MD-101 Online Practice Questions and Answers

Correct Answer: A

Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide

additional protection from privileged system attacks originating from the host.

Note: Hardware and software requirements

To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows

Defender Credential Guard uses:

Support for Virtualization-based security (required)

Secure boot (required)

Trusted Platform Module (TPM, preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware

UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)

The Virtualization-based security requires:

64-bit CPU

CPU virtualization extensions plus extended page tables

Windows hypervisor (does not require Hyper-V Windows Feature to be installed)

Reference:

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements

Correct Answer: B

The domain members should have trusted root certificate stored.

Reference:

https://social.technet.microsoft.com/Forums/en-US/6b3abb8e-007e-4047-bd30-2946b9c3aaba/windows-admin-center-three-questions-login-and-certs? forum=ws2016

Correct Answer: AD

A: Conditional Access allows administrators to control what Office 365 apps users can gain access to based on if they pass/fail certain conditions. These conditions are enforced by building a policy (or multiple policies) to control how users

access your Office 365 resources.

Cloud Apps- What apps do you want to control? Conditional Access does not need to apply to all of Office 365, you can be more granular and just control access to specific apps " E.g. Exchange Online.

Access can be allowed to Office 365 with the following conditions:

*

Require multi-factor authentication " User is allowed in but will need to complete additional security to log in.

*

Etc.

D: The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication

Correct Answer: A

Applicability rules allow administrators to target devices in a group that meet specific criteria. For example, you create a device restrictions profile that applies to the All Windows 10/11 devices group. And, you only want the profile assigned to

devices running Windows Enterprise.

To do this task, create an applicability rule.

Reference:

https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create

Correct Answer: A

SCEP is to onroll certificates to Intune Devices (not necessary)

PKCS is to onroll certificates to Intune Devices (not necessary)

To trust the (internal) certificate of app1 you need to import the internal root certificate to the 'trused root certification authorities' of the device.

You must create a configuration Profile - Trusted certificate to deploy the root certificate to the intune devices

Answer = trusted certificate

Reference:

https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure

Correct Answer:

Box 1: The Microsoft Endpoint Manager console

How to set up Desktop Analytics.

Use this procedure to sign in to Desktop Analytics and configure it in your subscription. This procedure is a one-time process to set up Desktop Analytics for your organization.

Initial onboarding

1.

Open the Desktop Analytics portal in the Microsoft Endpoint Manager admin center as a user with the Global Admin role. Select Start. Alternatively, on the Configuration Manager console, go to the Software Library workspace, select the Desktop Analytics Servicing node, and select Plan deployments.

2.

Etc.

Box 2: Configure Azure Services Use this procedure to connect Configuration Manager to Desktop Analytics, and configure device settings. This procedure is a one-time process to attach your hierarchy to the cloud service.

In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Azure Services node. Select Configure Azure

Services in the ribbon.

Reference:

https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/connect-configmgr

https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/set-up

Correct Answer:

Sign-in screen, or Locked screen, image is set under Locked screen experience Wallpaper image, or Desktop background picture, URL is set under Personalization.

Reference: https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10

Correct Answer:

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-groups?view=o365-worldwide#manage-device-groups

Correct Answer:

Box 1: Windows Server Update Services (WSUS)

Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft

Update to computers on your network.

Windows Server Update Services is a built-in server role that includes the following enhancements:

Can be added and removed by using the Server Manager

Includes Windows PowerShell cmdlets to manage the most important administrative tasks in WSUS

Etc.

Box 2: A Group Policy object In an Active Directory environment, you can use Group Policy to define how computers and users can interact with Windows Update to obtain automatic updates from Windows Server Update Services (WSUS).

Box 3: BranchCache -

BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own

network request. Windows Server Update Services (WSUS) and Microsoft Endpoint

Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.

Reference:

https://docs.microsoft.com/en-us/windows/deployment/update/waas-branchcache

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates

Correct Answer:

Step 3: Add the commercial ID to the LEG department computers

The build in diagnostics/telemetry data needs to be configured to with the correct commercial ID.

Reference:

https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/set-up https://systemcenterdudes.com/sccm-windows-analytics-log-analytics/