locally.

5
Q

What is password pass-through?

A

Does not keep the password in the cloud.

6
Q

What type of devices can join Azure AD?

A

Windows Home (including Pro & Enterprise), iOS or Android

7
Q

What is Hybrid Azure AD join?

A

Hybrid Azure AD join is a process to automatically register your on-premises domain-joined devices with Azure AD.

8
Q

What devices are supported in Hybrid Azure AD join scenarios?

A

Windows 10 or later
Windows Server 2016 or later
Windows 8.1
Windows Server 2012 R2

9
Q

What authentication protocols does Azure AD join require?

A

WS-Fed and WS-Trust username/password endpoint

10
Q

Where do you access Intune?

A

https://endpoint.microsoft.com

11
Q

What is a CSR?

A

Certificate Signing Request (CSR)

12
Q

Remember 1

A

Automatic enrollment to MDM works for Windows devices, because only Windows devices can be joined to an on-premises AD DS and Azure AD.

13
Q

How do you join devices to MDM that are not Windows?

A

Other devices, such as Android and iOS devices, can only be enrolled manually to MDM by using the Company Portal app.

14
Q

What are the Intune supported devices?

A

Windows 10/11 (Home, Pro, Education, S mode, and Enterprise versions)
Windows 10/11 Cloud PCs on Windows 365
Windows 10 IoT and Windows 10 Holographic
Windows 10 2019 LTSC
Windows RT 8.1, and Windows 8.1 (sustaining mode)
Apple iOS/iPadOS 13.0 and later
Mac OS X 10.15 and later
Android 6.0 and later, including Samsung Knox 2.4 and later and Android for Work

15
Q

What is the default number of devices users can enroll in Intune?

A

By default, this is set to five devices per user.

16
Q

What type of device can be configured for automatic enrollment?

A

Windows only

17
Q

What is the user-driven method?

A

Enrolls the device in Intune only; the device is not Azure AD joined.

18
Q

What is Azure AD join (OOBE)?

A

Enrolls the device as a join-work scenario.

19
Q

What is DEM?

A

A Device Enrollment Manager (DEM) account. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices. The DEM would enroll the device, log on to the Company Portal and install the apps required by the user.

20
Q

What is co-management?

A

Co-management enables you to concurrently manage Windows devices by using both Configuration Manager and Intune. It’s a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach.

21
Q

What do you use to make a provisioning package?

A

Windows Configuration Designer app

22
Q

How many devices can a DEM enroll?

A

1000

23
Q

What is Enterprise State Roaming?

A

Enterprise State Roaming defines which groups may sync settings and app data across devices.

24
Q

What is Fresh Start?

A

Fresh Start (Windows 10 and later only). Removes any apps that are installed on a PC. Fresh Start helps remove pre-installed (OEM) apps that are typically installed with a new PC.

25
Q

What is Retire?

A

Retire. Removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management.

26
Q

What is Wipe?

A

Wipe. Restores a device to its factory default settings. The user data is kept if you choose the Retain enrollment option.

27
Q

How do you create a device configuration profile?

A

In the Endpoint Manager admin center, select Devices, then select the Windows platform, then select Configuration Profiles.

Select Create Profile.

Enter the following properties:

Platform: Choose which versions of Windows to include.
Profile type: Select the type you want to create.

28
Q

What is a CSP?

A

Configuration Service Provider (CSP)

29
Q

How do you monitor device profiles?

A

In the Endpoint Manager admin center, select Devices.
On the Devices overview page, select Monitor, then select Assignment status.

30
Q

What is device sync?

A

The Sync device action forces the selected device to immediately check in with Intune. When a device checks in, it immediately receives any pending actions or policies that have been assigned to it.

31
Q

How do you view device sync status?

A

Devices > Monitor > Device actions

32
Q

What are configuration policies?

A

Commonly used to manage security settings and features on your devices, including access to company resources. Get started at Intune device profiles.

33
Q

What are device compliance policies?

A

Define the rules and settings that a device must comply with to be considered compliant by conditional access policies. You can also use compliance policies to monitor and remediate the compliance of devices independent of conditional access.

34
Q

What are conditional access policies?

A

Help secure email and other services, depending on conditions that you enter.

35
Q

What are corporate device enrollment policies?

A

Intune supports the enrollment of corporate-owned iOS devices using the Apple Device Enrollment Program (DEP) or the Apple Configurator tool running on a Mac computer.

36
Q

How many attempts does a device make if it does not check in with Intune?

A

3

37
Q

What does the Intune management extension do?

A

Lets you upload PowerShell scripts in Intune to run on Windows devices, as well as shell scripts for macOS.

38
Q

What are the Intune management extension requirements?

A

Windows

Version 1607 or later.

Devices must be joined to Azure AD, including Hybrid AD joined devices.

Devices are managed by Intune.

Automatic MDM enrollment must be enabled in Azure AD.

macOS

Version 10.12 or later.

Shell scripts begin with #! and must be in a valid location such as #!/bin/sh or #!/usr/bin/env zsh.

Command-line interpreters for the applicable shells are installed.

39
Q

What is a user profile?

A

A user profile is a set of files and folders. It is personal to each user who has signed in to the computer, and it’s stored in the Users folder.

40
Q

What is a default user profile?

A

A default profile is a pre-configured baseline profile, which contains all of the initial settings to be included, whenever a new profile is created.

41
Q

What are the four types of user profiles?

A

Local User Profile. This type is available on a single computer only.
Roaming User Profile. This type can roam between computers that are domain members.
Mandatory User Profile. This is a special type of pre-configured user profile that does not store user changes between sign-ins.
Temporary User Profiles. A temporary profile is issued each time that an error condition prevents the user’s profile from loading.

42
Q

What are the profile extensions for user profiles?

A

Windows 8.1 and Windows Server 2012 R2: V4

Windows 10, version 1607 and later, and Windows Server 2016 and later: V6

43
Q

What are quotas for user profiles?

A

An option to limit user profile sizes is to use quotas. You can use the same approach to limit the disk space that a user consumes in general, and it applies to limiting user profile sizes. You can set a disk quota on a local Windows volume by using volume properties.

44
Q

What is Folder Redirection?

A

Folder Redirection is a Group Policy setting that is most often used for configuring user profiles. Administrators can use Folder Redirection to redirect individual folders from a user profile to a new location.

45
Q

How many folders can be redirected?

A

13 folders

46
Q

What can Enterprise State Roaming do?

A

Enterprise State Roaming can sync only settings and not data.

47
Q

More on Enterprise State Roaming?

A

Enterprise State Roaming syncs settings across Azure AD joined devices and provides users with the same experience across their devices. Enterprise State Roaming provides the following benefits:

Enterprise State Roaming syncs only the state of business UWP apps.

48
Q

What does Azure Rights Management (Azure RMS) do?

A

Encrypt data settings

49
Q

How long is Enterprise State Roaming data kept for?

A

90 days

50
Q

More on ESR?

A

Enterprise State Roaming (ESR) does not provide a mechanism for synchronizing user files, such as documents and pictures.

51
Q

What does Microsoft Edge sync back up?

A

Favorites
Passwords
Form-fill
History
Open tabs (sessions)
Settings (preferences)
Extensions

52
Q

What is User Experience Virtualization (UE-V)?

A

User Experience Virtualization (UE-V) is a Windows Enterprise edition feature that enables the synchronization of operating-system settings, desktop-application settings, Microsoft Store app settings, network printers, and user credentials between Windows Enterprise edition computers in the same AD DS domain environment.

53
Q

How do you enable Enterprise State Roaming?

A

Azure Active Directory > Devices > Enterprise State Roaming
Select All or Selected next to "Users may sync settings and app data across devices".

54
Q

What type of data is backed up by ESR?

A

Theme, which includes features such as desktop theme and taskbar settings.
Internet Explorer settings, including recently opened tabs and favorites.
Passwords, including Internet passwords, Wi-Fi profiles, and others.
Language preferences, which include settings for keyboard layouts, system language, date and time, and more.
Ease of access features, such as high-contrast theme, Narrator, and Magnifier.
Other Windows settings, such as mouse settings.

55
Q

What is MAM?

A

Intune Mobile Application Management (MAM) refers to the suite of Intune management features you can use to publish, push, configure, secure, monitor, and update mobile apps for your users.

56
Q

What is Intune MDM + MAM?

A

IT administrators can only manage apps using MAM and app protection policies on devices that are enrolled with Intune MDM.

57
Q

What is MAM without device enrollment?

A

MAM without device enrollment (MAM-WE) allows IT administrators to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party Enterprise Mobility Management (EMM) providers. Also, apps can be managed by Intune on devices enrolled with third-party EMM providers or not enrolled with an MDM at all.

58
Q

Why are app protection policies important?

A

The important benefits of using app protection policies are:

Protecting your company data at the app level. Because mobile app management doesn’t require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.

End-user productivity isn’t affected, and policies don’t apply when using the app in a personal context. The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.

59
Q

What can you use to protect app data?

A

You can enable your apps to use app protection policies by using either the Intune App Wrapping Tool or the Intune App SDK.

60
Q

What is the Intune App Wrapping Tool?

A

The App Wrapping Tool is used primarily for internal line-of-business (LOB) apps. The tool is a command-line application that creates a wrapper around the app, which then allows the app to be managed by an Intune app protection policy.

61
Q

What is the Intune App SDK?

A

The Intune App SDK is designed mainly for customers who have apps in the Apple App Store or Google Play Store, and want to be able to manage the apps with Intune. However, any app can take advantage of integrating the SDK, even line-of-business apps.

62
Q

What are some app protection settings?

A

App protection policy settings include:

63
Q

What can’t you do on BYOD devices with app protection?

A

You can’t deploy apps to the device. The end user has to get the apps from the store.
You can’t provision certificate profiles on these devices.
You can’t provision company Wi-Fi and VPN settings on these devices.

64
Q

Where can you monitor app protection policies?

A

Azure portal

65
Q

What does the Intune Management Extension support?

A

Azure AD joined, hybrid domain joined, group policy enrolled devices are supported.

66
Q

What is the Windows Package Manager for?

A

Allows customers to install and manage private organization apps, as well as set up their own private repository.

67
Q

Note on the Microsoft Store for Business account

A

The Microsoft Store for Business account must be a global administrator in Azure AD.

68
Q

What tools can you use to deploy Office 365 apps?

A

Configuration Manager
The Office Deployment Tool
The Office Customization Tool
End-user installation

69
Q

What is WIP?

A

Windows Information Protection (WIP) is a set of technologies that protect your organization from accidental or malicious data leaks, without significant changes to your enterprise environment or apps. It provides this protection to both enterprise-owned devices and BYOD devices, and it does so without interfering with employees’ regular workflows.

70
Q

What is Azure RMS?

A

Azure Rights Management (Azure RMS), as a key part of Azure Information Protection, provides an IRM system that works with WIP to extend protection after data leaves a user’s device.

71
Q

What are the four WIP modes?

A

Block or Hide overrides

Prevents employees from performing data-sharing actions when blocked by the policy. In some Microsoft documentation, this is referred to as Hide overrides mode.

Allow overrides

Warns employees when they are performing a potentially risky action, but they can choose to complete the action. The action records to the audit log.

Silent

Works like Allow overrides mode, except that it only records any action that an employee can override to the audit log. Any action that would be blocked is still blocked.

Off

WIP is turned off and does not protect data.

72
Q

What is EFS?

A

EFS is a component of the NTFS file system, and it uses advanced, standard cryptographic algorithms to allow transparent file encryption and decryption.

EFS is based on user certificates, and their public and private keys. Without proper certificate management, you can easily get into a situation where encrypted data is not accessible.

You can issue EFS certificates only to individual users. You cannot issue EFS certificates to groups.

73
Q

EFS features on Windows 10?

A

Selective Wipe. A feature of Windows in a corporate environment is Selective Wipe. If a device is lost or stolen, an administrator can revoke the EFS key that was used to protect the files on the device. Revoking a key prevents all access to data files that are stored on a user’s device.

74
Q

What is MBAM?

A

As with any security technology that you implement, centralized management is recommended. You can centrally manage BitLocker by using Group Policy, but with limited functionality. Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go with full functionality. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:

75
Q

What is Microsoft Defender for Endpoint?

A

Microsoft Defender for Endpoint (formerly Windows Defender Advanced Threat Protection) is an additional cloud-based online service that assists organizations in detecting, investigating, and responding to advanced persistent threats. Windows Defender Advanced Threat Protection provides behavior-based advanced attack detection, a forensic timeline, and a unique threat intelligence knowledge base.

76
Q

Where can you find Microsoft Defender for Endpoint?

A

Microsoft 365 Security Center

77
Q

What is Windows Defender Device Guard?

A

Device Guard combines the features of Application Control with the ability to leverage the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. While WDAC doesn’t require specific hardware or software, enabling hypervisor-protected code integrity (HVCI) requires compatible hardware and drivers.

78
Q

What is Application Guard?

A

Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive.

79
Q

What is Exploit Guard?

A

Microsoft Defender Exploit Guard (formerly Windows Defender Exploit Guard) is a new set of host intrusion prevention capabilities for Windows, allowing you to manage and reduce the attack surface of apps used by your employees.

80
Q

What is Defender System Guard?

A

Windows uses a container type called Windows Defender System Guard to protect critical resources, such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module.

81
Q

What is Credential Guard?

A

Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

82
Q

Microsoft Defender Antivirus

A

Microsoft Defender Antivirus helps protect your computer from spyware, malware, and viruses. Microsoft Defender Antivirus is also Hyper-V-aware, which means that it detects if Windows is running as a virtual machine.

83
Q

Windows Hello note

A

Windows Hello for Business is an exclusive Windows 10 or later feature; it is not supported on earlier versions of Windows.

84
Q

What is Azure Identity Protection?

A

Azure AD Identity Protection is a Microsoft implementation of identity protection technology targeted at users of Microsoft 365 and other Microsoft cloud services. It’s a feature of the Azure AD Premium P2 license.

85
Q

What is RSA?

A

Azure AD Identity Protection is a Microsoft implementation of identity protection technology targeted at users of Microsoft 365 and other Microsoft cloud services. It’s a feature of the Azure AD Premium P2 license.

86
Q

What is RAS Gateway (single tenant)?

A

By using RAS Gateway, you can deploy VPN connections to provide end users with remote access to your organization’s network and resources. If your clients are running Windows 10 or later, you can deploy Always On VPN, which maintains a persistent connection between clients and your organization network whenever remote computers are connected to the internet.

87
Q

What is a Configuration Service Provider (CSP)?

A
88
Q

What is Always On VPN?

A

Always On VPN is exclusively a Windows 10 or later feature; devices using other platforms would need to use traditional client VPN solutions.

89
Q

Where can you define device compliance policies?

A

Device Security policy in Microsoft 365 or Device Compliance in Intune

90
Q

What are compliance rules?

A

Compliance policies define the rules and settings that should be configured on a device for it to be considered compliant. After you configure and deploy a compliance policy, you can monitor device compliance status, as well as individual devices that are configured in an expected way.

91
Q

Where are Intune device compliance policies?

A

Intune compliance policies are created in the Devices section of the Endpoint Manager admin center. The device compliance dashboard for monitoring can be found under Reports.

92
Q

What are the requirements for deploying compliance policies?

A

Before an organization can implement device compliance policies, it must first satisfy the following prerequisites:

It must be licensed for Azure AD Premium P1 or Azure AD Premium P2 and Intune. Both are part of Microsoft 365 or Enterprise Mobility + Security, but they can also be obtained separately.

Its devices run one of the following supported platforms:

Android
Android Enterprise
iOS/iPadOS
macOS
Windows 8.1 or later

Its devices must be enrolled in Intune to be eligible for compliance management.

93
Q

Where are compliance settings found in Intune?

A

Compliance policy settings can be found in the Endpoint Manager admin center, in Devices > Compliance policies.

94
Q

Conditional access

A

If the conditional access policy says that noncompliant devices can’t access a resource, the access request is denied.
If access is denied, the user is prompted to enroll the device and fix the compliance problems.

95
Q

What is conditional access?

A

A conditional access policy is a definition of an access scenario using the "When this happens, then do this" pattern.

96
Q

What is Desktop Analytics?

A

Desktop Analytics is a cloud-based service that collects application and hardware data from clients. It helps identify apps with known issues based on data from multiple sources, and provides recommended remediation or testing information, based on data from developers and deployment data from other customers. It provides a graphical representation of which devices are current and which need updates, and reports on the health of devices as well.

97
Q

What is Endpoint analytics?

A

Endpoint analytics is a cloud-based service that provides insights for measuring how your organization is working and the quality of the experience you’re delivering to your users. Endpoint analytics provides Windows 11 hardware readiness reports in the Work from Anywhere report.

98
Q

What is ACT?

A

Application Compatibility Toolkit (ACT) is a set of tools used during the inventory, analysis, and mitigation phases of the application compatibility testing process. ACT consists of several features, including:

99
Q

What is Delivery Optimization?

A

Delivery Optimization is a cloud-managed solution; therefore, access to the Delivery Optimization cloud service is a requirement. In addition, devices must have access to the internet to use the peer-to-peer functionality of Delivery Optimization.

100
Q

Network note on Delivery Optimization

A

By default in Windows 10 or later Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing only on the organization’s own network (specifically, all of the devices must be behind the same NAT). However, you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.

101
Q

What is Distributed Cache mode?

A

Distributed Cache mode. In Distributed Cache mode, each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. This is similar to the Delivery Optimization feature in Windows.

102
Q

What is Hosted Cache mode?

A

Hosted Cache mode. In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in their area. So rather than clients retrieving files from a latent source, the hosted cache server provides the content on their behalf.

103
Q

What is BranchCache?

A

BranchCache replicates files from a central location to a local device, such as a server. This enables clients to download locally hosted data instead of consuming WAN bandwidth.

104
Q

What is BITS?

A

Background Intelligent Transfer Service (BITS) is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares. BITS takes the cost of the transfer and the network usage into consideration so that the user’s foreground work has as little impact as possible.

105
Q

Note about install.wim

A

The Windows installation files include the default OS image, install.wim. This image is a basic OS image that contains a standard set of drivers. When you use the default OS image, configuring the OS and installing applications must be done separately and after the image is deployed.

106
Q

What is DISM?

A

Configurations and applications can be included in custom images. Tools such as Deployment Image Servicing and Management (DISM.exe) can be used to service and prepare Windows images. DISM is a command-line tool that can capture the image of a reference computer with the desired OS, settings, and applications. DISM can also be used to mount the image and make modifications.

107
Q

What is Sysprep?

A

Sysprep is then used to generalize the image prior to deployment. Before you can deploy a Windows image to new PCs, you have to first generalize the image. This process removes computer-specific information such as installed drivers and the computer security identifier (SID). Generalizing the image makes it ready for deployment.

108
Q

What is MDT?

A

The Microsoft Deployment Toolkit (MDT) is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today.

109
Q

What are boot images?

A

Boot images are the Windows PE images that start the OS deployment.

110
Q

Task sequence?

A

Task Sequences. Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are in the Templates folder in the MDT installation directory, and they define the default actions in the sequence. You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions include:

Gather. Reads configuration settings from the deployment server.
Format and Partition. Creates the partition(s) and formats them.
Inject Drivers. Determines which drivers the machine needs and downloads them from the central driver repository.
Apply Operating System.
Windows Update. Connects to a WSUS server and updates the machine.

111
Q

What do you use to deploy Windows 10 and later images?

A

Use the Deployment Workbench to create and deploy Windows 10 or later images.
The Deployment Workbench is where you store your default image.

112
Q

More on task sequences?

A

A task sequence is a sequential set of steps that reference various components imported into MDT up to this point (OS images, applications, etc.). When you create these using the MDT wizard, you are presented with various templates to help with each scenario. For this lesson, we’ll focus on a deployment task sequence.

113
Q

More on task sequences (2)?

A

Gather. Collects information locally and stores it as variables for use during the task sequence.
Format and Partition Disk. Formats and creates an appropriate disk layout for the target endpoint.
Apply OS Image. Applies a standard Windows image or a custom *.WIM file from a previously run capture process.
Inject Drivers. Allows specific drivers to be applied to certain target devices.
Install Applications. Allows for an application imported in MDT to be installed sequentially.

114
Q

Unattend.xml?

A

When capturing and deploying Windows, be sure to familiarize yourself with the Unattend.xml file. This helps the Windows installation move through the various passes and applies any relevant customization. System Image Manager helps you review and showcase answer files for Windows.

115
Q

Microsoft management tools

A

The following Microsoft management solutions are all now part of Microsoft Endpoint Manager:

Configuration Manager
Microsoft Intune
Desktop Analytics
Windows Autopilot
Other features in the Device Management Admin console

116
Q

How can you start OS images?

A

Boot images are Windows Preinstallation Environment (Windows PE) images that are used to start a Windows deployment. You can start boot images from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server.

117
Q

x86 versus x64

A

The architecture of the boot image must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image.

118
Q

Upgrade info?

A

32-bit OS. You can’t use an in-place upgrade to upgrade a 32-bit operating system to 64-bit Windows.

119
Q

What can you do with Autopilot?

A

Join devices to Azure AD automatically.
Auto-enroll your users’ devices into MDM services.
Restrict the creation of the Administrator account.
Customize the OOBE content specifically to your organization

120
Q

note of hardware file

A

When you purchase new devices, the hardware vendor can upload device specific information on your behalf. If you want to use Windows Autopilot to deploy devices that your company already owns, you can transfer device specific information to a comma-separated value (CSV) file by running a Windows PowerShell script and then uploading the CSV file to Microsoft Intune or Microsoft Store for Business.

121
Q

where can you manage auto pilot

A

Microsoft Store for Business or Endpoint Manager admin center

122
Q

what are the auto pilot requirements

A

Devices must have Windows 10 or Windows 11 preinstalled
Windows Pro, Enterprise, or Education. Windows Autopilot can’t deploy Windows Home or an operating system that is older than Creators Update (version 1703)
Organization must be using Azure AD
Intune or Microsoft Store for Business.

123
Q

how do you manage windows with autopilot

A

On the Azure Active Directory blade, select Mobility (MDM and MAM), and then in the details pane, select Microsoft Intune.

124
Q

note about OOBE

A

An employee who completes the OOBE also becomes a member of the local Administrators group, which can cause many problems.

125
Q

What are the types of autopilot deployment schemes

A

Windows Autopilot user-driven mode
Windows Autopilot self-deploying mode
Autopilot for existing devices
Windows Autopilot for pre-provisioned deployment
Windows Autopilot reset

126
Q

how do you configure user driven auto pilot

A

Users must be able to join Azure AD.
If using Intune (and not Microsoft Store for Business), user-driven mode must be selected in the Autopilot profile assigned to the device. The Autopilot profile must also be assigned to an Azure AD device group.
The device must be added to Windows Autopilot and a profile must be assigned to the device.

127
Q

user driven with hybrid aad requirements

A

The device must be running Windows 1809 or later.
Hybrid Azure AD joined must be specified as the selected option under Join to Azure AD as in the Autopilot profile.
The device must be able to access the internet and an Active Directory domain controller.
The Intune Connector for Active Directory must be installed (this performs the on-prem AD join instead of requiring user permission to join).

128
Q

what is self deploying mode autopilot ?

A

Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction, achieving a ZTI experience with all OOBE prompts pre-configured. The enrollment status page will display while the device is being configured, and then the computer will either complete and display the sign-in screen, ready for Azure AD credentials, or, if the device is configured as a kiosk device, automatically sign in by using a locally configured account.

129
Q

requirements for self deploying mode

A

Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. Note that this mode is not available using the Microsoft Store for Business.
Ensure that the profile has been assigned to the device before attempting to deploy that device.
Self-deploying mode requires devices with TPM 2.0 and Windows 10 version 1903 or later.

130
Q

note on preprovisioned auto pilot

A

Pre-provisioned deployment requires Windows 1903 or later and an Intune subscription. The device must also support TPM 2.0 and device attestation; virtual machines are not supported. Access to the on-prem domain is not required in the pre-provision process. Internet connectivity (or connectivity to a domain controller if using Hybrid Azure AD join) is required during the final user process.

131
Q

Windows autopilot reset?

A

Windows Autopilot Reset enables you to achieve this goal without redeploying a Windows image. It removes all personal files, apps, and settings, and it resets a Windows device to its initial state from the lock screen. It can also deploy organizational apps and settings by using Intune or another MDM solution so that a device is ready to use after the Windows Autopilot Reset.

132
Q

dynamic provisioning

A

Dynamic provisioning uses a number of transforms to achieve this objective.

Windows 10 Subscription Activation. With Windows Subscription Activation, users of Windows Pro can upgrade to Windows Enterprise without needing to enter a product key, nor perform a restart.
Provisioning package configuration. By using Windows Configuration Designer, you can create configuration packages that you can deploy to users’ devices that can be used to configure apps and settings on those devices.
Azure AD join with automatic MDM enrollment. Using Azure AD join with automatic MDM enrollment, users enter their work or school account details and their device is automatically joined to Azure AD and enrolled in MDM. The user’s device is then configured per the organization’s MDM policies.

133
Q

volume licensing model

A

Key Management Service (KMS). This is a role service that you can use to activate systems within your network from a computer where a KMS host has been installed. By default, volume editions of Windows connect to a system that hosts the KMS service to request activation. No action is required from users.
Multiple Activation Key (MAK). This method of activation uses product keys that can activate a specific number of computers. You can use MAKs to activate any Windows volume edition.
Active Directory-based activation. This is a role service that allows you to use AD DS to store activation objects, which can help simplify the maintenance of volume activation services for a network. When you use Active Directory-based activation, you do not need a host server, as in KMS, and activation requests process during client computer startup.

134
Q

converting from pro to enterprise via the cloud

A

Enabling Subscription Activation with an existing Enterprise Agreement (EA). If you are an existing EA customer, you can get Windows Enterprise E3 or E5 licenses for free, depending on your EA.
Enabling Subscription Activation without an existing EA. You must purchase the licenses from a cloud solution provider (CSP) before you can assign them.

135
Q

what are the activation requirements

A

Subscription Activation requirements
To implement Subscription Activation, your organization must meet the following requirements:

Windows Pro/Pro Education/Enterprise/Education is installed and activated on the devices you want to upgrade.
An instance of Azure AD is available for identity management.
Devices to upgrade are either Azure AD-joined or Hybrid Azure AD-joined.
For education, the Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license or a Windows Enterprise or Education subscription.

136
Q

what and how do you deploy provisioning packs

A

A provisioning package is a method of applying configuration settings to a Windows 10 or later device using either removable media or downloaded directly to the device. They are created using a graphical tool called Windows Configuration Designer (WCD). Similar to the concept of group policies, Administrators use WCD to select options for a specific configuration. WCD then exports a package file containing the settings that can be applied to a Windows 10 or Windows 11 device.

137
Q

how do you run provisioning packs

A

You apply the provisioning package by running the .ppkg file, by adding the provisioning package in the Settings app, or by running the Add-ProvisioningPackage Windows PowerShell cmdlet.

138
Q

requirements for using azure ad/mdm

A

Using Azure AD/MDM, you can:

Join devices to Azure AD automatically
Auto-enroll your users’ devices into MDM services
Configure the joined devices by using MDM policies
The requirements for implementing the Azure AD/MDM deployment model are:

Windows 10/11 Pro or Enterprise edition
An instance of Azure AD for identity management
An appropriate MDM, such as Microsoft Intune

139
Q

how do you enable co - management

A

To enable co-management for your on-premises Active Directory devices, you must configure your devices as hybrid Azure AD joined devices.

140
Q

requirements for co management

A

You are running an up-to-date version of Azure AD connect. Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. Azure AD Connect has synchronized the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), then these OUs need to be configured for synchronization in Azure AD Connect as well.
Intune MDM must be set up and configured for automatic enrollment.
Microsoft Endpoint Manager is installed.
Active Directory joined devices are using Windows 10 version 1709 or later. We recommend that you always use the latest version of Windows so that you get the newest advances in terms of security, Azure AD, and Intune features.
Azure AD automatic enrollment is enabled.

141
Q

what is hybrid AD joined

A

Hybrid Azure AD join is a process meant to automatically register your on-premises domain-joined devices with Azure AD. There are cases, though, where you do not want all your devices to register automatically.

142
Q

what can you do once you join devices in hybrid AD

A

Factory reset
Selective wipe
Delete devices
Restart device
Fresh start

143
Q

upgrading

A

Modern methods do require that Windows 10 or Windows 11 be installed on the target device. For devices still running Windows 7 or 8.1, the in-place upgrade method is recommended (in-place upgrade is examined in the next unit). For devices running another operating system or no operating system, traditional methods must be used. But once the device has Windows 10 or Windows 11 installed, there are few reasons to continue using traditional methods such as imaging. Even for new devices, which typically come with some edition of Windows 10 or Windows 11, imaging isn’t necessary to transform the OS to the desired edition and configuration.

144
Q

what is Windows 365

A

A cloud-based service that automatically creates a new type of Windows virtual machine (Cloud PCs) for your end users. Each Cloud PC is assigned to an individual user and is their dedicated Windows device.

Windows 365 is available in two editions:

Windows 365 Business: Windows 365 Business is made specifically for use in smaller companies (up to 300 seats) who want ready-to-use Cloud PCs with simple management options. There are no licensing prerequisites to set up Windows 365 Business. There are no dependencies on Azure or Active Directory. Purchases are made through the Microsoft 365 admin center or the Windows 365 product site.
Windows 365 Enterprise: Windows 365 Enterprise is for larger companies who want unlimited seats for creating Cloud PCs. It includes options to create custom Cloud PCs based on your created device images, more management options, and full integration with Microsoft Endpoint Manager. It leverages Azure AD and AD DS domains.

145
Q

Quality Updates

A

Quality updates. Provide reliability and security updates and fixes, usually at least once a month. Each month, a cumulative update is released which supersedes all previous updates. This helps to ensure that organizations’ devices more closely align to those used for testing at Microsoft.

146
Q

Feature updates

A

Feature updates. Adds new functionality annually. Microsoft aims to package new features into annual updates that can be readily deployed using existing management tools. Because the updates are delivered using the same method as quality updates, deployment is considerably easier. Consequently, the workload and cost effect on organizations is reduced. OS upgrades are also now delivered through this method, such as upgrading from Windows 10 to Windows 11.

147
Q

What is Windows Insider Program?

A

Windows Insider Program. Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. Within the Windows Insider Program, there are three options:

Dev Channel
Beta Channel
Release Preview

148
Q

What is General Availability Channel ?

A

General Availability Channel. This is the channel most devices will typically be assigned to. Computers configured in the General Availability Channel receive updates as soon as Microsoft publishes them (if no deferral is configured).

149
Q

What is Long-Term Servicing Channel?

A

Long-Term Servicing Channel. For computers and other devices that perform a single task or a number of specialized tasks, the long-term servicing channel prevents configured devices from receiving feature updates; delivery of quality updates isn’t affected.

150
Q

note about LTSC

A

The Long-term Servicing Channel is available only in the Windows 10/11 Enterprise LTSC edition.

151
Q

NOTE ABOUT UPDATES

A

You can defer feature updates up to 365 days and quality updates up to 30 days.

152
Q

What is windows update for Business

A

Windows Update for Business is a new service introduced with Windows. With Windows Update for Business, you can use Group Policy or Intune configuration profiles to configure Windows Update to control the distribution and deployment of Windows updates. Windows Update for Business has the following features:

Internal deployment groups. With this feature, administrators can specify which Windows devices will receive upgrades and updates first, and when to update the remaining devices.
Maintenance windows. With this feature, administrators can specify when updates will and will not occur.
Peer-to-peer delivery. Windows devices don’t need to receive updates from Windows Update or a local server. With this feature, administrators can enable peer-to-peer delivery of updates to optimize updates delivery to branch offices and remote sites with limited bandwidth.
Integrates with existing tools. Windows Update for Business is compatible with WSUS, Configuration Manager, and Intune.
Support for Semi-Annual Channel. You can only use Semi-Annual Channel with Windows Update for Business.
Test upgrades. You have an additional three months of time to test upgrades before you deploy to your users’ Windows devices.

153
Q

what are the types of updates that windows update for business offers?

A

Feature Updates. These updates include security and quality revisions, and feature additions and changes. They’re released approximately every 4 to 8 months.
Quality Updates. These operating system updates typically are released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Updates to other Microsoft products (such as those for Microsoft Office or Microsoft Visual Studio) are also treated as Quality Updates.
Non-deferrable updates. Anti-malware and anti-spyware definition updates from Windows Update are mandatory and cannot be deferred.

154
Q

note of windows update for business

A

Configure when devices receive Feature and Quality Updates. You can defer the application of both Feature and Quality updates. For Feature Updates, you can configure the deferral for up to 365 days. For Quality Updates, it’s a maximum of 35 days.