Download Windows 10.MD-100.CertDumps.2020-10-07.149q.vcex

The requirement states: Automate the configuration of the contractors’ computers. The solution must provide a configuration file that the contractors can open from a Microsoft SharePoint site to apply the required configurations. The ‘configuration file’ in this case is known as a ‘provisioning package’. A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Imaging and Configuration Designer (ICD) tool. References:https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icdhttps://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-packages

The case study states: User10 reports that Computer10 is not activated.The solution is to perform a local AutoPilot Reset on the computer.  This will restore the computer settings to a fully-configured or known IT-approved state. When User10 signs in to the computer after the reset, the computer should activate. You can use Autopilot Reset to remove personal files, apps, and settings from your devices. The devices remain enrolled in Intune and are returned to a fully-configured or known IT-approved state. You can Autopilot Reset a device locally or remotely from the Intune for Education portal. Incorrect Answers:A: All users have Microsoft 365 E3 licenses.  This license includes Windows 10 Enterprise so we don’t need to assign a Windows 10 Enterprise license to User10. B: Volume License Keys aren’t required.C: Volume License Keys aren’t required.References:https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing https://docs.microsoft.com/en-us/intune-education/autopilot-reset

The requirement states: The computers in the San Diego office must be upgraded automatically to Windows 10 Enterprise and must be joined to Azure AD the first time a user starts each new computer. End users must not be required to accept the End User License Agreement (EULA). Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices.  The OEM Windows 10 installation on the new computers can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. The only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated. References:https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot

The requirement states: Kiosk (assigned access) must be configured on Computer1.Kiosk (assigned access) is a feature on Windows 10 that allows you to create a lockdown environment that lets users interact with only one app when they sign into a specified account. With Kiosk (assigned access), users won't be able to get to the desktop, Start menu, or any other app, including the Settings app. Box 1: User 11Kiosk (assigned access) must be configured by a user who is a member of the Local Administrators group on the Computer.  Box 2: User 12.Kiosk (assigned access) must be configured for a user account that is a member of the Users group. References:https://www.windowscentral.com/how-set-assigned-access-windows-10

Windows 10 in S mode is a version of Windows 10 that's streamlined for security and performance, while providing a familiar Windows experience. To increase security, it allows only apps from the Microsoft Store, and requires Microsoft Edge for safe browsing. Azure AD Domain join is available for Windows 10 Pro in S mode and Windows 10 Enterprise in S mode. It's not available in Windows 10 Home in S mode. References:https://support.microsoft.com/en-gb/help/4020089/windows-10-in-s-mode-faq

You can configure one of the computers as a Key Management Service (KMS) host and activate the KMS host by phone.  The other computers in the isolated network can then activate using the KMS host. Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services. References:https://docs.microsoft.com/en-us/windows/deployment/volume-activation/activate-using-key-management-service-vamt

The User State Migration Tool (USMT) includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer.  In this case the source and destination will be the same computer. As we have performed a clean installation of Windows 10 without formatting the drives, User1’s customized Windows 7 user profile will be located in the \Windows.old folder.  Therefore, we need to run scanstate.exe on the \Windows.old folder.   User1’s Windows 10 profile will be in the C:\Users folder so we need to run loadstate.exe to apply the changes in the C:\Users folder.References:https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-how-it-workshttps://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-common-migration-scenarios#bkmk-fourpcrefresh

Configuring Application1 to sign in as the LocalSystem account would ensure that the identity used by Application1 cannot be used by a user to sign in to the desktop on Computer1.  However, this does not use the principle of least privilege. The LocalSystem account has full access to the system.  Therefore, this solution does not meet the goal. Reference:https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-locally

By using the Service1 account as the identity used by Application1, we are applying the principle of least privilege as required in this question.   However, the Service1 account could be used by a user to sign in to the desktop on the computer.  To sign in to the desktop on the computer, an account needs the log on locally right which all user accounts have by default. Therefore, we can prevent this by assigning Service1 the deny log on locally user right. References:https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-locally

A service account needs the log on as a service user right.  When you assign an account to be used by a service, that account is granted the log on as a service user right.  Therefore, assigning Service1 the deny log on as a service user right would mean the service would not function. To sign in to the desktop on the computer, an account needs the log on locally right which all user accounts have by default.  To meet the requirements of this question, we need to assign Service1 the deny log on locally user right, not the deny log on as a service user right. References:https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service