Download Windows 10.MD-100.PrepAway.2021-03-18.132q.vcex

The case study states: User10 reports that Computer10 is not activated.The solution is to perform a local AutoPilot Reset on the computer.  This will restore the computer settings to a fully-configured or known IT-approved state. When User10 signs in to the computer after the reset, the computer should activate. You can use Autopilot Reset to remove personal files, apps, and settings from your devices. The devices remain enrolled in Intune and are returned to a fully-configured or known IT-approved state. You can Autopilot Reset a device locally or remotely from the Intune for Education portal. Incorrect Answers:A: All users have Microsoft 365 E3 licenses.  This license includes Windows 10 Enterprise so we don’t need to assign a Windows 10 Enterprise license to User10. B: Volume License Keys aren’t required.C: Volume License Keys aren’t required.References:https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing https://docs.microsoft.com/en-us/intune-education/autopilot-reset

The requirement states: The computers in the San Diego office must be upgraded automatically to Windows 10 Enterprise and must be joined to Azure AD the first time a user starts each new computer. End users must not be required to accept the End User License Agreement (EULA). Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices.  The OEM Windows 10 installation on the new computers can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. The only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated. References:https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot

The requirement states: Kiosk (assigned access) must be configured on Computer1.Kiosk (assigned access) is a feature on Windows 10 that allows you to create a lockdown environment that lets users interact with only one app when they sign into a specified account. With Kiosk (assigned access), users won't be able to get to the desktop, Start menu, or any other app, including the Settings app. Box 1: User 11Kiosk (assigned access) must be configured by a user who is a member of the Local Administrators group on the Computer.  Box 2: User 12.Kiosk (assigned access) must be configured for a user account that is a member of the Users group. References:https://www.windowscentral.com/how-set-assigned-access-windows-10

You can configure one of the computers as a Key Management Service (KMS) host and activate the KMS host by phone.  The other computers in the isolated network can then activate using the KMS host. Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services. References:https://docs.microsoft.com/en-us/windows/deployment/volume-activation/activate-using-key-management-service-vamt

Windows 10 in S mode is a version of Windows 10 that's streamlined for security and performance, while providing a familiar Windows experience. To increase security, it allows only apps from the Microsoft Store, and requires Microsoft Edge for safe browsing. Azure AD Domain join is available for Windows 10 Pro in S mode and Windows 10 Enterprise in S mode. It's not available in Windows 10 Home in S mode. References:https://support.microsoft.com/en-gb/help/4020089/windows-10-in-s-mode-faq

Configuring Application1 to sign in as the LocalSystem account would ensure that the identity used by Application1 cannot be used by a user to sign in to the desktop on Computer1.  However, this does not use the principle of least privilege. The LocalSystem account has full access to the system.  Therefore, this solution does not meet the goal. Reference:https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-locally

By using the Service1 account as the identity used by Application1, we are applying the principle of least privilege as required in this question.   However, the Service1 account could be used by a user to sign in to the desktop on the computer.  To sign in to the desktop on the computer, an account needs the log on locally right which all user accounts have by default.  Therefore, we can prevent this by assigning Service1 the deny log on locally user right. References:https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-locally

A service account needs the log on as a service user right.  When you assign an account to be used by a service, that account is granted the log on as a service user right.  Therefore, assigning Service1 the deny log on as a service user right would mean the service would not function. To sign in to the desktop on the computer, an account needs the log on locally right which all user accounts have by default.  To meet the requirements of this question, we need to assign Service1 the deny log on locally user right, not the deny log on as a service user right. References:https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service

Windows Hello facial recognition requires an infrared (IR) camera.  If your device does not have an infrared camera (or any other biometric device such as a fingerprint scanner), you will see the message shown in the exhibit. The question states that Device Manager shows all hardware is working properly.  Therefore, it is not the case that the computer has an IR camera but it isn’t working properly.  The problem must be that the computer does not have an IR camera. Incorrect Answers:B: Windows 10 Enterprise is not required for Windows Hello.  Windows Hello also works on Windows 10 Pro.C: UEFI Secure Boot is not required for Windows Hello.D: A virtual TPM driver is not required for Windows Hello.References:https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide

A common way to add a feature such as Hyper-V in MDT is to use the Install Roles and Features task sequence action.  However, that is not an option in this question. The two valid options are to a command to the Unattend.xml file or to add a task sequence step that runs  dism.exe. To add Hyper-V using dism.exe, you would run the following dism command:DISM /Online /Enable-Feature /All /FeatureName:Microsoft-Hyper-VReferences:https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image https://mdtguy.wordpress.com/2016/09/14/mdt-fundamentals-adding-features-using-dism-from-within-the-task-sequence/ https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v