Exam MD-102
Question 3

HOTSPOT -

Case study -

Overview -

ADatum Corporation is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

ADatum has a Microsoft 365 E5 subscription.

Environment -

Network Environment -

The network contains an on-premises Active Directory domain named adatum.com. The domain contains the servers shown in the following table.

ADatum has a hybrid Azure AD tenant named adatum.com.

Users and Groups -

The adatum.com tenant contains the users shown in the following table.

All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.

Enterprise State Roaming is enabled for Group1 and GroupA.

Group1 and Group2 have a Membership type of Assigned.

Devices -

ADatum has the Windows 10 devices shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.

The Windows 10 devices are configured as shown in the following table.

All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.

Microsoft Intune Configuration -

Microsoft Intune has the compliance policies shown in the following table.

The Automatic Enrollment settings have the following configurations:

MDM user scope: GroupA

MAM user scope: GroupB

You have an Endpoint protection configuration profile that has the following Controlled folder access settings:

Name: Protection1

Folder protection: Enable

List of apps that have access to protected folders: C:\*\AppA.exe

List of additional folders that need to be protected: D:\Folder1

Assignments:

Included groups: Group2, GroupB

Windows Autopilot Configuration -

ADatum has a Windows Autopilot deployment profile configured as shown in the following exhibit.

Currently, there are no devices deployed by using Windows Autopilot.

The Intune connector for Active Directory is installed on Server1.

Requirements -

Planned Changes -

ADatum plans to implement the following changes:

Purchase a new Windows 10 device named Device6 and enroll the device in Intune

New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.

Deploy a network boundary configuration profile that will have the following settings:

Name: Boundary1

Network boundary: 192.168.1.0/24

Scope tags: Tag1

Assignments:

Included groups: Group1, Group2

Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:

Name: Connection1

Connection name: VPN1

Connection type: L2TP

Assignments:

Included groups: Group1, Group2, GroupA

Excluded groups: --

Name: Connection2

Connection name: VPN2

Connection type: IKEv2

Assignments:

Included groups: GroupA

Excluded groups: GroupB

Technical Requirements -

ADatum must meet the following technical requirements:

Users in GroupA must be able to deploy new computers.

Administrative effort must be minimized.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
jofraarcher

No, No, Yes is correct. My source to pass: https://docs.google.com/document/d/1Yxh9Pg5hzlUcv-Hv5x-xUm9LtB6mPIOx_o6A4IgQv7I/edit?usp=sharing

sh123df

No No Yes Answer is correct

krzysztofbr

Wrong answer!

Futfuyfyjfj

It’s correct. Devices with no policies are marked as compliant based on the setting in the image. Furthermore, policy 1 & 2 are both assigned to group 1, so device 1 can’t be compliant.

Tonsku

N,N,Y
device1: bitlocker Y, secureboot N
Device1: group1
group1: policy1 & policy2
compliance policies settings:
Policy1: require bitlocker only
Policy2: require secure boot only
mark device with no compliance policy as Compliant
Device1: Not Compliant
Device4: bitlocker N, secureboot Y
Device4: group2
group2: policy3
compliance policies settings:
Policy3: require bitlocker & secureboot
mark device with no compliance policy as Compliant
Device4: Not compliant
Device5: bitlocker Y, secureboot N
Device5: group3
Policy3: group2
Policy3: require bitlocker & secureboot
compliance policy: mark device with no compliance policy as Compliant
Device5: compliant

picho707

These answers are so backward. I will fire the Intune administrator for configuring something like this.

MR_Eliot

Provided answer is correct:
Device 1 - Group1 Conditional Policy:
-> Policy1, Require bitlocker: YES
-> Policy2, Require SecureBoot: NO
----------------------------------
Device 4 - Group2 Conditional Policy:
-> Policy3, Require Bitlocker & SecureBoot: NO
----------------------------------
Device 5 - Group3 Conditional Policy:
-> None: Compliant, because of configuration.

NoursBear

Well I was going for Yes No Yes because a device without a compliant policy is to be marked as compliant, so I don't know now as no one is thinking like me

Futfuyfyjfj

But device1 is assigned to 2 policies, which makes a No for device 1….

NoursBear

dunno why I came up with this, clearly NNY is correct, I see more clearly now lol

Contactfornitish

Device 1 would not be compliant since Policy 2 would fail for that.
Device 4 (yes, registered device can be checked for compliance, though no profile possible) is not compliant.
Device 5 would be compliant since group 3 is getting no policy and no policy means compliant.
No, No, Yes

VirtualJP

I'm going with: No No Yes

FrenchDuck

So for Device 1 it's a Yes bc the way it's arranged, from my understanding, Group one only needs either or to be marked as compliant. Compared to Device 2\group 2, it explicitly states it needs Bitlocker AND Secure boot, hence why it's a Not Compliant for me. Device 5 \ group 3, however, it's up to interpretation based on what I've read in MS Learn, so I'm going with Not Compliant based on here: https://learn.microsoft.com/en-us/training/modules/implement-device-compliance/4-deploy-policy

Futfuyfyjfj

Instead of what you are writing, you mean it’s a No?

ShiftDeL

No No Yes for device 5, as "Mark devices with no compliance policy assigned as: Compliant" has been configured.

7798da3

Disregard last post, I see the names; was looking for the actual policy.

7798da3

Where is policy2? I see one only.

Clauster

Provided answer is Correct 100%

boxafrica

That seems correct. On device 1 we have two compliance policies, policy1 and policy2, so device 1 is non-compliant. Device 4 belongs to group 2; the policy applied is policy 3, which requires BitLocker and Secure Boot to be enabled, which is not the case here, so device 4 is non-compliant. Device 5 is compliant because no compliance policy applies to it, so yes, which gives us NO; NO; YES.

madsa

No, No, Yes is correct.

b0gdan433

The answer is No, No, Yes, I just took the exam today.

iTomi

So...? MS doesn't reveal right answers.

Merrybob

No way you could've confirmed this.

picho707

Can someone explain why Device4 is a "No"? It appears to me that the device is personally owned so the policy will not apply, meaning that using these backward settings may be a "Yes". I am under the understanding that compliance policies require devices to be Azure AD Joined to be able to properly report compliance results.

NoursBear

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune. Because it is enrolled, it receives compliance policies.

Jacob75

Group 2 required Policy is Secure boot and Bitlocker, and device does not have Bitlocker. Personal devices can still be compliant and enrolled, I think.