Exam AZ-140
Question 111

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have the following:

✑ A Microsoft 365 E5 tenant

✑ An on-premises Active Directory domain

✑ A hybrid Azure Active Directory (Azure AD) tenant

✑ An Azure Active Directory Domain Services (Azure AD DS) managed domain

✑ An Azure Virtual Desktop deployment

The Azure Virtual Desktop deployment contains personal desktops that are hybrid joined to the on-premises domain and enrolled in Microsoft Intune.

You need to configure the security settings for the Microsoft Edge browsers on the personal desktops.

Solution: You configure a Group Policy Object (GPO) in the Azure AD DS managed domain.

Does this meet the goal?

    Correct Answer: B

    The personal desktops in the Azure Virtual Desktop deployment are hybrid joined to the on-premises Active Directory domain and enrolled in Microsoft Intune. Group Policy Objects (GPOs) configured in the Azure Active Directory Domain Services (Azure AD DS) managed domain will not apply to these desktops because they are not joined to the Azure AD DS domain. Instead, they are part of the on-premises domain. Therefore, configuring a GPO in the Azure AD DS managed domain does not meet the goal of configuring the security settings for the Microsoft Edge browsers on these personal desktops.
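
The reasoning above can be checked on a session host from its `dsregcmd /status` output. The following PowerShell is an added example, not part of the original question or answer; the function names `Get-JoinState` and `Test-GpoReach` and the NetBIOS domain names `CONTOSO` (on-premises) and `AADDSCONTOSO` (Azure AD DS) are assumptions made for illustration, and the sample output is constructed.

```powershell
# Added example: decide whether a GPO linked in a given domain can reach a
# session host, based on the join state that `dsregcmd /status` reports.

function Get-JoinState {
    param([string[]]$DsregLines)
    $state = @{}
    foreach ($line in $DsregLines) {
        # dsregcmd prints "   Key : Value" pairs; banner lines do not match
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        DomainName    = $state['DomainName']     # NetBIOS name of the AD DS domain
        HybridJoined  = ($state['AzureAdJoined'] -eq 'YES') -and
                        ($state['DomainJoined']  -eq 'YES')
    }
}

function Test-GpoReach {
    param($JoinState, [string]$GpoDomainNetBios)
    # Domain-linked GPOs are processed only from the AD DS domain that
    # holds the computer account, so the names must match.
    $JoinState.DomainJoined -and ($JoinState.DomainName -ieq $GpoDomainNetBios)
}

# Constructed sample of the "Device State" section for a hybrid joined host.
# On a real session host use: $join = Get-JoinState (dsregcmd /status)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"

$join = Get-JoinState $sample
$join | Format-List

foreach ($gpoDomain in 'CONTOSO', 'AADDSCONTOSO') {
    '{0}: GPO reaches this host = {1}' -f $gpoDomain, (Test-GpoReach $join $gpoDomain)
}
```

On a live host, `gpresult /r /scope computer` lists the GPOs that were actually applied, and Edge settings delivered by Group Policy appear under `HKLM:\SOFTWARE\Policies\Microsoft\Edge`.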

Discussion
SneakyBD (Option: B)

B is correct as the machines are joined to on-prem. AAD DS is NOT an extension of on-prem, but its OWN domain. Creating a GPO in AAD DS is not going to affect these machines.

PhyMac (Option: A)

I feel the correct answer is A. Azure ADDS has a GPO function, so you can configure the policy and enforce it for the Edge browser.

HKEX388

Agree. It has ADDS but not Azure AD. ADDS supports GPO

feeneymi

Yes, Azure AD DS does have GPO functionality but the hosts are not joined to this domain, they are joined to the on-premises domain. Both these domains are unique and operate their own set of GPOs so the correct answer is B (NO).

mrcljnff

When you read "Intune enrolled", AADDS is never an option because AADDS devices can't be Intune enrolled. "If you're joining session hosts to Azure Active Directory Domain Services, you can't manage them using Intune."

Sledge_Hammer (Option: B)

No, devices are joined to local domain. Only GPO in local domain will apply. AADDS has GPO but will not apply.

afbnfz (Option: A)

I'm saying Yes this does meet the goal. Because, according to MS, "In a hybrid environment, group policies configured in an on-premises AD DS environment aren't synchronized to Azure AD DS. To define configuration settings for users or computers in Azure AD DS, edit one of the default GPOs or create a custom GPO." - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy

vipjason (Option: B)

This is a trick (and very unrealistic) question. The GPO is applied to the ADDS domain and not the on-prem domain. For the life of me, I can't imagine why anyone would have a hybrid Azure AD deployment between Azure AD and on-prem and still have an AAD DS. Makes no sense. The folks who make up these questions are morons.

spool (Option: B)

B is correct. If you read the question again, it says Personal Desktops that are controlled via Intune; ADDS joined are workgroup machines and do not receive GPO.

alfonsodisalvo (Option: A)

Answer is A

benj180 (Option: A)

It's A. Hybrid joined so GPOs will apply.

Frankmmendoza (Option: B)

Based on the scenario provided and best practices for managing devices enrolled in Intune, Solution B: No, configuring a GPO in the Azure AD DS managed domain does not meet the goal of configuring the security settings for Microsoft Edge browsers on the personal desktops in your AVD deployment. Instead, you should use Intune configuration profiles to define and enforce the desired security settings for Microsoft Edge on these devices. This approach ensures effective management and compliance with organizational security policies in a modern management environment.

MarineCellenza (Option: B)

B is correct because the machines are joined to the on-prem domain not to AAD DS.

RDIO (Option: B)

No is the answer... The machines are joined to the "on-prem AD". Not to the Azure ADDS. When it says hybrid it's referring to On-Prem+Azure AD. Azure AD and Azure ADDS are two different things. Azure ADDS is its own and different domain.

STDY (Option: B)

Correct Answer is B. The session hosts are hybrid joined to the "On-Premises" domain not to Azure AD DS. So configuring a GPO policy in Azure AD DS will not affect the Session Hosts. Hybrid Joined refers to being joined to an Active Directory Domain, and Azure AD (Entra ID). The Active Directory Domain could refer to either the On-Premises AD or the Azure AD DS Managed Domain. In this question it specifically states that they are joined to the "On-Premises" domain. The presence of the Azure AD DS Managed domain in the question was intentionally to cause doubt in the reader. It's a poorly written question designed to throw you off.

Leocan (Option: B)

B is correct because the machines are joined to the on-prem domain rather than AAD DS.

MJFT (Option: A)

Azure AD DS replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only, or synchronized with an on-premises AD DS environment https://learn.microsoft.com/en-us/azure/active-directory-domain-services/overview

MJFT (Option: A)

Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy

feeneymi (Option: B)

Azure AD DS does have GPO functionality but the hosts are not joined to this domain, they are joined to the on-premises domain. Both these domains are unique and operate their own set of GPOs so the correct answer is B (NO).

MJFT

Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy

Seijkoh (Option: B)

It's hybrid joined to the onprem domain and not to the Azure AD DS domain so this is not going to do anything.