Exam MS-100 topic 3 question 14 discussion

According to me the correct answer is No, No, Yes. User 1 cannot enroll the Windows device because Policy 3 is applied to him via Group 1 . User 2 cannot enroll the Android device because policy 2 is applied to him via Group 2. Policy 3 is also assigned to him via Group 1 but has a lower priority than Policy 2 and is therefore overruled. User 3 can enroll any type of device because he is assigned as Device Enrollment Manager and Device restriction do not apply to them as stated here: https://docs.microsoft.com/en-us/intune/enrollment/enrollment-restrictions-set#create-a-device-limit-restriction

Box 1: No. User1 is in Group1. The two device type policies that apply to Group1 are Policy3 and the Default (All Users) policy. However, Policy3 has a higher priority than the default policy so Policy3 is the only effective policy. Policy3 allows the enrolment of Android and iOS devices only, not Windows. Box 2: No. User2 is in Group1 and Group2. The device type policies that apply to Group1 and Group2 are Policy2, Policy3 and the Default (All Users) policy. However, Policy2 has a higher priority than Policy 3 and the default policy so Policy2 is the only effective policy. Policy2 allows the enrollment of Windows devices only, not Android. Box 3: Yes. User3 is a device enrollment manager. Device restrictions to not apply to a device enrollment manager. Reference: https://docs.microsoft.com/en-us/intune/enrollment/enrollment-restrictions-set

no,no,NO I tested the User 3 question and when the Default Platform type policy is turn off iOS enrollment. DEM account (User 3) CANNOT enroll. After login on iOS during enrollment DEM account just like any other will get "Something went wrong" Error. Also the question maybe outdated, since Old interface is 1 policy can be set to multiple Platform but now all the policy are by Platform type in different type. So just to recreate Policy 1, you cannot just create Policy 1, but create 3 different policy than can be same name or different name to allow the platform. So it is possible that when the question is written DEM is allow to bypass, but currently (Jan 22, 2023) DEM is Blocked from enrolling iOS device when the iOS Platform is BLOCKED.

I go with N N Y as user3 assign with device enroll manager

No, No, No. The Device Enrollment Manager can't enroll iOS. It also can only enroll a personal Android with work profile, not corporate owned or fully managed. https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll

no, no, NO. "DEM isn't compatible with Apple Automated Device Enrollment (ADE)." https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#apple-automated-device-enrollment

no, no, NO. "DEM isn't compatible with Apple Automated Device Enrollment (ADE)." https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#apple-automated-device-enrollment

Is this really MS-100?

Should No, NO. No. Device restrictions do not applu to device enrollment manager only in Windows 10, hence he can not enroll IOS

No No No Part 3: This seems to be misunderstood by many people: DEM accounts are subject to device type restrictions just like other users. If you don't believe me , test it for yourself.

Priority is used when a user exists in multiple groups that are assigned restrictions. Users are subject only to the highest priority restriction assigned to a group that they are in. For example, Joe is in group A assigned to priority 5 restrictions and also in group B assigned to priority 2 restrictions. Joe is subject only to the priority 2 restrictions. Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set#change-enrollment-restriction-priority

If the solution is restricted by Priority, the answer is: User 1, Group 1: Policy 3 only. User 2, Group 1,2: Policy 2 only. User 3, No group, DEM: All devices. Question 1: No. Question 2: No. Question 3: Yes.

- Conditions: Include All device state, exclude Device marked as compliant ✑ Access controls is set to Block access. Means that all compliant devices will be excluded from the policy. The policy is set to "Block". Thus... N/Y/Y

N, N, Y for sure. cfalci

This is the right link "https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#:~:text=If%20you're%20enrolling%20Android,DEM%20accounts%20isn't%20supported." In this case the restrictions do not apply to a DEM account, but number of devices that can be enrolled does apply to a DEM account.

No No - higher priority wins Yes - DEM roles guys!

User2 -> No Reference search for the name "multiple groups" https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set