HOTSPOT -
You use Microsoft Endpoint Manager to manage Windows 10 devices.
You are designing a reporting solution that will provide reports on the following:
✑ Compliance policy trends
✑ Trends in device and user enrolment
✑ App and operating system version breakdowns of mobile devices
You need to recommend a data source and a data visualization tool for the design.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: The Microsoft Intune Data Warehouse
Use the Intune Data Warehouse to build reports that provide insight into your enterprise mobile environment. For example, some of the reports include:
Trend of users enrolling in Intune so you can optimize your license purchases
App and OS versions breakdown so you can review that status of mobile devices
Enrollment and device compliance trends so you can smoothly roll out policy updates.
Box 2: Microsoft Power BI -
You can use the Power BI Compliance app to load interactive, dynamically generated reports for your Intune tenant. Additionally, you can load your tenant data in
Power BI using the OData link. Intune provides connection settings to your tenant so that you can view the following sample reports and charts related to:
Devices -
Enrollment -
App protection policy -
Compliance policy -
Device configuration profiles -
Software updates -
Device inventory logs -
Reference:
https://docs.microsoft.com/en-us/mem/intune/developer/reports-nav-create-intune-reports https://docs.microsoft.com/en-us/mem/intune/developer/reports-proc-get-a-link-powerbi
HOTSPOT -
In Microsoft Intune, you have the device compliance policies shown in the following table.
The Intune compliance policy settings are configured as shown in the following exhibit.
On June 1, you enroll Windows 10 devices in Intune as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: No -
Policy1 requires encryption, but on June 4 Device1 is configured with No Drive Encryption, so it is not compliant.
Box 2: No -
Policy1 requires encryption, but on June 6 Device1 is configured with No Drive Encryption, so it is not compliant.
Box 3: Yes -
Both Policy2 and Policy3 applies to Device2. Policy3, which is the most restrictive applies, which result in Mark device as not compliant = 10 days.
Note: If you have deployed multiple compliance policies, Intune uses the most restrictive of these policies.
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#how-intune-resolves-policy-conflicts
HOTSPOT -
You have a Microsoft Intune subscription.
You create the Windows Autopilot deployment profile-shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven
You need to assign the same deployment profile to all the computers that are configured by using Windows Autopilot.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer:
BF
B: It is possibly to automatically assign a Windows AutoPilot deployment profile to Windows AutoPilot devices. That makes it a lot easier for administrators, as this prevents the administrators from potentially forgetting to assign the deployment profile to newly imported devices.
F: ZTDId: A unique value assigned to all imported Windows AutoPilot devices.
Reference:
https://www.petervanderwoude.nl/post/automatically-assign-windows-autopilot-deployment-profile-to-windows-autopilot-devices/
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have computers that run Windows 10. The computers are joined to Azure AD and managed by using Microsoft Intune.
You need to ensure that you can centrally monitor the computers by using Windows Analytics.
What should you create in Intune?
Answer:
A
To configure the setting go to Device configuration ג€" Profiles > Device Restriction ג€" Properties > Device restrictions > Reporting and Telemetry.
Reference:
https://www.scconfigmgr.com/2019/03/27/windows-analytics-onboarding-with-intune/
HOTSPOT -
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
You need to set a custom image as the wallpaper and sign-in screen.
Which two settings should you configure in Device restrictions? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Sign-in screen, or Locked screen, image is set under Locked screen experience
Wallpaper image, or Desktop background picture, URL is set under Personalization.
Reference:
https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have computers that run Windows 10. The computers are joined to Azure AD and managed by using Microsoft Intune.
You need to ensure that you can centrally monitor the computers by using the Update Compliance solution.
What should you create in Intune?
Answer:
A
With CommercialID in hand, you're ready to go to the MEM admin center portal and start putting your keyboard to work making a custom OMA-URI device configuration profile to enable Update Compliance settings. You're going to need a total of four custom policy settings to configure devices to play nice with
Update Compliance -
Reference:
https://www.jeffgilb.com/update-compliance-with-intune/
HOTSPOT -
You have a Microsoft Intune subscription that has the following device compliance policy settings:
✑ Mark devices with no compliance policy assigned as: Compliant
✑ Compliance status validity period (days): 14
On January 1, you enroll Windows 10 devices in Intune as shown in the following table.
On January 4, you create the following two device compliance policies:
✑ Name: Policy1
✑ Platform: Windows 10 and later
✑ Require BitLocker: Require
✑ Mark device noncompliant: 5 days after noncompliance
✑ Scope (Tags): Tag1
✑ Name: Policy2
✑ Platform: Windows 10 and later
✑ Firewall: Require
✑ Mark device noncompliant: Immediately
✑ Scope (Tags): Tag2
On January 5, you assign Policy1 and Policy2 to Group1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: No.
Policy1 and Policy2 apply to Group1 which Device1 is a member of. Device1 does not meet the firewall requirement in Policy2 so the device will immediately be marked as non-compliant.
Box 2: No -
For the same reason as Box1.
Box 3: Yes -
Policy1 and Policy2 apply to Group1. Device2 is not a member of Group1 so the policies don't apply.
The Scope (tags) have nothing to do with whether the policy is applied or not. The tags are used in RBAC.
HOTSPOT -
You have 100 Windows 10 devices that are managed by using Microsoft Endpoint Manager.
You plan to sideload an app to the devices.
You need to configure Microsoft Endpoint Manager to enable sideloading.
Which device profile type and setting should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: Device restrictions -
In a Windows 10/11 device restrictions profile, most configurable settings are deployed at the device level using device groups. Policies deployed to user groups apply to targeted users. The policies also apply to users who have an Intune license, and users that sign in to that device.
Box 2: Trusted app installation -
Trusted app installation: Choose if non-Microsoft Store apps can be installed, also known as sideloading. Sideloading is installing, and then running or testing an app that isn't certified by the Microsoft Store. For example, an app that is internal to your company only.
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and Windows 10 Pro devices.
From Microsoft Intune, you create a device configuration profile named Profile1.
You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.
Solution: You create a scope tag, and then you add the scope tag to the Windows 10 Enterprise devices and Profile1.
Does this meet the goal?
Answer:
B
Instead: You configure an applicability rule for Profile1. You assign Profile1 to Group1.
Note: Applicability rules allow administrators to target devices in a group that meet specific criteria. For example, you create a device restrictions profile that applies to the All Windows 10/11 devices group. And, you only want the profile assigned to devices running Windows Enterprise.
To do this task, create an applicability rule.
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
