
Exam MD-102 topic 1 question 152 discussion

Actual exam question from Microsoft's MD-102
Question #: 152
Topic #: 1

Case study -


Overview -

ADatum Corporation is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

ADatum has a Microsoft 365 E5 subscription.


Environment -


Network Environment -

The network contains an on-premises Active Directory domain named adatum.com. The domain contains the servers shown in the following table.



ADatum has a hybrid Azure AD tenant named adatum.com.


Users and Groups -

The adatum.com tenant contains the users shown in the following table.



All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.

Enterprise State Roaming is enabled for Group1 and GroupA.

Group1 and Group2 have a Membership type of Assigned.


Devices -

ADatum has the Windows 10 devices shown in the following table.



The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.

The Windows 10 devices are configured as shown in the following table.



All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.


Microsoft Intune Configuration -

Microsoft Intune has the compliance policies shown in the following table.





The Automatic Enrollment settings have the following configurations:

• MDM user scope: GroupA
• MAM user scope: GroupB

You have an Endpoint protection configuration profile that has the following Controlled folder access settings:

• Name: Protection1
• Folder protection: Enable
• List of apps that have access to protected folders: C:\*\AppA.exe
• List of additional folders that need to be protected: D:\Folder1
• Assignments:
- Included groups: Group2, GroupB


Windows Autopilot Configuration -

ADatum has a Windows Autopilot deployment profile configured as shown in the following exhibit.



Currently, there are no devices deployed by using Windows Autopilot.

The Intune connector for Active Directory is installed on Server1.


Requirements -


Planned Changes -

ADatum plans to implement the following changes:

• Purchase a new Windows 10 device named Device6 and enroll the device in Intune
• New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
• Deploy a network boundary configuration profile that will have the following settings:
- Name: Boundary1
- Network boundary: 192.168.1.0/24
- Scope tags: Tag1
- Assignments:
- Included groups: Group1, Group2
• Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:
- Name: Connection1
- Connection name: VPN1
- Connection type: L2TP
- Assignments:
- Included groups: Group1, Group2, GroupA
- Excluded groups: --
- Name: Connection2
- Connection name: VPN2
- Connection type: IKEv2
- Assignments:
- Included groups: GroupA
- Excluded groups: GroupB


Technical Requirements -

ADatum must meet the following technical requirements:
• Users in GroupA must be able to deploy new computers.
• Administrative effort must be minimized.


Which user can enroll Device6 in Intune?

  • A. User4 and User1 only
  • B. User4 and User2 only
  • C. User4, User1, and User2 only
  • D. User1, User2, User3, and User4
Suggested Answer: A
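The Automatic Enrollment settings in the case study (MDM user scope: GroupA, MAM user scope: GroupB) decide whose device is enrolled automatically when it joins or registers with Entra ID; that is the setting the discussion below turns on. The following is an added example, not part of the exam question or of any Microsoft code, that models only that scope evaluation. It does not model directory roles, enrollment restrictions, or a user starting MDM enrollment by hand. The precedence it encodes (on an Entra join only the MDM scope counts; on "Add work account" the MAM scope wins when a user is in both) follows the Intune Windows enrollment documentation and should be checked against your tenant. The group memberships are constructed from the commenters' reading of the missing table (GroupA: User1, User3; GroupB: User2, User3); User4's groups are unknown and left empty.

```python
"""Evaluate Entra ID automatic-enrollment scopes for Windows devices (added example)."""
from enum import Enum


class Scope(Enum):
    """Values of the MDM / MAM user scope under Entra ID > Mobility (MDM and MAM)."""
    NONE = "none"   # no automatic enrollment for anyone
    SOME = "some"   # automatic enrollment for the listed groups only
    ALL = "all"     # automatic enrollment for every user


class Settings:
    """The tenant's Automatic Enrollment settings."""

    def __init__(self, mdm_scope, mdm_groups=(), mam_scope=Scope.NONE, mam_groups=()):
        self.mdm_scope = mdm_scope
        self.mdm_groups = frozenset(mdm_groups)
        self.mam_scope = mam_scope
        self.mam_groups = frozenset(mam_groups)


def _in_scope(scope, scope_groups, user_groups):
    """True when the user falls inside a scope (ALL, or member of a SOME group)."""
    if scope is Scope.ALL:
        return True
    if scope is Scope.NONE:
        return False
    return not scope_groups.isdisjoint(user_groups)


def enrollment_outcome(settings, user_groups, join_type):
    """Return "MDM", "MAM" or "NONE" for a user performing join_type.

    join_type is "entra_join" (OOBE or "Join this device to Microsoft Entra ID")
    or "add_work_account" (BYOD registration). Assumed precedence, taken from the
    Intune Windows enrollment docs: on an Entra join only the MDM scope matters;
    on Add work account the MAM scope wins when the user is in both scopes.
    "NONE" means no automatic enrollment; it says nothing about whether the user
    could still start MDM enrollment manually.
    """
    user_groups = frozenset(user_groups)
    mdm = _in_scope(settings.mdm_scope, settings.mdm_groups, user_groups)
    mam = _in_scope(settings.mam_scope, settings.mam_groups, user_groups)
    if join_type == "entra_join":
        return "MDM" if mdm else "NONE"
    if join_type == "add_work_account":
        if mam:
            return "MAM"
        return "MDM" if mdm else "NONE"
    raise ValueError(f"unknown join_type: {join_type}")


def auto_enrolled_users(settings, memberships, join_type="entra_join"):
    """Sorted list of users whose device is MDM-enrolled automatically."""
    return sorted(user for user, groups in memberships.items()
                  if enrollment_outcome(settings, groups, join_type) == "MDM")


# Case-study settings: MDM user scope = GroupA, MAM user scope = GroupB.
ADATUM = Settings(Scope.SOME, {"GroupA"}, Scope.SOME, {"GroupB"})

# Constructed memberships (the users table is missing from this page); they follow
# the commenters' reading. User4's groups are unknown, so the set is empty.
MEMBERS = {
    "User1": {"GroupA"},
    "User2": {"GroupB"},
    "User3": {"GroupA", "GroupB"},
    "User4": set(),
}

if __name__ == "__main__":
    for user, groups in MEMBERS.items():
        print(user,
              "join:", enrollment_outcome(ADATUM, groups, "entra_join"),
              "add work account:", enrollment_outcome(ADATUM, groups, "add_work_account"))
    print("auto MDM on Entra join:", auto_enrolled_users(ADATUM, MEMBERS))
```

Running it shows User3, who sits in both scopes, getting MDM on a corporate join but MAM on a BYOD registration, while a user outside the MDM scope (User2, User4) gets no automatic MDM enrollment on join at all; whether such a user can still enroll manually is exactly what the comments disagree about.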

Comments

Merrybob
Highly Voted 1 year, 4 months ago
Selected Answer: A
Users 1 and 4 only. This is a trick question and requires a process of elimination. Basically everyone but Group B can perform an enrollment.
Given: Group A has the MDM role and consists of Users 1 and 3. Group B has the MAM role and consists of Users 2 and 3. User 4 is a Global Admin, so for sure they can enroll. [All answers have User 4]
Logic:
1. Look for all answers that consist of User 4 + another user with the MDM role.
2. Look for answers that do NOT contain User 2 (MAM only).
You're left with Users 4 and 1 only. All the other answers contain User 2.
Rationale: User 2 cannot enroll devices in Intune because they are not part of the MDM scope. Also, the fact that the user is part of the Azure AD Joined Local Administrators group doesn't mean they can enroll a device in Intune. It's just local admin rights that were created as part of the VM deployment. [Ref: https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin#how-it-works]
upvoted 18 times
Robin_Cegeka
Highly Voted 1 year, 8 months ago
All of them, because: User1 and User3 are in GroupA. User2 is an Azure AD joined device local admin; this group is created when a user with the ability to enroll Win10 devices enrolls the device, and they automatically become part of that group. User4: Global Admin.
upvoted 6 times
JakubWedrowycz
Most Recent 7 months, 4 weeks ago
Selected Answer: D
I would go with all. "You can still manage devices in Microsoft Intune but users must initiate MDM enrollment." https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll "Configure the MDM user scope. This setting enables automatic MDM enrollment for Microsoft Entra users so that you can manage their devices in Intune. Your options are: - None - Automatic MDM enrollment is disabled for all users. You can still manage devices in Microsoft Intune but users must initiate MDM enrollment. - Some - Automatic MDM enrollment is enabled for the users you select." - All - Automatic MDM enrollment is enabled for all users. Their devices automatically enroll in Intune when they join or register with Microsoft Entra ID.
upvoted 1 times
Bart_Hofstede
9 months, 3 weeks ago
Answer D is correct. There are no Device platform restrictions configured and no Microsoft Intune Enrollment MDM group scope configured, which is something different from the Microsoft Intune MDM group scope, a.k.a. Automatic enrollment in Intune device enrollment. Any user, even without a user license for Intune, can enroll devices in Entra & MDM. The only exception I've seen is the Global Administrator without an Intune license.
upvoted 1 times
ergacharsk
11 months ago
Selected Answer: A
I will go with "A"
upvoted 1 times
Faceless_Void
11 months ago
Selected Answer: C
Cloud Device Administrator - overrides MDM scope.
Azure AD Joined Device Administrator - overrides MDM scope.
Global Reader - STRICTLY READ ONLY, even if included in MDM scope - NO.
Global Administrator - overrides MDM role.
upvoted 1 times
Cezt
11 months ago
Selected Answer: D
D, they all can enroll devices to Intune; you don't need a role for that. https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#enable-windows-enrollment-without-azure-ad-premium:~:text=MDM%20enrollment%20is%20disabled%20for%20all%20users.%20You%20can%20still%20manage%20devices%20in%20Microsoft%20Intune%20but%20users%20must%20initiate%20MDM%20enrollment.
upvoted 1 times
oopspruu
11 months, 1 week ago
Selected Answer: A
The only possible reason for A to be correct is IF User 4 is in Group A and the given info is wrong. No, a global admin can't automatically enroll a device into Intune when they connect to Azure AD if the MDM scope doesn't include them. Joining to AAD and Enrolling to Intune are 2 different things.
upvoted 1 times
arsh807
1 year, 2 months ago
Selected Answer: A
First, carefully look at all 4 given options. Now, MDM User Scope: GroupA.
User 1 - Cloud Device Admin & is in Group A - So Yes.
User 2 - Azure joined Local Admin & not in Group A - So No.
User 3 - Global Reader - So No.
User 4 - Global Admin - So Yes.
It comes down to User 1 and User 4.
upvoted 2 times
Krayzr
1 year, 3 months ago
Selected Answer: D
D is right
upvoted 1 times
MR_Eliot
1 year, 3 months ago
Selected Answer: A
I think the answer should be A, because they want to enroll Device 6 in Intune. Before anything can be done, the device hash has to be imported into Intune. Only Global Admins & Cloud Device Admins can do that. Prove me wrong!
upvoted 1 times
MR_Eliot
1 year, 3 months ago
also, the autopilot group assignment is only for devices. not users.
upvoted 1 times
Krayzr
1 year, 4 months ago
Selected Answer: D
Copilot and Gemini both agree .... Therefore, even if the user is not in the "mobile device management" users group, as long as they are an "Azure AD joined local device administrator", they should be able to enroll a Windows 11 device in Intune. However, the exact capabilities and permissions might depend on the specific configurations and policies set up in your organization's Azure AD and Intune settings. It's always a good idea to check with your IT department or consult the specific documentation for your organization's setup.
upvoted 1 times
Krayzr
1 year, 4 months ago
Selected Answer: A
User 2 - Not in MDM Scope
upvoted 1 times
Krayzr
1 year, 4 months ago
Answer D. I change my answer. Copilot: Yes, a user assigned as an "Azure AD joined local device administrator" can enroll a Windows 11 device in Intune. Here's why: Azure AD Join: According to Microsoft's documentation1, when a device is joined to Azure AD, it is managed by Intune. The document states, "Join this device to Azure Active Directory: Users enter the information they're asked, including their organization email address and password. This option joins the device in Microsoft Entra ID. They show as organization owned, and show as Microsoft Entra joined in the Intune admin center. Devices are managed by Intune, regardless of who's …".
upvoted 1 times
Krayzr
1 year, 4 months ago
Automatic Enrollment: The same document1 also mentions that automatic enrollment in Intune occurs when a corporate-owned device joins your Microsoft Entra ID. It states, "Automatic enrollment: Uses the Access school or work feature on the devices. Uses the enrollment options you configure in the Intune admin center. You can use this enrollment option to: Enable automatic enrollment for personal devices that register and join in Microsoft Entra ID. Automatically bulk enroll devices with the Windows Configuration Designer app. Automatically enroll Microsoft Entra hybrid joined devices using group policy.".
upvoted 1 times
Krayzr
1 year, 4 months ago
MDM User Scope: Another document2 explains that if you enable MDM automatic enrollment, enrollment in Intune will occur when a corporate-owned device joins to your Microsoft Entra ID. It states, "If you enable MDM automatic enrollment, enrollment in Intune will occur when: A Microsoft Entra user adds their work or school account to their personal device. A corporate-owned device joins to your Microsoft Entra ID.". Therefore, even if the user is not in the “mobile device management” users group, as long as they are an “Azure AD joined local device administrator”, they should be able to enroll a Windows 11 device in Intune. However, the exact capabilities and permissions might depend on the specific configurations and policies set up in your organization’s Azure AD and Intune settings. It’s always a good idea to check with your IT department or consult the specific documentation for your organization’s setup.
upvoted 1 times
NoursBear
1 year, 4 months ago
Anyone with an Intune license can enroll a device. Users have an Office 365 and an Enterprise + Mobility license (which includes Intune). The question is not about the Autopilot profile assignment.
upvoted 2 times
mp34
1 year, 5 months ago
The answer is not all of them, as the Device local administrator does not have the correct permissions...
upvoted 1 times
yosry
1 year, 5 months ago
Selected Answer: D
CORRECT
upvoted 2 times
abill
1 year, 7 months ago
Can someone explain how this is correct?
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other