- (Exam Topic 4)
You have a Microsoft 365 subscription.
You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD). You plan to replace the computers with new computers that run Windows 10. The new computers will be joined to Azure AD.
You need to ensure that the desktop background, the favorites, and the browsing history are available on the new computers.
What should you use?
Correct Answer:
C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settingsrefere https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-faqs
- (Exam Topic 4)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin. You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10
devices to contoso.com.
Solution: From the Azure Active Directory admin center, you modify the User settings and the Device settings.
Does this meet the goal?
Correct Answer:
B
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Device Management admin center, you configure the Windows Hello for Business enrollment options.
Reference:
https://docs.microsoft.com/en-us/intune/protect/windows-hello
- (Exam Topic 4)
You have devices enrolled in Microsoft Intune as shown in the following table.
On which devices can you apply app configuration policies?
Correct Answer:
BCD
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business
- (Exam Topic 4)
You have a Microsoft 365 subscription that contains devices enrolled in Microsoft Intune. You need to create Endpoint security policies to enforce the following requirements:
Computers that run macOS must have FileVault enabled. Computers that run Windows 10 must have Microsoft Defender Credential Guard enabled. 
Computers that run Windows 10 must have Microsoft Defender Application Control enabled.
Which Endpoint security feature should you use for each requirement? To answer, drag the appropriate features to the correct requirements. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Solution:
Box 1: Disk encryption
Computers that run macOS must have FileVault enabled.
Intune supports macOS FileVault disk encryption. FileVault is a whole-disk encryption program that is included with macOS. You can use Intune to configure FileVault on devices that run macOS 10.13 or later.
Box 2: Attack surface reduction (ASR)
Computers that run Windows 10 must have Microsoft Defender Application Control enabled. Attack surface reduction profiles include:
* Application control - Application control settings can help mitigate security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). Manage settings that can block unsigned scripts and MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.
Note: Attack surface reduction rules target certain software behaviors, such as: Launching executable files and scripts that attempt to download or run files Running obfuscated or otherwise suspicious scripts
Performing behaviors that apps don't usually initiate during normal day-to-day work Box 3: Account protection
Computers that run Windows 10 must have Microsoft Defender Credential Guard enabled.
The account protection policy is focused on settings for Windows Hello and Credential Guard, which is part of Windows identity and access management.
Note: Microsoft Defender Credential Guard protects against credential theft attacks. It isolates secrets so that only privileged system software can access them.
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices-filevault https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 4)
You have a Microsoft 365 subscription.
You plan to enroll devices in Microsoft Endpoint Manager that have the platforms and versions shown in the following table.
You need to configure device enrollment to meet the following requirements:
Ensure that only devices that have approved platforms and versions can enroll in Endpoint Manager. Ensure that devices are added to Microsoft Azure Active Directory (Azure AD) groups based on a selection made by users during the enrollment.
Which device enrollment setting should you configure for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Solution:
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set https://docs.microsoft.com/en-us/mem/intune/enrollment/device-group-mapping
Does this meet the goal?
Correct Answer:
A
