You have 100 devices that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD). You need to prevent users from joining their home computer to Azure AD. What should you do?
A. From the Device enrollment blade in the Intune admin center, modify the Enrollment restriction settings.
B. From the Devices blade in the Azure Active Directory admin center, modify the Device settings.
C. From the Device enrollment blade in the Intune admin center, modify the Device enrollment manages settings.
D. From the Mobility (MDM and MAM) blade in the Azure Active Directory admin center, modify the Microsoft Intune enrollment settings.
I believe this is A.
Wouldn't you set the enrollment restrictions to block personally owned devices - https://docs.microsoft.com/en-us/intune/enrollment/enrollment-restrictions-set#blocking-personal-windows-devices
When you enroll a device in Intune, doesn't that register it? Intune is configured so that when users sign in to a device with their work credentials they are automatically 'enrolled' and have access to Azure AD. The device is now registered to Azure AD and not joined. To stop someone from joining you have to configure this in Azure AD.
This is correct.
Answer cannot be B - because if "Users may join devices to Azure AD" was selected, that would also include corporate devices, which by inference still need to be joined to Azure AD.
A very subtly worded Microsoft-style question ;)
Why not B? Just go with B and select only the IT group guys to join the devices. Since JOIN is a one time procedure it's not a huge load of extra work, and it's an admin job, as you can see on the next question. Using A would apparently work but it would also block registering and enrolling at least personal devices. Using B you can solve both.
I WROTE to Microsoft and their OFFICIAL answer is B. Check my thread here:
https://github.com/MicrosoftDocs/azure-docs/issues/92026
Block personally-owned devices from joining Azure AD.
Question states you need to prevent the user from joining Azure AD not enrolling a device. You can set the "Users may join devices to Azure AD" setting to NONE or scope it to a group to achieve this. So the answer would be B.
If the question had mentioned Intune then I would agree with A but at no point does it do so.
To solve this I would go with B and select only the IT group guys to join the devices. Since join is a one time procedure it's not a huge load of extra work. Using A would apparently also work but it would also block registering that is not requested. Using B you can solve both.
The most incredible part is that there is NOWHERE in Microsoft documentation that even mentions this: how to just block personally-owned devices from being JOINED to Azure AD. Believe me, I searched a lot.
The problem with B is now the user can't even enroll their corporate machines if you exclude them from this setting. This will also affect Autopilot or hybrid join from working for these users. I really don't see the point in that setting as it's usually ALL. Enrollment restrictions make more sense to me. I would go with A.
I believe this should be B. Not only by the already given arguments but also because in the question there is no mention that the devices have an Intune enrollment.
B is the answer for the following reasons.
- The question is talking about joining their computers to Azure AD. The only option that fully answers the question is B.
- Option D talks about Azure AD but it says go to MDM and MAM, which is what Intune is and doesn't provide a solution.
The answer is A and here's why:
If you go with B and from the Azure AD admin center you go to Devices > Device Settings and set the "User may join devices to Azure AD" to "none", no users, including IT personnel, will be able to add any devices to Azure AD.
If you go with A, there is clearly in Intune the option to specifically disable users from joining their personally owned devices. Here's how:
Intune > Devices > Enroll Devices > Enrollment device platform restrictions > Create Restriction > Name your restriction policy and click Next > Personally owned = BLOCKED.
Answer is A!
I believe it's A.
The question specifically asks about blocking their home computers. The Intune device platform restriction has a specific setting called "Personally owned devices - Block" which makes me think this is the answer MS are looking for.
The answer is "A".
"Use device platform restrictions to restrict enrollment by device platform and OS version. You can also use platform restrictions to block personally-owned devices from enrolling."
https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set
MD-101 Exam Questions