Your network contains an Active Directory domain. The domain contains computers that run Windows 10.
All users use Roaming User Profiles.
You have a user named Public1 that is used to sign in to a public computer.
You need to prevent changes to the user settings of Public1 from being saved to the user profile.
What should you do?
Answer:
C
User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from NTuser.dat to NTuser.man. The .man extension causes the user profile to be a read-only profile.
Reference:
https://docs.microsoft.com/en-us/windows/client-management/mandatory-user-profile
You have a hybrid deployment of Azure Active Directory (Azure AD) that contains 50 Windows 10 devices. All the devices are enrolled in Microsoft Endpoint Manager.
You discover that Group Policy settings override the settings configured in Microsoft Endpoint Manager policies.
You need to ensure that the settings configured in Microsoft Endpoint Manager override the Group Policy settings.
What should you do?
Answer:
C
Creating the policy -
Let's create a new policy in Intune to control the GP vs. MDM winner
1. Navigate to portal.azure.com and locate Intune
2. Select "Device configuration > Profiles > Create profile"
3. Under Platform select Windows 10 and later
4. Under Profile type select "custom" and "add"
5. Name the custom setting with something intuitive
6. For OMA-URI add the policy OMA-URI string: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
7. For Data type select Integer and add the number
Note: The following describes which policy wins according to Windows 10 version.
In Windows 10 versions 1709 and earlier, Group Policy will override MDM policies, even if an identical policy is configured in MDM.
In Windows 10 version 1803 and beyond, there is a new Policy CSP (configuration service provider) setting called ControlPolicyConflict that includes the policy MDMWinsOverGP, where the preference of which policy wins can be controlled, i.e. Microsoft Intune MDM policy.
Note 2: The ControlPolicyConflict policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
Reference:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict
https://uem4all.com/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/
You have computers that run Windows 10, are joined to Azure Active Directory (Azure AD), and are enrolled in Microsoft Intune.
You have an Azure web app named App1. App1 only allows connections over HTTPS. App1 uses a certificate from an on-premises certification authority (CA).
You need to ensure that the computers can connect to App1 from Microsoft Edge.
Which type of device configuration profile should you create in Microsoft Endpoint Manager?
Answer:
B
Intune supports use of the Simple Certificate Enrollment Protocol (SCEP) to authenticate connections to your apps and corporate resources.
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
HOTSPOT -
You have a computer named Computer1 that runs Windows 10.
The Wi-Fi network profile for Computer1 is configured as shown in the following exhibit.
From which computers will Computer1 receive updates and to which computers will Computer1 provide updates? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
HOTSPOT -
You have a Microsoft 365 tenant named contoso.com that contains a group named ContosoUsers. All the users in contoso.com are members of ContosoUsers.
You have two Windows 10 devices as shown in the following table.
Both Computer1 and Computer2 contain two apps named App1 and App2.
You configure an app protection policy named AppPolicy1 that has the following settings:
✑ Protected apps: App1
✑ Assignments: ContosoUsers
✑ Enrollment state: Without enrollment
✑ Windows Information Protection mode: Block
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/windows-information-protection-policy-create
https://docs.microsoft.com/en-us/mem/intune/apps/apps-selective-wipe
HOTSPOT -
You have devices that are not rooted and that are enrolled in Microsoft Intune, as shown in the following table.
The devices are members of a group named Group1.
In Intune, you create a device compliance location that has the following configurations:
✑ Name: Network1
✑ IPv4 range: 192.168.0.0/16
In Intune, you create a device compliance policy for the Android platform. The policy has the following configurations:
✑ Name: Policy1
✑ Device health: Rooted devices: Block
✑ Locations: Location: Network1
✑ Mark device noncompliant: Immediately
✑ Assigned: Group1
The Intune device compliance policy has the following configurations:
✑ Mark devices with no compliance policy assigned as: Compliant
✑ Enhanced jailbreak detection: Enabled
✑ Compliance status validity period (days): 20
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/intune/device-compliance-get-started
You have an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant contains Windows 10 devices that are enrolled in Microsoft Intune.
You create an Azure Log Analytics workspace and add the Update Compliance Solution to the workspace.
You need to create a custom device configuration profile that will enroll the Windows 10 devices in Update Compliance.
Which OMA-URI should you add to the profile?
Answer:
B
Deploy Commercial ID to Windows devices
Besides enabling Windows Telemetry, you will also need to configure the Commercial ID on all your Windows devices. For this we will use the following OMA-URI (Open Mobile Alliance Uniform Resource Identifier) configuration:
Reference:
https://allthingscloud.blog/monitor-windows-10-updates-for-intune-mdm-enrolled-devices/
HOTSPOT -
You have 100 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
You need to configure the following device restrictions:
✑ Block users from browsing to suspicious websites.
✑ Scan all scripts loaded into Microsoft Edge.
Which two settings should you configure in Device restrictions? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: Windows Defender SmartScreen
Block users from browsing to suspicious websites.
Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
Microsoft Defender SmartScreen determines whether a site is potentially malicious
Box 2: Windows Defender Antivirus
Scan all scripts loaded into Microsoft Edge.
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
HOTSPOT -
You have computers that run Windows 10 as shown in the following table.
Computer2 and Computer3 are enrolled in Microsoft Intune.
In a Group Policy object (GPO) linked to the domain, you enable the Computer Configuration/Administrative Templates/Windows Components/Search/Allow Cortana setting.
In an Intune device configuration profile that is assigned to an Azure Active Directory group that includes Computer2 and Computer3, you configure the following:
✑ Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP to a value of 1
✑ Experience/AllowCortana to a value of 0
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/
Your company plans to deploy Windows 10 to devices that will be configured for English use and other devices that will be configured for Korean use.
You need to create a single multivariant provisioning package for the planned devices.
You create the provisioning package.
What should you do next to add the language settings to the package?
Answer:
A
Follow these steps to create a provisioning package with multivariant capabilities.
1. Build a provisioning package and configure the customizations you want to apply during certain conditions.
2. After you've configured the settings, save the project.
3. Open the project folder and copy the customizations.xml file to any local location.
4. Use an XML or text editor to open the customizations.xml file.
5. Edit the customizations.xml file to create a Targets section to describe the conditions that will handle your multivariant settings.
6. In the customizations.xml file, create a Variant section for the settings you need to customize.
7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
8. Use the Windows Configuration Designer command-line interface to create a provisioning package using the updated customizations.xml.
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-multivariant