Exam MD-102 topic 1 question 332 discussion

Actual exam question from Microsoft's MD-102
Question #: 332
Topic #: 1

HOTSPOT

You have a Microsoft 365 E5 tenant that contains Windows devices enrolled in Microsoft Intune as shown in the following table.



You create an Endpoint Privilege Management (EPM) elevation settings policy named ElevationSettings1 that has the following settings:

• Endpoint Privilege Management: Enabled
• Default elevation response: Require user confirmation
• Validation: Business justification
• Assignments: Group1

Each device contains a file named File1.exe that can be run only by an administrator.

You create an EPM elevation rules policy named ElevationRules1 that has the following settings:

• Rule name: Rule1
• Elevation type: Automatic
• File name: File1.exe
• File hash:
• Assignments: Group2

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

martinods
Highly Voted 5 months, 3 weeks ago
1: Yes: Device1 is assigned to both Group1 and Group2. While ElevationRules1 allows automatic elevation for File1.exe for Group2, ElevationSettings1 requires user confirmation and business justification for Group1. Since Device1 is part of Group1, it will still need user confirmation to run File1.exe.
2: Yes: Device2 is assigned to Group2, and ElevationRules1, which allows automatic elevation for File1.exe, is also assigned to Group2. Therefore, Device2 can run File1.exe without administrator intervention.
3: No: Device3 is assigned to both Group1 and Group2. Since ElevationSettings1, which requires business justification, is assigned to Group1, Device3 will require business justification to run File1.exe.
upvoted 8 times
ExamBud
2 months ago
ElevationRules1 wins; the policy applies only if there is not a rule created for a specific file (File1). And Device2 does not have EPM enabled (no EPM policy assigned). Same for Device3: the rule wins over the policy for File1, YES. So NNY.
upvoted 2 times
XylosSW
2 months ago
I don't agree with this one. https://learn.microsoft.com/en-us/mem/intune/protect/epm-policies#windows-elevation-settings-policy "Set default rules for elevation requests for any file that isn't managed by an Endpoint Privilege Management elevation rule on that device." This states that EPM elevation rule has preference over EPM elevation settings policy. Correct me if I'm wrong
upvoted 1 times
faa7b48
Highly Voted 4 months, 1 week ago
Answer seems wrong and should be No, Yes, Yes instead. https://learn.microsoft.com/en-us/mem/intune/protect/epm-policies#about-windows-elevation-settings-policy The elevation settings policy only takes effect when no rule exists for the application. Since there is a rule for File1.exe that applies to Device1 and Device3, the elevation settings policy has no impact and the elevation happens automatically without any prompts on the user side.
upvoted 7 times
Knight_Of_Peace
Most Recent 1 month, 3 weeks ago
Suggested answer: N, N, Y
Device1: has the EPM Setting and the EPM Rule, so EPM is enabled and it can use the Rule, which will allow the file access automatically. (Access without justification.)
Device2: Does not have the EPM Setting but it has the EPM Rule. So EPM is not enabled on it, thus the EPM Rule will not work for it. Therefore, it will use the EPM Setting only as the default for all the file access. (Needs to provide business justification.)
Device3: has the EPM Setting and the EPM Rule, so EPM is enabled and it can use the Rule, which will allow the file access automatically. (Access without justification.)
upvoted 2 times
Knight_Of_Peace
1 month, 3 weeks ago
Ref: https://learn.microsoft.com/en-us/mem/intune-service/protect/epm-policies#windows-elevation-settings-policy:~:text=Default%20elevation%20response%20%2D%20Set%20a%20default%20response%20for%20an%20elevation%20request%20of%20any%20file%20that%20isn%27t%20managed%20by%20a%20Windows%20elevation%20rule%20policy. https://learn.microsoft.com/en-us/mem/intune-service/protect/epm-policies#windows-elevation-settings-policy:~:text=Enable%20Endpoint%20Privilege%20Management%20on%20devices.%20By%20default%2C%20this%20policy%20enables%20EPM.%20When%20first%20enabled%20for%20EPM%2C%20a%20device%20provisions%20the%20components%20that%20collect%20usage%20data%20on%20elevation%20requests%20and%20that%20enforce%20elevation%20rules.
upvoted 1 times
Knight_Of_Peace
1 month, 2 weeks ago
Ref: https://learn.microsoft.com/en-us/mem/intune-service/protect/epm-overview#prerequisites:~:text=on%20capabilities.-,Requirements,Clear%20line%20of%20sight%20(without%20SSL%2DInspection)%20to%20the%20required%20endpoints,-Note
upvoted 1 times
justsomeguy12345678
2 months ago
I got No, No, Yes
No - The first ruleset handles how files that aren't managed by an EPM rule explicitly, the second is an explicit rule for File1, and since Group 2 contains D1, that rule applies and it's 'managed' by EPM.
No - You have to enable EPM first with the first policy; if it isn't enabled they can't receive EPM policies.
Yes - Since file1.exe has an explicit rule, the first ruleset, which pertains to actions when no explicit EPM policy is in place on a file, is not used.
upvoted 4 times
correction
2 months, 3 weeks ago
Except for the following situation, conflicting policies for EPM are handled like any other policy conflict.
1. When a device receives two separate elevation settings policies with conflicting values
2. If a device receives two rules targeting the same application
https://learn.microsoft.com/en-us/mem/intune/protect/epm-policies#policy-conflict-handling-for-endpoint-privilege-management
Any conflicting settings are set to the most restrictive values.
https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#conflicts
Therefore, Yes, Yes, No
upvoted 1 times
Meek_Learner
3 months ago
All answers should be No. The key information is that File1.exe "can be run only by an administrator." This means that standard users, regardless of the Endpoint Privilege Management (EPM) policies in place, cannot run the file without being granted administrative privileges. The EPM policies created (ElevationSettings1 and ElevationRules1) do not explicitly grant administrative rights to standard users. They only define how elevation requests should be handled. Since the file requires administrator privileges to run, and the policies do not grant those privileges, standard users on all devices would be unable to run File1.exe, regardless of the EPM settings. This interpretation aligns with the principle of least privilege, which is a fundamental aspect of security that EPM aims to support.
upvoted 1 times
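
Added example, not part of the thread and not Microsoft's code: a small Python model of the evaluation order described by the documentation sentence quoted above, where a matching elevation rule decides the outcome and the default elevation response covers only files that no rule manages. That EPM is active only on devices that receive an enabling elevation settings policy is the reading given by several commenters and is treated as an assumption here; the device names and group memberships are constructed.

```python
from dataclasses import dataclass

@dataclass
class SettingsPolicy:          # models an EPM elevation settings policy
    enabled: bool
    default_response: str
    groups: frozenset

@dataclass
class ElevationRule:           # models one rule in an elevation rules policy
    file_name: str
    elevation_type: str
    groups: frozenset

def resolve(device_groups, file_name, settings, rules):
    """Return how an elevation request for file_name is handled on a device."""
    # Step 1 (assumption from the thread): EPM is active only when an enabling
    # elevation settings policy is assigned to one of the device's groups.
    active = [s for s in settings if s.enabled and s.groups & device_groups]
    if not active:
        return "EPM not enabled"
    # Step 2: a rule that manages this file decides the outcome. Real rules also
    # identify the file by hash or certificate; the hash is blank on the page,
    # so this model matches on file name only.
    for rule in rules:
        if rule.groups & device_groups and rule.file_name.lower() == file_name.lower():
            return rule.elevation_type
    # Step 3: the default elevation response covers files no rule manages.
    return active[0].default_response

# Policy values from the question.
SETTINGS = [SettingsPolicy(True, "Require user confirmation", frozenset({"Group1"}))]
RULES = [ElevationRule("File1.exe", "Automatic", frozenset({"Group2"}))]

# Constructed devices (the question's device table is not reproduced on the page).
DEVICES = {
    "DeviceA": {"Group1", "Group2"},
    "DeviceB": {"Group2"},
    "DeviceC": {"Group1"},
}

if __name__ == "__main__":
    for name, groups in DEVICES.items():
        for exe in ("File1.exe", "Other.exe"):
            print(f"{name:8} {exe:10} -> {resolve(groups, exe, SETTINGS, RULES)}")
```

Under this model the settings policy and the rule do not conflict: the rule answers for File1.exe, and the default response answers for every other file on the same device.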