You support Windows 10 Enterprise computers.

Your company has started testing Application Virtualization (App-V) applications on several laptops. You

discover that the App-V applications are available to users even when the laptops are offline.

You need to ensure that the App-V applications are available to users only when they are connected to the

company network.

What should you do?

A. Change user permissions to the App-V applications.

B. Disable the Disconnected operation mode.

C. Configure mandatory profiles for laptop users.

D. Reset the App-V client File System cache.

Correct Answer: B

Explanation/Reference:

Disconnected operation mode is enabled by default and allows App-V applications to be available to users

even when the laptops are offline. We need to disable Disconnected operation mode to prevent offline

access.

The disconnected operation mode settings--accessible by right-clicking the Application Virtualization node,

selecting Properties, and clicking the Connectivity tab--enables the Application Virtualization Desktop

Client or Client for Remote Desktop Services (formerly Terminal Services) to run applications that are

stored in the file system cache of the client when the client is unable to connect to the Application

Virtualization Management Server.

You support Windows 10 Enterprise computers that are members of an Active Directory domain. Your

company policy defines the list of approved Windows Store apps that are allowed for download and

installation.

You have created a new AppLocker Packaged Apps policy to help enforce the company policy.

You need to test the new AppLocker Packaged Apps policy before you implement it for the entire

company.

What should you do?

A. From Group Policy, enforce the new AppLocker policy in Audit Only mode.

B. From Group Policy, run the Group Policy Results Wizard.

C. From Group Policy, run the Group Policy Modeling Wizard.

D. From PowerShell, run the Get-AppLocker Policy 璄ffective command to retrieve the AppLocker

effective policy.

Correct Answer: A

Explanation

Explanation/Reference:

You can test an AppLocker Packaged Apps policy by running it in audit mode. After AppLocker rules are

created within the rule collection, you can configure the enforcement setting to Enforce rules or Audit only.

When AppLocker policy enforcement is set to Enforce rules, rules are enforced for the rule collection and

all events are audited. When AppLocker policy enforcement is set to Audit only, rules are only evaluated

but all events generated from that evaluation are written to the AppLocker log.

Your Windows 10 Enterprise work computer is a member of an Active Directory domain. You use your

domain account to log on to the computer. You use your Microsoft account to log on to a home laptop.

You want to access Windows 10 Enterprise apps from your work computer by using your Microsoft

account.

You need to ensure that you are able to access the Windows 10 Enterprise apps on your work computer

by logging on only once.

What should you do?

A. Add the Microsoft account as a user on your work computer.

B. Enable Remote Assistance on your home laptop.

C. Connect your Microsoft account to your domain account on your work computer.

D. Install SkyDrive for Windows on both your home laptop and your work computer.

Correct Answer: C

Explanation

You can connect your Microsoft account to your domain account on your work computer. This will enable

you to sign in to your work computer with your Microsoft account and access the same resources that you

would access if you were logged in with your domain account.

When you connect your Microsoft account to your domain account, you can sync your settings and

preferences between them. For example, if you use a domain account in the workplace, you can connect

your Microsoft account to it and see the same desktop background, app settings, browser history and

favorites, and other Microsoft account settings that you see on your home PC.

Your network contains an Active Directory domain named contoso.com. The domain contains Windows 10

Enterprise client computers.

Your company has a subscription to Microsoft Office 365. Each user has a mailbox that is stored in Office

365 and a user account in the contoso.com domain. Each mailbox has two email addresses.

You need to add a third email address for each user.

What should you do?

A. From Active Directory Users and Computers, modify the E-mail attribute for each user.

B. From Microsoft Azure Active Directory Module for Windows PowerShell, run the Set- Mailbox cmdlet.

C. From Active Directory Domains and Trust, add a UPN suffix for each user.

D. From the Office 365 portal, modify the Users settings of each user.

Correct Answer: B

Explanation

We can use the Set-Mailbox cmdlet to modify the settings of existing mailboxes.

The EmailAddresses parameter specifies all the email addresses (proxy addresses) for the recipient,

including the primary SMTP address. In on-premises Exchange organizations, the primary SMTP address

and other proxy addresses are typically set by email address policies. However, you can use this

parameter to configure other proxy addresses for the recipient.

To add or remove specify proxy addresses without affecting other existing values, use the following syntax:

@{Add="[<Type>]:<emailaddress1>","[<Type>]:<emailaddress2>"...;

Remove="[<Type>]:<emailaddress2>","[<Type>]:<emailaddress2>"...}.

HOTSPOT

You have an image of Windows 10 Enterprise named Image1. Image1 has version number 1.0.0.0 of a

custom, line-of-business universal app named App1.

You deploy Image1 to Computer1 for a user named User1.

You need to update App1 to version 1.0.0.1 on Computer1 for User1 only.

What command should you run? To answer, select the appropriate options in the answer area.

Hot Area:

[image]

DRAG DROP

You manage Microsoft Intune for a company named Contoso. You have an administrative computer

named Computer1 that runs Windows 10 Enterprise.

You need to add a Windows Store universal app named App1 to the Company Portal Apps list for all

users.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the

list of actions to the answer area and arrange them in the correct order.

Select and Place:

[image]

You manage a Microsoft Azure RemoteApp deployment. The deployment consists of a cloud collection

named CloudCollection1 and a hybrid collection named HybridCollection1.

Both collections reside in a subscription named Subscription1. Subscription1 contains two Active Directory

instances named AzureAD1 and AzureAD2. AzureAD1 is the associated directory of Subcsription1.

AzureAD1 is synchronized to an on-premises Active Directory forest named constoso.com.

Passwords are synchronized between AzureAD1 and the on-premises Active Directory.

You have the following user accounts:

You need to identify to which collections each user can be assigned access.

What should you identify? To answer, select the appropriate options in the answer area.

[image]

Employees are permitted to bring personally owned portable Windows 10 Enterprise computers to the

office. They are permitted to install corporate applications by using the management infrastructure agent

and access corporate email by using the Mail app.

An employee's personally owned portable computer is stolen.

You need to protect the corporate applications and email messages on the computer.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Prevent the computer from connecting to the corporate wireless network.

B. Change the user's password.

C. Disconnect the computer from the management infrastructure.

D. Initiate a remote wipe.

Correct Answer: BD

Explanation

The personally owned portable Windows10Enterprise computers being managed by the management

infrastructure agent enables the use of remote wipe. By initiating a remote wipe, we can erase all company

data including email from the stolen device. Microsoft Intune provides selective wipe, full wipe, remote lock,

and passcode reset capabilities. Because mobile devices can store sensitive corporate data and provide

access to many corporate resources, you can issue a remote device wipe command from the Microsoft

Intune administrator console to wipe a lost or stolen device.

Changing the user's password should be the first step. If the stolen computer is accessed before the

remote wipe happens, the malicious user could be able to access company resources if the laptop has

saved passwords.

You administer a Windows 10 Enterprise computer that runs Hyper-V. The computer hosts a virtual

machine with multiple snapshots. The virtual machine uses one virtual CPU and 512 MB of RAM.

You discover that the virtual machine pauses automatically and displays the state as paused-critical.

You need to identify the component that is causing the error.

Which component should you identify?

A. no virtual switch defined

B. insufficient memory

C. insufficient hard disk space

D. insufficient number of virtual processors

Correct Answer: C

Explanation

In this question, the VM has "multiple snapshots" which would use up a lot of disk space. Virtual machines

will go into the "Paused-Critical" state in Hyper-V if the free space on the drive that contains the snapshots

goes below 200MB. One thing that often trips people up is if they have their virtual hard disks configured

on one drive ?but have left their snapshot files stored on the system drive. Once a virtual machine

snapshot has been taken?the base virtual hard disk stops expanding and the snapshot file stores new data

that is written to the disk ?so it is critical that there is enough space in the snapshot storage location.

You have a Windows 10 Enterprise computer named Computer1 that has the Hyper-V feature installed.

Computer1 hosts a virtual machine named VM1. VM1 runs Windows 10 Enterprise. VM1 connects to a

private virtual network switch.

From Computer1, you need to remotely execute Windows PowerShell cmdlets on VM1.

What should you do?

A. Run the winrm.exe command and specify the –s parameter.

B. Run the Powershell.exe command and specify the –Command parameter.

C. Run the Receive-PSSession cmdlet and specify the –Name parameter.

D. Run the Invoke-Command cmdlet and specify the –VMName parameter.

Correct Answer: D

Explanation

We can use Windows PowerShell Direct to run PowerShell cmdlets on a virtual machine from the Hyper-V

host. Because Windows PowerShell Direct runs between the host and virtual machine, there is no need for

a network connection or to enable remote management.

There are no network or firewall requirements or special configuration. It works regardless of your remote

management configuration. To use it, you must run Windows 10 or Windows Server Technical Preview on

the host and the virtual machine guest operating system.

To create a PowerShell Direct session, use one of the following commands:

Enter-PSSession -VMName VMName

Invoke-Command -VMName VMName -ScriptBlock {commands}

You are the desktop administrator for a small company.

Your workgroup environment consists of Windows 10 Enterprise computers. You want to prevent 10 help

desk computers from sleeping. However, you want the screens to shut off after a certain period of time if

the computers are not being used.

You need to configure and apply a standard power configuration scheme for the 10 help desk computers

on your network.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Import the power scheme by using POWERCFG /IMPORT on each of the remaining help desk

computers. Set the power scheme to Active by using POWERCFG /S.

B. Use POWERCFG /X on one help desk computer to modify the power scheme to meet the

requirements. Export the power scheme by using POWERCFG /EXPORT.

C. Use POWERCFG /S on one help desk computer to modify the power scheme to meet the

requirements. Export the power scheme by using POWERCFG /EXPORT.

D. Import the power scheme by using POWERCFG /IMPORT on each of the remaining help desk

computers. Set the power scheme to Active by using POWERCFG /X.

Correct Answer: AB

Explanation

You can use the Powercfg.exe tool to control power settings and configure computers to default to

Hibernate or Standby modes.

In this question, we use POWERCFG /X on one help desk computer to modify the power scheme to meet

our requirements. After configuring the required settings, we can export the power scheme settings to a file

by using POWERCFG /EXPORT. We can then import the power scheme from the file on each of the

remaining help desk computers by using POWERCFG /IMPORT. After importing the power scheme on the

remaining computers, we need to set the new power scheme to be the active power scheme by using

POWERCFG /S.

You are an IT consultant for small and mid-sized business.

One of your clients wants to start using Virtual Smart Cards on its Windows 10 Enterprise laptops and

tablets. Before implementing any changes, the client wants to ensure that the laptops and tablets support

Virtual Smart Cards.

You need to verify that the client laptops and tablets support Virtual Smart Cards.

What should you do?

A. Ensure that each laptop and tablet has a Trusted Platform Module (TPM) chip of version 1.2 or greater.

B. Ensure that BitLocker Drive Encryption is enabled on a system drive of the laptops and tablets.

C. Ensure that each laptop and tablet can read a physical smart card.

D. Ensure that the laptops and tablets are running Windows 10 Enterprise edition.

Correct Answer: A

Explanation

A Trusted Platform Module (TPM) chip of version 1.2 or greater is required to support Virtual Smart Cards.

Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by

using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but

they use the Trusted Platform Module (TPM) chip that is available on computers in many organizations,

rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created

in the TPM, where the keys that are used for authentication are stored in cryptographically secured

hardware.

You deploy several tablet PCs that run Windows 10 Enterprise.

You need to minimize power usage when the user presses the sleep button.

What should you do?

A. In Power Options, configure the sleep button setting to Sleep.

B. In Power Options, configure the sleep button setting to Hibernate.

C. Configure the active power plan to set the system cooling policy to passive.

D. Disable the C-State control in the computer's BIOS.

Correct Answer: B

Explanation

We can minimize power usage on the tablet PCs by configuring them to use Hibernation mode. A

computer in hibernation mode uses no power at all. Hibernation is a power-saving state designed primarily

for laptops. While sleep puts your work and settings in memory and draws a small amount of power,

hibernation puts your open documents and programs on your hard disk, and then turns off your computer.

Of all the power-saving states in Windows, hibernation uses the least amount of power. On a laptop, use

hibernation when you know that you won't use your laptop for an extended period and won't have an

opportunity to charge the battery during that time.

A company has an Active Directory Domain Services (AD DS) domain. All client computers run Windows

10 Enterprise. Some computers have a Trusted Platform Module (TPM) chip.

You need to configure a single Group Policy object (GPO) that will allow Windows BitLocker Drive

Encryption on all client computers.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Enable the Require additional authentication at startup policy setting.

B. Enable the Enforce drive encryption type on operating system drives policy setting.

C. Enable the option to allow BitLocker without a compatible TPM.

D. Configure the TPM validation profile to enable Platform Configuration Register indices (PCRs) 0, 2, 4,

and 11.

Correct Answer: AC

Explanation

We need to allow Windows BitLocker Drive Encryption on all client computers (including client computers

that do not have Trusted Platform Module (TPM) chip). We can do this by enabling the option to allow

BitLocker without a compatible TPM in the group policy. The `Allow BitLocker without a compatible TPM'

option is a checkbox in the `Require additional authentication at startup' group policy setting. To access the

`Allow BitLocker without a compatible TPM' checkbox, you need to first select Enabled on the `Require

additional authentication at startup' policy setting.

You manage Microsoft Intune for a company named Contoso. Intune client computers run Windows 10

Enterprise.

You notice that there are 25 mandatory updates listed in the Intune administration console.

You need to prevent users from receiving prompts to restart Windows following the installation of

mandatory updates.

Which policy template should you use?

A. Microsoft Intune Agent Settings

B. Windows Configuration Policy

C. Microsoft Intune Center Settings

D. Windows Custom Policy (Windows 10 and Windows 10 Mobile)

Correct Answer: A

Explanation

To configure the Prompt user to restart Windows during Intune client agent mandatory updates update

policy setting you have to configure the Microsoft Intune Agent Settings policy. Setting the Prompt user to

restart Windows during Intune client agent mandatory updates setting to No would prevent users from

receiving prompts to restart Windows following the installation of mandatory updates.

Your network contains an Active Directory domain named contoso.com. Contoso.com is synchronized to a

Microsoft Azure Active Directory. You have a Microsoft Intune subscription.

Your company plans to implement a Bring Your Own Device (BYOD) policy. You will provide users with

access to corporate data from their personal iOS devices.

You need to ensure that you can manage the personal iOS devices.

What should you do first?

A. Install the Company Portal app from the Apple App Store.

B. Create a device enrollment manager account.

C. Set a DNS alias for the enrollment server address.

D. Configure the Intune Service to Service Connector for Hosted Exchange.

E. Enroll for an Apple Push Notification (APN) certificate.

Correct Answer: E

Explanation

An Apple Push Notification service (APNs) certificate must first be imported from Apple so that you can

manage iOS devices. The certificate allows Intune to manage iOS devices and institutes an accredited and

encrypted IP connection with the mobile device management authority services.

You have an Active Directory domain named contoso.com that contains a deployment of Microsoft System

Center 2012 Configuration Manager Service Pack 1 (SP1). You have a Microsoft Intune subscription that is

synchronized to contoso.com by using the Microsoft Azure Active Directory Synchronization Tool

(DirSync.) You need to ensure that you can use Configuration Manager to manage the devices that are

registered to your Microsoft Intune subscription.

Which two actions should you perform? Each correct answer presents a part of the solution.

A. In Microsoft Intune, create a new device enrollment manager account.

B. Install and configure Azure Active Directory Synchronization Services (AAD Sync.)

C. In Microsoft Intune, configure an Exchange Connector.

D. In Configuration Manager, configure the Microsoft Intune Connector role.

E. In Configuration Manager, create the Microsoft Intune subscription.

Correct Answer: DE

Explanation

To allow Configuration Manager to manage mobile devices in the same context as other devices, it

requires you to create a Windows Intune subscription and synchronize user accounts from Active Directory

to Microsoft Online. to achieve that, you are required to complete the following tasks:

References: http://blogs.technet.com/b/configmgrteam/archive/2013/03/20/configuring- configurationmanager-

sp1-to-manage-mobile-devices-using-windows-intune.aspx

You have a Microsoft Intune subscription.

You have three security groups named Security1, Security2 and Security3. Security1 is the parent group of

Security2. Security2 has 100 users.

You need to change the parent group of Security2 to be Security3.

What should you do first?

A. Edit the properties of Security1.

B. Edit the properties of Security2.

C. Delete security2.

D. Remove all users from Security2.

Correct Answer: C

Explanation

You cannot change the parent group of a security group in Microsoft Intune. You can only delete the group

and recreate another group with the correct parent. Deleting a group does not delete the users that belong

to that group. Therefore, you do not need to remove the users from the group; you can just delete the

group and recreate it.

DRAG DROP

You manage Microsoft Intune for a company named Contoso. You have 200 computers that run Windows

10. The computers are Intune clients.

You need to configure software updates for the clients.

Which policy template should you use to configure each software updates setting? To answer, drag the

appropriate policy templates to the correct settings. Each policy template may be used once, more than

once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place: