MD-102 Notes

What is Azure AD (Entra ID)?

Cloud-based identity and access management service.

What is Azure AD Joined device?

Device joined directly to cloud directory only.

What is Hybrid Azure AD Joined?

Device joined to on-prem AD and synced to Azure AD.

What is Azure AD Registered?

Personal/BYOD device registered but not fully joined.

When use Hybrid Join?

When organization still uses on-prem AD.

What is MDM?

Mobile Device Management (device-level control).

What is MAM?

Mobile Application Management (app-level control without full device control).

What is automatic enrollment?

Devices enroll into Intune automatically when joined to Azure AD.

What is BYOD?

Bring Your Own Device (personal device used for work).

Corporate vs BYOD difference?

Corporate = full control, BYOD = limited control.

What is Windows Autopilot?

Cloud-based device deployment without imaging.

Main goal of Autopilot?

Zero-touch provisioning.

What is required for Autopilot?

Device hardware hash registered in Intune.

Autopilot user-driven mode?

User logs in and completes setup.

Autopilot self-deploying mode?

Fully automated deployment with no user input.

Autopilot pre-provisioned?

IT preloads apps/policies before user receives device.

What does Autopilot configure?

Azure AD join, Intune enrollment, apps, policies.

Autopilot vs imaging?

Autopilot is cloud-based, imaging is traditional/manual.

User group vs device group?

User group targets users, device group targets devices.

What is a configuration profile?

Policy that applies settings to devices.

Settings catalog?

Central location for configuring device settings in Intune.

What causes policy not applying?

Wrong group, device not enrolled, license missing, conflicts.

What is device check-in?

Device syncing with Intune to receive policies.

What are scope tags?

Used to control visibility of resources in Intune.

What is a compliance policy?

Rules that determine if a device is secure.

Examples of compliance settings?

BitLocker, password, OS version.

What happens if device is non-compliant?

Marked non-compliant in Intune.

Does compliance block access by itself?

No, requires Conditional Access.

Compliance + Conditional Access?

Enforces access restrictions.

What is Conditional Access?

Policy that controls access based on conditions.

Conditions in CA?

User, device, location, risk.

Controls in CA?

Allow, block, require MFA, require compliant device.

Main goal of CA?

Enforce Zero Trust security.

Example CA scenario?

Block access if device is non-compliant.

What is a Win32 app?

Advanced app deployment (.intunewin format).

What is LOB app?

Line-of-business app, simpler deployment.

Required app?

Installs automatically.

Available app?

User installs from Company Portal.

What is detection rule?

Determines if app is already installed.

First troubleshooting step?

Check Intune device/app install status.

Where to check failures?

Intune portal and device logs.

What are Update Rings?

Policies controlling Windows update deployment.

What can Update Rings control?

Deferrals, deadlines, restart behavior.

What is Feature Update?

Upgrade to new Windows version.

Purpose of Update Rings?

Controlled rollout of updates.

What is BitLocker?

Disk encryption for data protection.

Where are BitLocker keys stored?

Azure AD / Intune.

Why use BitLocker?

Protect data on lost/stolen devices.

What is Endpoint Security in Intune?

Security policies like antivirus, firewall.

What is Microsoft Defender?

Built-in antivirus solution.

What is RBAC?

Role-Based Access Control.

Purpose of RBAC?

Limit access based on role.

What are Intune roles?

Permissions assigned to admins.

Why use scope tags?

Restrict admin visibility.

What is Endpoint Analytics?

Provides performance and usage insights.

What can you monitor in Intune?

Compliance, apps, device health.

What is device status report?

Shows device configuration and compliance state.

Device not receiving policy—first step?

Check group assignment.

App not installing—first step?

Check Intune install status.

User blocked from access—why?

Likely Conditional Access policy.

Device non-compliant—impact?

Access blocked if CA enforced.

Policy conflict—result?

One policy overrides or fails.