ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam MD-101 All Questions

View all questions & answers for the MD-101 exam
Go to Exam

Exam MD-101 topic 2 question 26 discussion

Actual exam question from Microsoft's MD-101
Question #: 26
Topic #: 2
[All MD-101 Questions]

HOTSPOT -
You use Microsoft Intune to manage Windows updates.
You have computers that run Windows 10. The computers are in a workgroup and are enrolled in Intune. The computers are configured as shown in the following table.

On each computer, the Select when Quality Updates are received Group Policy setting is configured as shown in the following table.

You have Windows 10 update rings in Intune as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb
by Wilf32 at May 4, 2021, 6:35 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Wilf32
Highly Voted 4 years, 2 months ago
I think the answer is YES, NO, YES Computer1 = Group1 + GPO NOT configured = update ring is applied = 2 days = YES Computer2 = Group2 + GPO IS configured = update ring NOT applied = 5 days = NO Computer3 = Group3 + GPO disabled = update ring is applied = 14 days = YES As i understand it GPO takes precedence over update rings.
upvoted 65 times
IrvSus
4 years, 2 months ago
this question feels like a trick because they say workgroup and then reference GPO - so do they mean Local GPO then, and I can't seem to find anything on CSP vs Local GPO (I would think CSP would win over local GPO)
upvoted 3 times
Wilf32
4 years, 1 month ago
The setting for local GPO is here Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quility Updates are received. See this link https://docs.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb Also GPO settings always win unless "MDMWinsOverGP" is enabled - this is referenced in a similar question https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict
upvoted 5 times
letters1234
3 years, 4 months ago
"Also GPO settings always win unless "MDMWinsOverGP" is enabled - this is referenced in a similar question" But isn't referenced in this one, the default setting for MDMWins is for GPO to win.
upvoted 2 times
...
...
...
Slammer900
4 years, 2 months ago
I agree
upvoted 1 times
...
Layer8
4 years, 1 month ago
but wouldn't the GPO being set to "disabled" override the intune setting then?
upvoted 4 times
RodrigoT
3 years, 3 months ago
If you open the Local Group Policy Editor > Select when Quality Updates are received, you can read the Description that states: "If you disable or do not configure this policy, Windows Update will not alter its behavior", meaning "Not Configured" and "Disabled" are the same thing in this policy. Keep studying.
upvoted 6 times
...
...
Jimbob77
4 years, 1 month ago
YES NO YES (From the GPO being referenced for the 'Disabled' setting "If you disable or do not configure this policy, Windows Update will not alter its behavior." So the update Ring setting should apply.)
upvoted 4 times
...
Load full discussion...
...
Perycles
Highly Voted 4 years, 1 month ago
after 2 hours Tests, my final answer is YES, NO , YES. easy for computer 1 and 3. For computer 2, intune settings for updates rights are never applied if GPO is active. TAGS have no impact here ( used only to easy admin jobs).
upvoted 32 times
RodrigoT
3 years, 2 months ago
Thank you for really testing.
upvoted 4 times
...
...
aleexoo
Most Recent 2 years, 6 months ago
YES, NO, YES Local Policy win over MDM and disabled setting act like "not configured"
upvoted 1 times
...
Graz
2 years, 6 months ago
If it has been a year and a half and the mods haven't corrected it, the given answer is probably correct although I would have went with yes no yes
upvoted 2 times
...
raduM
2 years, 8 months ago
GPO wins over MDM so i would say yes no no
upvoted 1 times
...
TonySuccess
2 years, 9 months ago
Feel like it should specify Local GPO, as that is misleading.
upvoted 1 times
...
coelho4cc
3 years ago
Computer1 - NO. Not in "Scope (Tags)" Computer2 - NO. MDM over GPO takes precedence over "Policy CSP - ControlPolicyConflict" for setting to 1, default is 0. As Wilf32 mentioned. Computer3 - NO. This computer does not have a Tag2.
upvoted 2 times
...
Gulshan85
3 years ago
No, Yes, No The above is the correct answer. https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags
upvoted 4 times
AngelusNL
2 years, 8 months ago
Scope Tags are only used to control acces for Admins and have NOTHING to do with update rings being applied, this is the wrong answer
upvoted 4 times
...
...
AVR31
3 years, 2 months ago
Answer should be corrected. It is YES-NO-YES. For reasons very well explained by other users.
upvoted 1 times
Dedutch
2 years, 11 months ago
I don't think so. Option 1 - No - Option 2 - Yes - Devices aren't domain joined so the GPO must be a local GPO. Intune should override locally applied GPOs but not domain pushed GPOs (unless the flag to do such is checked). Option 3- NO - Scope tags should apply so option 3 the policy applied in intune isn't going to apply to the machine since its not in scope.
upvoted 2 times
Dedutch
2 years, 11 months ago
No. Scope tag not applied.
upvoted 1 times
AngelusNL
2 years, 8 months ago
Scope Tags are only used to control acces for Admins and have NOTHING to do with update rings being applied, this is the wrong answer
upvoted 1 times
...
...
...
...
Solaris2002
3 years, 4 months ago
Do people read these questions? Global Group Policy doesn't apply here. The devices are in a workgroup but managed by Intune, it says at the top: The computers are in a workgroup and are enrolled in Intune. I'm still confused by the given answers however. Intune policies should override local GPO unless I'm missing something.
upvoted 3 times
...
ChrisThrelfall
3 years, 4 months ago
I agree with YES, NO, YES: Tags are disregarded & GPO Wins over MDM: Computer 1 - No GPO configured (Bypass) > Update ring applies to Group 1 (2 Days): YES Computer 2 - GPO Enabled (Ignore MDM) > Deferral period of 5 days applies: NO Computer 3 - CONFIGURATION GPO disabled > Unknown state of other GPO's, the assumption is that updates are enabled (Bypass GPO) > Update ring applies to Group 3 (14 Days): YES
upvoted 4 times
...
b3arb0yb1m
3 years, 6 months ago
Yes No Yes
upvoted 4 times
...
encxorblood
3 years, 7 months ago
Answer is correct. GPO in a workgroup? Only intune is the solution and the scope tag ist important.
upvoted 2 times
letters1234
3 years, 4 months ago
"Local" Group Policy Object - still accessed by GPedit.msc where it shows both domain and local policies set.
upvoted 1 times
...
mikl
3 years, 6 months ago
I was wondering the exact same - GPO settings cant apply to devices in workgroup.
upvoted 2 times
...
...
ANDREVOX
3 years, 8 months ago
The Question does not say who wins in case of conflict. Default action is GPO always wins unless specified otherwise. "In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM." GPO’s as follows: Computer 1 - No GPO configured - (MDM will apply because there is no conflict) = YES Computer 2 - GPO Enabled - (MDM will not apply because there is a conflict) = NO Computer 3 - GPO Disable - (MDM will apply because there is no conflict) = YES
upvoted 2 times
...
AnoniMouse
4 years, 1 month ago
The answer provided is correct NO, YES, NO Computer1 is in Group1. The Intune policy Ring1 applies to Group1 if the device has Tag1, which Computer1 doesn't, so this policy doesn't apply, neither the other policies because they are set to other groups which Computer1 isn't member of. So here the local GPO wins which is set to Not Configured. So the answer is NO Computer2 is in Group2. The Intune policy Ring2 applies to Group2 if the device has Tag2, which Computer2 does have, so this policy applies. No other policy is applied. Computer2 has a local GPO to set the deferral, but this will get override by the Intune CSP which says 7 days. So the answer is YES Computer3 is in Group3. The Intune policy Ring3 applies to Group3 if the device has Tag2, but Computer3 has Tag3 so this policy doesn't apply neither does other policies. Computer3 has a local GPO which disables the configuration of deferrals, which reverts to default, i.e, none. So the answer is NO
upvoted 14 times
camino
3 years, 4 months ago
Tags are just for RBAC and have nothing to do with assigning a policies
upvoted 4 times
[Removed]
3 years, 4 months ago
Correct: https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags
upvoted 2 times
...
DaZa5
2 years, 9 months ago
As described in the link: "https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings" Windows update rings support scope tags. You can use scope tags with update rings to help you filter and manage sets of configurations that you use.
upvoted 3 times
...
...
ceskil
3 years, 3 months ago
Base on Ans 1 & 3, both not applicable as one not exist and one disabled, hence GPO doesn't apply and Intune Ring is bypassed. But in Ans 2, GPO enable and 5 days are applied and no other policy should apply, hence should be 5 days and Ans should be No too, but you applied Intune Ring 7 days as override, which make no sense.
upvoted 1 times
...
...
RomeIndian
4 years, 1 month ago
Computer1 = Group1 + GPO NOT configured = update ring is applied = 2 days = so since local GPO is not configured the intune policies should take affect and in that case it is -> YES Computer2 = Group2 + GPO IS configured hence GPO will win because "MDMWinsOverGP" is not mentioned and it is off by default = 5 days -> NO Computer3 = Group3 + GPO disabled = update ring is applied = 14 days = YES
upvoted 3 times
...
RomeIndian
4 years, 1 month ago
Computer1 = Group1 + GPO NOT configured = update ring is applied = 2 days = so since local GPO is not configured the intune policies should take affect and in that case it is -> YES Computer2 = Group2 + GPO IS configured hence GPO will win because "MDMWinsOverGP" is not mentioned and it is off by default = 5 days -> NO Computer3 = Group3 + GPO disabled = update ring is applied = 14 days = YES I think it should be Yes -> NO -> Yes
upvoted 9 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel