Exam MD-102 - All Questions
Question 1

HOTSPOT

Case study

Overview

ADatum Corporation is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

ADatum has a Microsoft 365 E5 subscription.

Environment

Network Environment

The network contains an on-premises Active Directory domain named adatum.com. The domain contains the servers shown in the following table.

ADatum has a hybrid Azure AD tenant named adatum.com.

Users and Groups

The adatum.com tenant contains the users shown in the following table.

All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.

Enterprise State Roaming is enabled for Group1 and GroupA.

Group1 and Group2 have a Membership type of Assigned.

Devices

ADatum has the Windows 10 devices shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.

The Windows 10 devices are configured as shown in the following table.

All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.

Microsoft Intune Configuration

Microsoft Intune has the compliance policies shown in the following table.

The Automatic Enrollment settings have the following configurations:

MDM user scope: GroupA

MAM user scope: GroupB

You have an Endpoint protection configuration profile that has the following Controlled folder access settings:

Name: Protection1

Folder protection: Enable

List of apps that have access to protected folders: C:\*\AppA.exe

List of additional folders that need to be protected: D:\Folder1

Assignments:

Included groups: Group2, GroupB

Windows Autopilot Configuration

ADatum has a Windows Autopilot deployment profile configured as shown in the following exhibit.

Currently, there are no devices deployed by using Windows Autopilot.

The Intune connector for Active Directory is installed on Server1.

Requirements

Planned Changes

ADatum plans to implement the following changes:

Purchase a new Windows 10 device named Device6 and enroll the device in Intune

New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.

Deploy a network boundary configuration profile that will have the following settings:

Name: Boundary1

Network boundary: 192.168.1.0/24

Scope tags: Tag1

Assignments:

Included groups: Group1, Group2

Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:

Name: Connection1

Connection name: VPN1

Connection type: L2TP

Assignments:

Included groups: Group1, Group2, GroupA

Excluded groups: --

Name: Connection2

Connection name: VPN2

Connection type: IKEv2

Assignments:

Included groups: GroupA

Excluded groups: GroupB

Technical Requirements

ADatum must meet the following technical requirements:

Users in GroupA must be able to deploy new computers.

Administrative effort must be minimized.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Discussion
volto

1. No - only C:\*\AppA.exe can create a file in this folder. 2. Yes - Local administrators can delete the folder from the protected folders list. 3. No - Global Reader doesn't have privileges to run something on enrolled computers.

Futfuyfyjfj

The global reader could sign in to a device and, according to the Autopilot profile, he will be a standard user locally. However, being a standard user still allows opening a non-elevated PS window and creating a file; tested this, so should be NYY.

FAlien

No, User3 cannot create a file on the desktop. The question states that the file is created with a PowerShell script. You can only run a PowerShell script after the execution policy is changed from Restricted to something else.

prBo

Why does the MAM policy apply here?

deit

I think it's 1. No - only C:\*\AppA.exe can create a file in this folder. 2. Yes - Local administrators can delete the folder from the protected folders list. 3. Yes - Desktop is not a folder protected by default. The user can log in to the computer and create files on his desktop.

Futfuyfyjfj

I tested this; my situation was not 100% equal, but this seems to be right. With non-elevated PS I could create a txt file.

NoursBear

Not with a PowerShell script he can't, because of the execution policy. He can however run a PowerShell command from the prompt to create a file or a directory etc.

Merrybob

No - A Cloud Device Administrator doesn't have local admin rights. Without local admin rights no one can make a change to the folder in question except for C:\*\AppA.exe. Yes - Tried this on my laptop and it allows me to delete the folder and enable/disable the Controlled Folder feature if needed. No - Cannot run a script as a Global Reader. Need the execution policy enabled to be able to do that.

OyYaGotta

They don't need local rights. They are removing the app from the list in Intune, not on a client computer. This whole question is horrendous and doesn't teach anyone anything. It's a trick all the way. You would never come across the need to work this out in a real work scenario.

AlSuds

I'm pretty sure it's N, N, and N. 2. is tricky because User is a local admin and can remove the folder - but cannot remove the policy to 'remove folder from the protected list'. 3. is tricky too, Restricted Execution Policy allows an interactive PS console session (and the user can quite happily create a .txt file on their own desktop) - but Restricted never allows a user to run a PS script. Answer must be No.

lucianosesantos

I think it's 1. No - only C:\*\AppA.exe can create a file in this folder. 2. No - Local administrators can delete the folder from the protected folders list. 3. Yes - Desktop is not a folder protected by default. User can log in to computer and create I agree with @majerzg 2. The question is: User2 can remove D:\Folder1 from the list of protected folders, not - he can remove it from the disk on Device2.

MR_Eliot

Well, based on my testing the correct answers are: - YES (the setting in the ASR policy is only for adding additional trusted programs. Notepad is already trusted by Microsoft. So the answer is YES.) - YES (Same as before, only custom scripts and programs are prevented from removing files. Explorer.exe is trusted, so the answer is YES.) - YES (the desktop folder is not a system folder like Pictures, Music, Video and Documents. In case this folder needs more protection it should be added in the ASR policy.)

MR_Eliot

Second one should be NO. Third one should be NO as well, because execution policy is enabled by default.

OyYaGotta

- NO - ASR is a disaster recovery service. Nothing to do with this question. You are confusing it with App Protection Policy... which is also incorrect as this is Folder Protection. The app list is one app. Notepad is NOT on the list. Yes - User2 has admin rights to change desktop storage options. NO - Global reader can read... nothing else. ASR has, again, nothing to do with the user's role rights.

MrBigglou

Team - Is this exam/questions still relevant as I understand it was a beta?

iTomi

Yes it is. I took the test a few days ago and this question was there.

SK_DT

Out of date

majerzg

2. The question is: user2 can remove D:\Folder1 from the list of protected folders, not - he can remove it from the disk on Device2.

kiik32

1. Yes, Notepad is a trusted app by default; I tested this with a role-less user. 2. Yes. 3. Yes, tested as well.

kiik32

3. Yes, you don't need a role to create files in unprotected folders from a non-elevated PowerShell script.

cruzi

Device4 is a member of Group2 and subject to the Endpoint protection configuration profile Protection1. Protection1 enables folder protection for D:\Folder1. Notepad.exe does not have access to D:\Folder1 and cannot save files in the folder. Device2 is a member of Group1 and Group2 and subject to the Endpoint protection configuration profile Protection1. Protection1 enables folder protection for D:\Folder1. The protection cannot be removed by a local administrator. User3 can create a file on his personal desktop using PowerShell, File Explorer, or any other suitable method. 1. No 2. No 3. Yes
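The thread argues about three things that can be read directly off a device like Device2 or Device4 instead of guessed: the Controlled folder access mode and its folder and app lists, the execution policy per scope, and what Defender actually blocked. The following is an added check, not code from any poster; it assumes Microsoft Defender Antivirus is the active engine and that the session is elevated.

```powershell
# Added example (not from the discussion): read what Controlled folder access
# and the PowerShell execution policy enforce on an Intune-enrolled device.
# Assumes Microsoft Defender Antivirus is active and the session is elevated.

$pref = Get-MpPreference

# EnableControlledFolderAccess: 0=Disabled 1=Block 2=Audit
#   3=BlockDiskModificationOnly 4=AuditDiskModificationOnly
$cfaMode = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'
              3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }
"Controlled folder access mode : $($cfaMode[[int]$pref.EnableControlledFolderAccess])"

# Folders added on top of the built-in protected set (Documents, Pictures, ...).
# Desktop is not in the built-in set, which is the crux of item 3 in the thread.
"Additional protected folders  : $($pref.ControlledFolderAccessProtectedFolders -join ', ')"

# Apps the policy trusts. Wildcards such as C:\*\AppA.exe are valid entries here.
"Allowed applications          : $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# Is D:\Folder1 (the folder from the case study) actually covered by the list?
$target  = 'D:\Folder1'
$covered = $pref.ControlledFolderAccessProtectedFolders | Where-Object { $_ -ieq $target }
"$target protected by policy   : $([bool]$covered)"

# Execution policy per scope. Restricted blocks .ps1 files but not commands typed
# at an interactive prompt, the distinction several posters draw for item 3.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Recent Controlled folder access events: 1123 = blocked, 1124 = audited.
# This is the evidence a defender uses to confirm what was denied and to whom.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

When the lists are delivered by an Intune profile, the Intune-assigned values appear in the same properties; a local Set-MpPreference change may take effect until the next policy sync reapplies the managed value, which is the point the thread disputes for item 2.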

zaheer_n

Is this still valid?

Tonsku

N,Y,N User1: groupA User2: groupB User3: GroupA, groupB Device4: AzureAD Join, group2 Device2: AzureAD Join, group2 All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1. Folder protection: Enable List of apps that have access to protected folders: C:\*\AppA.exe List of additional folders that need to be protected: D:\Folder1 Assignments: Included groups: Group2, GroupB

Tonsku

MAM user scope: GroupB