Exam MD-102 topic 1 question 1 discussion

Actual exam question from Microsoft's MD-102
Question #: 1
Topic #: 1

HOTSPOT -

Case study -

Overview -
ADatum Corporation is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
ADatum has a Microsoft 365 E5 subscription.

Environment -

Network Environment -
The network contains an on-premises Active Directory domain named adatum.com. The domain contains the servers shown in the following table.

ADatum has a hybrid Azure AD tenant named adatum.com.

Users and Groups -
The adatum.com tenant contains the users shown in the following table.

All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.
Enterprise State Roaming is enabled for Group1 and GroupA.
Group1 and Group2 have a Membership type of Assigned.

Devices -
ADatum has the Windows 10 devices shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.

All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.

Microsoft Intune Configuration -
Microsoft Intune has the compliance policies shown in the following table.


The Automatic Enrollment settings have the following configurations:
MDM user scope: GroupA
MAM user scope: GroupB

You have an Endpoint protection configuration profile that has the following Controlled folder access settings:
Name: Protection1
Folder protection: Enable
List of apps that have access to protected folders: C:\*\AppA.exe
List of additional folders that need to be protected: D:\Folder1
Assignments:
Included groups: Group2, GroupB

Windows Autopilot Configuration -
ADatum has a Windows Autopilot deployment profile configured as shown in the following exhibit.

Currently, there are no devices deployed by using Windows Autopilot.
The Intune connector for Active Directory is installed on Server1.

Requirements -

Planned Changes -
ADatum plans to implement the following changes:
Purchase a new Windows 10 device named Device6 and enroll the device in Intune.
New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
Deploy a network boundary configuration profile that will have the following settings:
Name: Boundary1
Network boundary: 192.168.1.0/24
Scope tags: Tag1
Assignments:
Included groups: Group1, Group2

Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:

Name: Connection1
Connection name: VPN1
Connection type: L2TP
Assignments:
Included groups: Group1, Group2, GroupA
Excluded groups: --

Name: Connection2
Connection name: VPN2
Connection type: IKEv2
Assignments:
Included groups: GroupA
Excluded groups: GroupB

Technical Requirements -
ADatum must meet the following technical requirements:
Users in GroupA must be able to deploy new computers.
Administrative effort must be minimized.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Comments

volto
Highly Voted 1 year, 9 months ago
1. No - only C:\*\AppA.exe can create a file in this folder. 2. Yes - Local administrators can delete the folder from the protected folders list. 3. No - Global Reader doesn't have privileges to run something on enrolled computers.
upvoted 29 times
prBo
1 year, 7 months ago
Why does the MAM policy apply here?
upvoted 2 times
...
Futfuyfyjfj
1 year, 8 months ago
The global reader could sign in to a device and according to the Autopilot profile he will be a standard user locally. However being a standard user still allows to open a non elevated PS window and create a file, tested this, so should be NYY.
upvoted 8 times
FAlien
1 year, 6 months ago
No, user 3 cannot create a file on the desktop. The question states that the file is created with a PowerShell script. You can only run a PowerShell script after the execution policy is changed from restricted to something else.
upvoted 5 times
...
...
...
deit
Highly Voted 1 year, 9 months ago
I think it's 1. No - only C:\*\AppA.exe can create a file in this folder. 2. Yes - Local administrators can delete the folder from the protected folders list. 3. Yes - Desktop is not a folder protected by default. User can log in to the computer and create files on his desktop.
upvoted 15 times
Futfuyfyjfj
1 year, 8 months ago
I tested this, my situation was not 100% equal, but this seems to be right. With non-elevated PS I could create a txt file.
upvoted 4 times
...
NoursBear
1 year, 3 months ago
Not with a PowerShell script he can't, because of execution policy. He can however run a PowerShell command from the prompt to create a file or a directory etc.
upvoted 3 times
...
...
HvD
Most Recent 8 months ago
Question 2: User2 can remove D:\Folder1 from the list of protected folders on Device2. The question is about removing the folder from the list of protected folders, not "remove folder", but "from the list of protected folders", which is in the policy, right? So this user must be able to change the policy in Intune, which he cannot. He is only local admin on the devices.
upvoted 2 times
...
Tonsku
8 months ago
N,Y,N User1: groupA User2: groupB User3: GroupA, groupB Device4: AzureAD Join, group2 Device2: AzureAD Join, group2 All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1. Folder protection: Enable List of apps that have access to protected folders: C:\*\AppA.exe List of additional folders that need to be protected: D:\Folder1 Assignments: Included groups: Group2, GroupB
upvoted 1 times
Tonsku
1 year, 5 months ago
MAM user scope: GroupB
upvoted 2 times
...
...
Merrybob
8 months ago
No - A Cloud Device Administrator doesn't have local admin rights. Without Local Admin rights no one can make a change to the folder in question except for C:\*\AppA.exe Yes - Tried this on my laptop and it allows me to delete the folder and enable/disable the Controlled Folder feature if needed. No - Cannot run a script as a Global Reader. Need the execution policy enabled to be able to do that.
upvoted 4 times
OyYaGotta
12 months ago
They don't need local rights. They are removing the App from the list in Intune, not on a client computer. This whole question is horrendous and doesn't teach anyone anything. It's trick all the way. You would never come across the need to work this out in a real work scenario.
upvoted 2 times
...
...
MR_Eliot
8 months ago
Well, based on my testing the correct answers are: - YES (the setting in ASR policy is only for adding additional trusted programs. Notepad is already trusted by Microsoft. So the answer is YES.) - YES (Same as before, only custom scripts and programs are prevented from removing files. Explorer.exe is trusted, so the answer is YES.) - YES (The desktop folder is not a system folder like Pictures, Music, Video and Documents. In case this folder needs more protection it should be added in the ASR policy.)
upvoted 2 times
OyYaGotta
12 months ago
- NO - ASR is a disaster recovery service. Nothing to do with this question. You are confusing it with App Protection Policy... which is also incorrect as this is Folder Protection. App list is one app. Notepad is NOT on the list. Yes - User 2 has Admin rights to change desktop storage options. NO - Global reader can read... nothing else. ASR has, again, nothing to do with the user's role rights.
upvoted 1 times
...
MR_Eliot
1 year, 2 months ago
Second one should be NO. Third one should be NO as well. Because execution policy is enabled by default.
upvoted 1 times
...
...
cruzi
8 months ago
Device4 is a member of Group2 and subject to the Endpoint protection configuration profile Protection1. Protection1 enables folder protection for D:\Folder1. Notepad.exe does not have access to D:\Folder1 and cannot save files in the folder. Device2 is a member of Group1 and Group2 and subject to the Endpoint protection configuration profile Protection1. Protection1 enables folder protection for D:\Folder1. The protection cannot be removed by a local administrator. User3 can create a file on his personal desktop using PowerShell, File Explorer, or any other suitable method. 1. No 2. No 3. Yes
upvoted 3 times
LionelDerBoven
8 months, 2 weeks ago
Almost. 1 is correct (No). Secured folder. 2 is right (No). MAM configured the secured folder. Even local admins can't disable that because it is configured by the MAM. 3 is No because he runs a script. A non-admin can't run a script or the Set-ExecutionPolicy command.
upvoted 1 times
...
...
spillb
8 months, 2 weeks ago
n one device (Device2) to both Groups 1 and 2 that promulgate all 3 policies?
upvoted 1 times
...
LionelDerBoven
8 months, 2 weeks ago
1 (No). Secured folder so user can't do that (not even local admin). 2 (No). MAM configured the secured folder. Even local admins can't disable that because it is configured by the MAM. 3 is No because he runs a script. A non-admin can't run a script or the Set-ExecutionPolicy command.
upvoted 1 times
...
kiik32
10 months, 3 weeks ago
1. Yes, Notepad is a trusted app by default, I tested this with a role-less user. 2. Yes. 3. Yes, tested as well.
upvoted 2 times
Blessing_
9 months, 3 weeks ago
1. Device 4 is for personally owned
upvoted 3 times
...
...
kiik32
10 months, 3 weeks ago
3. Yes, you don't need a role to create files in unprotected folders from a non-elevated PowerShell script.
upvoted 1 times
...
AlSuds
1 year, 5 months ago
I'm pretty sure it's N, N, and N. 2. is tricky because User is a local admin and can remove the folder - but cannot remove the policy to 'remove folder from the protected list'. 3. is tricky too, Restricted Execution Policy allows an interactive PS console session (and the user can quite happily create a .txt file on their own desktop) - but Restricted never allows a user to run a PS script. Answer must be No.
upvoted 5 times
...
lucianosesantos
1 year, 6 months ago
I think it's 1. No - only C:\*\AppA.exe can create a file in this folder. 2. No - Local administrators can delete the folder from the protected folders list. 3. Yes - Desktop is not a folder protected by default. User can log in to the computer and create I agree with @majerzg 2. The question is: user2 can remove D:\Folder1 from the list of protected folders, not - he can remove it from the disk on Device2.
upvoted 3 times
NoursBear
4 months, 3 weeks ago
User 2 is local admin due to his Azure role
upvoted 1 times
...
...
majerzg
1 year, 7 months ago
2. The question is: user2 can remove D:\Folder1 from the list of protected folders, not - he can remove it from the disk on Device2.
upvoted 2 times
...