MD-102 · Study Guide

This domain is about how Windows reaches the user's device: from choosing the right Windows 11 edition, through activation methods, to modern provisioning tools. Windows Autopilot is the most heavily tested method and has a dedicated tab just for it.

1.1 · Windows 11 editions and licensing

The first step of any deployment is choosing the right edition. Each edition has different capabilities and audiences:

← drag the table sideways to see all columns

Important Windows features · what each edition supports

This table is pure gold for the exam. A question like "I need Credential Guard — what's the minimum edition?" can show up, and you need to know.

* BitLocker on Home is only limited "Device Encryption", without GPO/Intune control.

What each security feature does

• BitLocker: encrypts the entire disk. Protects data if the device is stolen.
• AppLocker: controls which applications can run (allowlist/blocklist by publisher, hash or path).
• WDAC (Windows Defender Application Control): a more robust version of AppLocker, based on digital signature policies. Recommended for zero trust.
• Credential Guard: uses virtualization to protect credentials (NTLM hash, Kerberos ticket) against attacks like pass-the-hash. Requires TPM 2.0 and Secure Boot.
• SmartScreen: blocks malicious downloads and websites (all editions have it).
• Windows Sandbox: a disposable isolated environment to test suspicious apps (Pro+).
• Memory Integrity (HVCI): kernel memory protection via virtualization.
• Tamper Protection: prevents malware from disabling Defender (all editions).

Windows activation methods

There are four activation methods you need to know:

• MAK (Multiple Activation Key): a single key that activates a limited number of devices. Each activation consumes one "unit". Used in small or disconnected environments.
• KMS (Key Management Service): an on-premises server that activates clients on the internal network. Clients must contact the KMS at least once every 180 days to keep activation.
• ADBA (Active Directory-Based Activation): activation happens automatically when the device joins the AD domain. No dedicated KMS server needed.
• Subscription Activation: the device "steps up" in edition (Pro → Enterprise) automatically when the user signs in with an Entra ID account licensed with Windows 11 Enterprise E3/E5. It's the modern method and the most tested on the exam.

1.2 · Windows deployment methods

There are several ways to install Windows on a device, from the most modern (cloud-first) to the most traditional (on-premises):

Windows Autopilot (cloud-first, modern)

Lets brand-new devices ship straight from the vendor to the end user, with everything configured automatically on the first boot. It's the most heavily tested method on the exam.

Provisioning Packages (Windows Configuration Designer)

.ppkg files created in the Windows Configuration Designer tool. They can be applied via USB drive, email, network share or directly during the OOBE (Out-of-Box Experience). Useful for configuring Wi-Fi, certificates, policies and even bulk Entra ID join, without needing Intune. Good for offline scenarios or networks with limited connectivity.

Configuration Manager (formerly SCCM)

Microsoft's on-premises solution for large-scale deployment. Supports task sequences to image devices, OSD (Operating System Deployment) with PXE boot, and integration with Intune via co-management.

MDT and WDS (legacy)

Traditional tools to create and deploy images over the network using PXE boot. They still exist, but are considered legacy. Microsoft strongly recommends migrating to Autopilot.

1.3 · Upgrade paths and updates

There are three main ways to move between Windows versions:

• In-place upgrade: upgrades while keeping apps, files and settings. Supported from Windows 10 → 11 (if the hardware meets the requirements).
• Wipe-and-load: wipes everything and installs a fresh image. Used when refreshing old hardware.
• Side-by-side migration: migration between two devices (hardware replacement).

Feature Updates vs Quality Updates

1.4 · Windows 365 and Azure Virtual Desktop

These are Cloud PC services: instead of Windows running on the physical laptop, it runs on a virtual machine in the cloud that the user accesses remotely.

The management of Windows 365 (Cloud PC types and Provisioning Policies) is detailed in Domain 3.

This domain covers how the device "presents itself" to Entra ID and how to ensure it meets security rules before accessing corporate resources. Here is the part that confuses the most: the join types (device states).

2.1 · The 3 device states in Entra ID

This is probably the most heavily tested area of the exam. When a device "appears" in Entra ID, it can be in one of three states:

1. Microsoft Entra Joined (Entra Joined)
2. Microsoft Entra Hybrid Joined (Hybrid Joined)
3. Microsoft Entra Registered (also called Workplace Join)

🔷 Entra Joined

The device is a "citizen" of Entra ID, with no connection to on-premises Active Directory. The user signs in to Windows with the corporate Entra ID account (name@company.com).

• Who authenticates: the Entra ID work account
• Device owner: the organization (corporate-owned)
• OS: Windows 10/11 Pro, Enterprise, Education (Home not supported)
• Receives a Primary Refresh Token (PRT) at sign-in → automatic SSO to Microsoft 365 and SaaS apps
• Management: Microsoft Intune (full MDM)
• Use case: cloud-first environment, modern companies, startups, organizations without heavy dependence on on-premises legacy apps

🔶 Entra Hybrid Joined

The device is "in two homes" at the same time: joined to on-premises AD and registered in Entra ID. It's the bridge state for companies that still have on-prem AD but want Entra benefits (cloud SSO, Conditional Access, Intune).

• Who authenticates: the AD account (synced to Entra ID via Entra Connect or Entra Cloud Sync)
• Device owner: the organization
• OS: Windows only (10/11 Pro, Enterprise, Education)
• Needs line of sight to a Domain Controller on-premises (a problem for remote users!)
• Supports Kerberos/NTLM for on-premises legacy apps (file shares, internal apps)
• Group Policy (GPO) keeps working
• Use case: companies in transition, legacy apps that depend on AD, Kerberos file shares

🟡 Entra Registered (Workplace Join)

The device is personal — it belongs to the user, not the organization. The user simply "registers" the device to access company resources (email, Teams, etc.) without losing control of their own device.

• Who authenticates: personal account + an additional work account for specific apps
• Device owner: the user (BYOD)
• OS: ⭐ Windows 10/11, macOS, iOS, iPadOS, Android, Linux — it's the only state that supports everything
• Management: usually MAM (Mobile Application Management), not full MDM. The company controls only the corporate apps, not the entire device.
• SSO: more limited — works for specific cloud apps
• Use case: BYOD, personal phones accessing corporate email, contractors

📊 Full comparison table

← arraste a tabela para o lado para ver todas as colunas

2.2 · Entra ID join and automatic enrollment

For a Windows device that does Entra ID join to be automatically enrolled in Intune, you need to turn on Automatic MDM enrollment:

Entra admin center → Mobility (MDM and WIP) → Microsoft Intune → set the MDM user scope to All (or to a group). Without this, the device joins Entra but never enrolls in Intune — it's the most common configuration mistake.

2.3 · Company Portal

The Company Portal is the app through which the end user interacts with Intune: installs optional apps, sees the device compliance status and performs self-service actions.

In Intune admin center → Tenant administration → Customization you can customize logo and colors, company name, support contacts, welcome message, featured apps and which actions the user can perform (rename device, retire, etc.).

2.4 · Device authentication

Windows Hello for Business (WHfB)

Replaces passwords with biometrics (fingerprint, facial recognition) or a PIN. Important: the WHfB PIN is not a password — it's tied to the device's TPM and never leaves the hardware.

• Cloud trust (recommended): uses Entra ID Kerberos. No on-premises PKI needed.
• Hybrid certificate trust: uses certificates issued by an on-premises CA.
• Hybrid key trust: uses keys in the TPM; requires Kerberos configuration.

FIDO2 / Passkeys

Physical security keys (USB, NFC) or passkeys stored on devices. They enable full passwordless sign-in.

Multi-Factor Authentication (MFA)

Combines something you know (password) + something you have (phone, token) + something you are (biometrics). Configured in Conditional Access or via Security Defaults.

2.5 · Compliance Policies

A Compliance Policy in Intune defines which rules a device must meet to be considered "compliant". Examples: minimum OS version, BitLocker enabled, Secure Boot, up-to-date antivirus, no jailbreak/root, minimum password complexity, low risk score in Defender for Endpoint.

Actions for noncompliance

When a device becomes non-compliant, you can chain actions: mark as noncompliant (immediately or after X grace days), send email to the user, send a push notification, remotely lock the device or retire it (remove corporate data).

2.6 · Conditional Access (CA)

It's the "gatekeeper" of Entra ID. A CA policy has two sides: the conditions (when the policy applies) and the controls (what to require).

Report-only mode

Before turning on a policy in production, put it in Report-only. It's evaluated on every sign-in but not enforced — it only logs what would have happened. Excellent for testing without breaking anything.

2.7 · Intune RBAC and Scope Tags

In large organizations you want to separate who can manage what. Intune has three concepts:

• Roles: "School Administrator", "Help Desk Operator", "Policy and Profile Manager", etc.
• Scope Tags: tags that limit which resources an admin sees. E.g. the "Lisbon" scope tag makes the admin see only the devices from the Lisbon office.
• Assignments: who the role/scope is assigned to.

This is the largest domain and where you need to focus the most. It covers everything that happens after the device is enrolled in Intune: configuration, security, updates, monitoring, Defender, Windows 365 and BitLocker. Windows Autopilot has its own tab.

3.1 · Device enrollment

The enrollment is the process by which a device "joins" Intune to be managed. Each OS has its own method:

🔍 Android Enterprise · the 4 modes

Android is the most complex platform in Intune because it has 4 completely different scenarios, each with its own enrollment flow, capabilities and use cases.

• Fully Managed: 100% company-owned device, no personal space. Enrolls via factory reset → afw#setup / QR code / NFC. Apps only via Managed Google Play. For corporate phones assigned individually.
• Dedicated: single-purpose, no assigned user. Works as a kiosk (single-app or multi-app). Enrolls via QR code / NFC / Zero-Touch. For inventory terminals, barcode scanners, ordering machines.
• COPE (Corporate-Owned Work Profile): company-owned device, but personal use is allowed. It has two separate profiles. The admin only sees the work side and can wipe the whole device or just the work profile. For managers and sales staff.
• Work Profile (BYOD): user-owned device; the company creates only an isolated work profile. The admin doesn't see personal apps, photos or contacts. Only the work profile can be wiped (retire). For employees using their personal phone for email/Teams.

← arraste a tabela para o lado para ver todas as colunas

3.2 · Configuration Profiles

Configuration Profiles deliver settings to devices (Wi-Fi, VPN, restrictions, certificates, etc.). The main types:

• Settings Catalog: the modern, recommended method. Thousands of granular, searchable and always up-to-date settings.
• Templates: ready-made groups by category (Device restrictions, Endpoint protection, VPN, Wi-Fi, etc.). They are gradually being replaced by the Settings Catalog.
• Administrative Templates (ADMX): the cloud equivalent of classic ADMX GPOs.
• Custom (OMA-URI): only for very specific settings that are not yet in the Settings Catalog.

Security Baselines

These are pre-configured sets of Microsoft-recommended settings (baseline for Windows, Defender for Endpoint, Edge). They apply dozens of security best practices at once, instead of you configuring each item manually.

3.3 · Remote Actions

Actions you run remotely on a device in Intune. The most heavily tested are the "wipe" ones:

Other useful actions: Sync, Restart, Remote lock, Reset passcode, Locate device, Rename, Collect diagnostics and Quick/Full scan (Defender).

3.4 · Microsoft Defender for Endpoint (MDE)

It's Microsoft's EDR (Endpoint Detection and Response) platform, far beyond a traditional antivirus. Main components:

• Next-gen antivirus: real-time protection, cloud-delivered protection.
• EDR: detects suspicious behavior, not just known malware.
• Attack Surface Reduction (ASR): blocks common attack techniques (macros, scripts, ransomware behavior).
• Threat & Vulnerability Management (TVM): identifies vulnerabilities on devices.
• Automated Investigation and Remediation (AIR): automated incident response.

Risk-based Conditional Access

MDE assigns a Machine Risk Score to each device (Low, Medium, High). You integrate this into a Compliance Policy (e.g. "Medium or higher = non-compliant"), and Conditional Access requires a compliant device. The result is an automatic defense loop: Defender → Compliance → Conditional Access.

3.5 · Microsoft Intune Suite

The Intune Suite is a package of advanced capabilities beyond Plan 1 (which comes with Microsoft 365 E3/E5). The exam loves testing which plan includes what.

• Remote Help: cloud-based remote support. The technician requests a session, the user accepts. It's not Remote Desktop and doesn't need a VPN.
• Endpoint Privilege Management (EPM): temporary (just-in-time) privilege elevation for users without admin rights. Supports zero trust.
• Enterprise App Management (EAM): a curated catalog of third-party apps with automated deployment and patching (over 900 apps).
• Cloud PKI: certificate issuance directly in Intune, without on-premises PKI.

3.6 · Microsoft Tunnel

Microsoft Tunnel is a VPN gateway managed by Intune that lets mobile devices (iOS/iPadOS and Android) securely access on-premises resources, using modern authentication and Conditional Access — without a third-party VPN.

It runs on a Linux server (Docker or Podman container), on the corporate network or in Azure. Microsoft Defender for Endpoint acts as the VPN client on the device (it's required). Authentication goes through Entra ID, and Conditional Access can require a compliant device.

Tunnel for MAM (unenrolled devices)

It's the most heavily tested version, along with BYOD scenarios. Classic Tunnel only works on MDM-enrolled devices; Tunnel for MAM extends VPN access to within the app, without requiring enrollment.

3.7 · Windows Autopatch and Update Rings

Windows Autopatch is the Microsoft-managed service that fully automates update deployment: it creates the rings, monitors success and performs automatic rollback if there's a problem. It covers Windows, Microsoft 365 Apps, Edge and Teams. Requires Windows 11 Enterprise E3/E5.

When you want manual control, you use Update Rings (Windows Update for Business): groups of devices with a deferral period (how many days to defer), a deadline (time limit to install) and a grace period. The standard is to organize them into progressive rings — pilots first, production later.

3.8 · BitLocker and encryption

BitLocker encrypts the entire disk. Through Intune, it's configured in Endpoint security → Disk encryption and can be enabled silently (without user interaction) using the TPM.

• Recovery key (Entra Joined): automatically stored in Entra ID when BitLocker is enabled via Intune. Accessible in Entra admin center → Devices → the device → BitLocker keys.
• Recovery key (Hybrid Joined): can go to on-premises AD or to Entra, depending on the configuration.
• Requirements: TPM 2.0 recommended; you can require a startup PIN for an extra layer.

3.9 · Endpoint Analytics

Endpoint Analytics gives insights about the user experience: boot/logon time (startup performance), app reliability and a Work-from-anywhere score. It includes Proactive Remediations: script packages (detection + fix) that run automatically on devices to resolve known issues before the user complains.

3.10 · Windows 365 · management

The concept of Windows 365 and the comparison with AVD are in Domain 1. Here it's only the management part.

Tipos de Cloud PC

• Windows 365 Business: for small companies (up to 300 Cloud PCs), simplified setup, no need for Intune/Azure.
• Windows 365 Enterprise: for larger companies, integrated with Intune and Entra ID, managed like any other endpoint. Supports Provisioning Policies.
• Windows 365 Frontline: for shift workers — multiple people share a set of licenses (non-concurrent use).

Provisioning Policies

In Windows 365 Enterprise, a Provisioning Policy defines how Cloud PCs are created: image (gallery or custom), region, join type (Entra Joined), network and the user group that receives the Cloud PCs. It's the equivalent of the "deployment profile" for Cloud PCs.

3.11 · Compliance · advanced scenarios

The basics of Compliance Policies are in Domain 2. Here are the details the exam tests in HOTSPOT questions: grace period, multiple policies and device limits.

Grace period in practice

When a Compliance Policy detects non-compliance, the "Mark device noncompliant" action has a default schedule of 0 days (immediate). But you can configure grace days:

Multiple policies on the same device

When a device receives two or more Compliance Policies, the rule is: the most restrictive wins. Example: if Policy 1 requires BitLocker (5-day grace) and Policy 2 requires Firewall (0-day grace), and the device has no Firewall → it's marked non-compliant immediately (because of Policy 2 with schedule 0), even though Policy 1 has a 5-day grace.

Actions for noncompliance — chainable sequence

Device limits · Entra ID vs Intune

These are two independent limit systems:

What Autopilot is

Windows Autopilot lets a new device go straight from the vendor to the user and configure itself on the first boot — without the IT team touching the machine, without creating an image. The device is already known to the Autopilot service (via the hardware hash), so when the user powers on and connects to the internet, the Entra join, Intune enrollment and app installation happen automatically.

The flow, in order

1. The device's hardware hash is registered in the Autopilot service (by the OEM or manually).
2. You create a Deployment Profile and assign it to the device group.
3. The user powers on the device and connects to the network in the OOBE.
4. Autopilot recognizes the device and applies the profile → Entra ID join.
5. Automatic Intune enrollment (thanks to Automatic MDM enrollment).
6. The Enrollment Status Page (ESP) applies policies and installs the mandatory apps.
7. The device is delivered ready to use.

Hardware hash

The hardware hash is a unique identifier generated from physical elements of the device (TPM, motherboard, CPU, NICs). It's how Autopilot "recognizes" each machine. Ways to obtain it:

• Directly from the OEM (Dell, HP, Lenovo): the vendor registers the hash in your tenant at purchase time. It's the ideal scenario at scale.
• Manually via PowerShell: with the Get-WindowsAutopilotInfo script, generating a CSV that you import into Intune.
• Via Configuration Manager: collects the hash from already-managed devices.

Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv

The 5 classic modes (Autopilot v1)

← arraste a tabela para o lado para ver todas as colunas

Autopilot v2 · Device Preparation

In 2024 Microsoft launched a simplified version: Autopilot Device Preparation (Autopilot v2). Differences:

• ⭐ No need to pre-register the hardware hash — the device is identified dynamically by the sign-in.
• Supports only User-driven and Automatic (for Windows 365).
• Supports only Entra Joined (no Hybrid).
• Near real-time reporting. Simpler, but less flexible.

Enrollment Status Page (ESP)

It's the page the user sees during the Autopilot setup. It shows progress and blocks device use until the policies and mandatory apps are installed. Important settings:

• Show app and profile configuration progress: shows or hides the ESP.
• Block device use until all apps and profiles are installed: prevents use until it finishes.
• Block device use until these required apps are installed: lets you choose Selected instead of All — recommended!
• Allow users to reset device if installation error occurs: gives the option to start over.
• Show error when installation takes longer than: timeout (default 60 min).

Deployment Profile · main fields

• Deployment mode: User-driven or Self-deploying.
• Join to Microsoft Entra ID as: Entra joined or Entra hybrid joined.
• Skip privacy settings, EULA, account setup.
• User account type: Standard (recommended) or Administrator.
• Apply device name template: e.g. LAB-%RAND:5% generates "LAB-A3F9B".
• Allow pre-provisioned deployment: Yes/No.
• Language (Region): only works with Ethernet (Wi-Fi requires user input).

md C:\HWID
Set-Location C:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv

(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))

It's the smallest domain by weight, but important: the real job of an endpoint admin is reliably getting apps onto devices. It covers app types, deployment methods and data protection.

4.1 · Application types in Intune

Win32 Content Prep Tool

A free tool that converts installers (.exe, .msi + configuration files) into .intunewin packages:

IntuneWinAppUtil.exe -c <source folder> -s <setup file> -o <output folder>

4.2 · Assignments

When assigning an app to a group, you choose the intent:

• Required: installs automatically, no user choice.
• Available for enrolled devices: appears in the Company Portal for optional installation.
• Uninstall: removes the app from devices that have it.
• Available with or without enrollment: for apps on non-MDM devices (iOS/Android only).

4.3 · App Protection Policies (APP / MAM)

These are policies that protect corporate data within apps, even on unmanaged devices. It's one of the most important topics in the domain and shows up a lot in BYOD scenarios.

Data Protection Framework · 3 levels

An App Protection Policy's settings fall into three groups: Data Protection (copy/paste, "save as", backup), Access Requirements (PIN, credentials, biometrics) and Conditional Launch (block if jailbreak/root, require minimum version, wipe after X days offline).

Selective wipe (app wipe)

One of the biggest advantages of App Protection Policies: you remove only the corporate data from an app, without touching personal data. Done in Intune → Apps → App selective wipe. Ideal when a BYOD employee leaves the company — their personal iPhone loses only the corporate data.

4.4 · App Configuration Policies

They let you pre-configure apps so the user doesn't have to set them up manually. E.g. set the corporate account in Outlook iOS, the Edge homepage, or Defender as the Tunnel for MAM client. Two delivery methods:

4.5 · Microsoft 365 Apps for Enterprise

It's the enterprise Office suite (Word, Excel, PowerPoint, Outlook, Teams, etc.) deployed and managed via Intune. Settings when adding: update channel, architecture (64-bit recommended), included apps, language and Shared Computer Activation.

Update channels

Shared Computer Activation

Lets multiple users use Office on the same shared device, each activating with their own account. Designed for AVD, RDS and kiosks. Without it, installing Office on a shared PC would violate licensing.

🎯 MeasureUp ↔ this material mapping

MeasureUp organizes questions into 4 functional areas (what you do as an Endpoint Admin), while this material follows the conceptual structure of the Microsoft domains (what you need to know). That's why there's overlap. Use this table to choose the modules when you select an area in MeasureUp:

📚 Microsoft Learn (official and free)

• MD-102 learning paths: learn.microsoft.com/training/courses/md-102t00
• Skills outline (official structure): aka.ms/MD-102-study-guide
• Intune docs: learn.microsoft.com/intune
• Autopilot docs: learn.microsoft.com/autopilot

🧪 Lab environment

• Microsoft 365 Developer Program: developer.microsoft.com/microsoft-365/dev-program — 25 free, renewable E5 licenses, with Intune included.
• Azure free account: US$200 of credit to test Windows 365 and AVD.

📝 Practice tests

• MeasureUp: official Microsoft practice test. Expensive, but the closest to the real thing.
• ExamTopics: real questions discussed by the community (double-check the answers, there are errors).
• Whizlabs / Pluralsight: good courses with practice tests included.

⏱️ Suggested plan · next 6 weeks