MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

Domain 1: Prepare Infrastructure for Devices · ~12 min read

Intune RBAC & Windows Hello for Business

Not every admin should have the same power. Learn how Intune role-based access control limits who can do what, and how Windows Hello for Business replaces passwords with biometrics and PINs.

Who can do what in Intune?

☕ Simple explanation

Think of Intune RBAC like hotel staff keys.

The general manager’s key opens every room, the restaurant, and the safe. A housekeeper’s key opens guest rooms but not the safe. A receptionist can check guests in but can’t enter rooms. Everyone has the access they need — and nothing more.

Intune works the same way. The IT director gets full access. The helpdesk gets “read device info + remote actions.” The app team gets “manage apps only.” Nobody gets more access than their job requires.

Role-Based Access Control (RBAC) in Intune lets you define precisely what each admin can see and do. Instead of giving everyone Global Administrator rights, you assign roles that match job responsibilities.

Each role is defined by permissions (what actions are allowed) and scope (which devices/users/groups those actions apply to). This implements the principle of least privilege — a core Zero Trust concept.

Built-in Intune roles

Chen Wei at Meridian Bank has a team of 15 IT staff. He doesn’t want every team member to have the power to wipe 10,000 devices. Here are the built-in roles he uses:

Role | What they can do | Who gets it at Meridian
Intune Administrator (an Entra ID directory role, not an Intune RBAC role) | Everything in Intune | Chen Wei (IT Security Lead) only
Help Desk Operator | View device/user info; perform remote actions (lock, sync, restart); reset passcodes; assign existing apps or policies to users and devices, but cannot create or edit them | Helpdesk team (5 staff)
Application Manager | Manage apps: add, assign, update, delete. Can't touch device policies | App deployment team (2 staff)
Endpoint Security Manager | Manage security baselines, endpoint security and compliance policies, and the Conditional Access integration | Security team (3 staff)
Read Only Operator | View everything, change nothing | Auditors, junior staff
Policy and Profile Manager | Create and manage configuration profiles, compliance policies and security baselines | Device config team (2 staff)
School Administrator | Manage devices and apps in Intune for Education tenants | Not used at Meridian

Note the first row: "Intune Administrator" is granted in Entra ID, not in the Intune RBAC blade. Anyone holding it bypasses every scope group and scope tag below, so keep it to the one or two people who own the tenant.

Custom roles

If built-in roles don’t fit, you can create custom roles:

  1. Intune admin center → Tenant administration → Roles → All roles → Create
  2. Pick a name and description
  3. Select specific permissions (e.g., "Remote tasks: Wipe = Yes, Remote tasks: Retire = No"). Everything left at No is denied, so start from nothing and add only what the job needs
  4. Assign the role: choose the admin group (Members), the scope groups (which users and devices they can act on) and, if you use them, the scope tags
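The same four steps as Microsoft Graph PowerShell, added here as a worked example (it is not the study guide's own code). It creates a "Helpdesk - No Wipe" custom role and assigns it to one admin group, scoped to one device group, then reads the assignment back to prove the scope stuck. Assumptions: the Microsoft.Graph.Authentication module is installed, the two GUIDs are placeholders for your own Entra groups, the `roleDefinition@odata.bind` form is the binding Graph beta accepts for Intune role assignments, and the `Microsoft.Intune_*` strings are the resource-action names Graph returns for the built-in roles (list one with `GET /beta/deviceManagement/roleDefinitions` to confirm the exact spelling in your tenant).

```powershell
# Added example (not the study guide's code): least-privilege custom Intune role plus a scoped
# assignment, created through Microsoft Graph. Group IDs are placeholders; permission names are
# assumed to match the resource actions listed on the built-in roles and should be verified.

Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All' -NoWelcome

$graph = 'https://graph.microsoft.com/beta/deviceManagement'
$helpdeskAdminsGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder: Members (who gets the role)
$financeDevicesGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: scope group (what they may act on)

# Steps 2 and 3: name, description, and an explicit allow-list of permissions.
# Wipe and Retire are deliberately absent; anything not listed is denied.
$roleDefinition = @{
    '@odata.type'   = '#microsoft.graph.roleDefinition'
    displayName     = 'Helpdesk - No Wipe'
    description     = 'Read device info and run lock/sync/restart. Wipe and retire intentionally excluded.'
    isBuiltIn       = $false
    rolePermissions = @(
        @{
            resourceActions = @(
                @{
                    allowedResourceActions = @(
                        'Microsoft.Intune_ManagedDevices_Read',      # assumed names; verify in your tenant
                        'Microsoft.Intune_RemoteTasks_RemoteLock',
                        'Microsoft.Intune_RemoteTasks_SyncDevice',
                        'Microsoft.Intune_RemoteTasks_RebootNow'
                    )
                    notAllowedResourceActions = @()
                }
            )
        }
    )
}
$role = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleDefinitions" `
    -Body $roleDefinition -ContentType 'application/json'

# Step 4: assign the role. 'members' is the admin group; 'resourceScopes' is the scope group.
# Leaving resourceScopes empty would let these admins act on every device in the tenant.
$assignment = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Helpdesk - Finance devices only'
    description                 = 'Helpdesk admins may act only on devices in the Finance scope group'
    members                     = @($helpdeskAdminsGroupId)
    resourceScopes              = @($financeDevicesGroupId)
    'roleDefinition@odata.bind' = "$graph/roleDefinitions('$($role.id)')"
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleAssignments" `
    -Body $assignment -ContentType 'application/json'

# Check: read the assignment back and refuse to hand it out if it came back unscoped.
$check = Invoke-MgGraphRequest -Method GET -Uri "$graph/roleAssignments/$($created.id)"
if (-not $check.resourceScopes) {
    throw "Assignment $($created.id) has no scope group; it would apply to every device. Fix before use."
}
"Created role $($role.id); assignment $($created.id) is scoped to: $($check.resourceScopes -join ', ')"
```

The allow-list is the whole point: a custom role starts with every permission at No, so the JSON you submit is a complete statement of what the helpdesk can do. Keep that file in source control and diff it when someone asks for "just one more permission".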
💡 Exam tip: scope tags and scope groups

RBAC in Intune has two scope concepts — don’t confuse them:

  • Scope groups = which users/devices the admin can manage (e.g., “only devices in the Finance department”)
  • Scope tags = which Intune objects (policies, profiles, apps) the admin can see (e.g., “only policies tagged ‘Finance’”)

Together, they create fine-grained access: an admin might only manage Finance department devices AND only see Finance-tagged policies. This is especially useful in large orgs like Meridian Bank where different teams manage different business units.
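For an existing tenant the practical question behind this tip is: which assignments can wipe devices, and are any of them unscoped? The audit below is an added example, not the study guide's code. `Find-UnscopedWipeAssignments` works on role definitions and assignments in the shape Graph returns them, so the constructed sample at the bottom runs offline; the commented Graph calls show where live data would come from. The permission name `Microsoft.Intune_RemoteTasks_Wipe` is an assumption to confirm against a built-in role's permission list, and the sample groups and role names are made up.

```powershell
# Added example (not the study guide's code): flag Intune role assignments that can wipe
# devices and are not limited by a scope group. Runs offline on the constructed sample;
# swap in live data from Graph (commented calls) to audit a real tenant.

$WipePermission = 'Microsoft.Intune_RemoteTasks_Wipe'   # assumed resource-action name; verify in your tenant

function Get-AllowedActions {
    # Flatten rolePermissions[].resourceActions[].allowedResourceActions[] into one list.
    param([hashtable]$RoleDefinition)
    $actions = foreach ($perm in $RoleDefinition.rolePermissions) {
        foreach ($ra in $perm.resourceActions) { $ra.allowedResourceActions }
    }
    @($actions)
}

function Find-UnscopedWipeAssignments {
    # One record per assignment whose role can wipe, with a Risk column:
    #   HIGH   = wipe-capable and no scope group (reaches every device in the tenant)
    #   MEDIUM = wipe-capable but limited to the named scope groups
    param(
        [hashtable[]]$RoleDefinitions,
        [hashtable[]]$Assignments          # each carries a 'roleDefinitionId'
    )
    $byId = @{}
    foreach ($rd in $RoleDefinitions) { $byId[$rd.id] = $rd }

    foreach ($a in $Assignments) {
        $rd = $byId[$a.roleDefinitionId]
        if (-not $rd) { continue }
        if ((Get-AllowedActions $rd) -notcontains $WipePermission) { continue }
        $scoped = [bool]($a.resourceScopes -and $a.resourceScopes.Count -gt 0)
        $scopes = if ($scoped) { $a.resourceScopes -join ',' } else { '(none: all devices)' }
        $risk   = if ($scoped) { 'MEDIUM' } else { 'HIGH' }
        [pscustomobject]@{
            Assignment = $a.displayName
            Role       = $rd.displayName
            Members    = ($a.members -join ',')
            Scopes     = $scopes
            Risk       = $risk
        }
    }
}

# --- Live tenant (uncomment; needs Connect-MgGraph -Scopes DeviceManagementRBAC.Read.All) ---
# $base = 'https://graph.microsoft.com/beta/deviceManagement'
# $roleDefs = (Invoke-MgGraphRequest -Method GET -Uri "$base/roleDefinitions").value
# $assigns  = foreach ($rd in $roleDefs) {
#     (Invoke-MgGraphRequest -Method GET -Uri "$base/roleDefinitions/$($rd.id)/roleAssignments").value |
#         ForEach-Object { $_['roleDefinitionId'] = $rd.id; $_ }
# }

# --- Constructed sample in the same shape (made up, not real tenant data) ---
$roleDefs = @(
    @{ id = 'rd-helpdesk'; displayName = 'Help Desk Operator'
       rolePermissions = @(@{ resourceActions = @(@{ allowedResourceActions = @(
           'Microsoft.Intune_ManagedDevices_Read', 'Microsoft.Intune_RemoteTasks_RemoteLock') }) }) },
    @{ id = 'rd-wiper'; displayName = 'Custom - Device Wipe'
       rolePermissions = @(@{ resourceActions = @(@{ allowedResourceActions = @(
           'Microsoft.Intune_ManagedDevices_Read', $WipePermission) }) }) }
)
$assigns = @(
    @{ roleDefinitionId = 'rd-helpdesk'; displayName = 'Helpdesk - all'; members = @('grp-helpdesk'); resourceScopes = @() },
    @{ roleDefinitionId = 'rd-wiper';    displayName = 'Wipe - Finance'; members = @('grp-sec');      resourceScopes = @('grp-finance-devices') },
    @{ roleDefinitionId = 'rd-wiper';    displayName = 'Wipe - legacy';  members = @('grp-contract'); resourceScopes = @() }
)

Find-UnscopedWipeAssignments -RoleDefinitions $roleDefs -Assignments $assigns | Format-Table -AutoSize
```

The helpdesk assignment is unscoped too, but it is not reported because its role cannot wipe: the check is about blast radius, not about scope alone. Extend `$WipePermission` to a list (retire, delete, BitLocker key read) if your threat model cares about more than wipe.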

Windows Hello for Business

What is it?

☕ Simple explanation

Windows Hello for Business replaces your password with your face, fingerprint, or a PIN, backed by a key that never leaves your device.

Instead of typing a password that could be stolen, phished, or guessed, you unlock your device with something you are (biometrics) or something you know (a PIN). Either gesture only unlocks a private key sealed to your specific device's hardware, so even if someone learns your PIN, it is useless on any other machine.

Windows Hello for Business is a passwordless authentication method that uses asymmetric key pairs (public/private) for sign-in. The private key is protected by the device’s TPM (Trusted Platform Module) and unlocked by the user’s biometric gesture or PIN.

Unlike traditional passwords, the private key never leaves the device and isn’t transmitted during authentication. This makes Windows Hello resistant to phishing, credential theft, and replay attacks.

Hello for Business vs regular Windows Hello

Feature | Windows Hello | Windows Hello for Business
Purpose | Consumer convenience | Enterprise security
Credential type | "Convenience" PIN or biometric that unlocks the account's stored password | Asymmetric key pair (or certificate) unlocked by PIN or biometric
Key storage | Not key-based; the password still exists and is still used behind the scenes | Private key protected by the TPM (hardware) where one is present
Managed by | The user | IT admin via Intune or Group Policy
Phishing resistant | No: the underlying password can still be phished or replayed | Yes: the private key is never transmitted
Multi-factor | No | Yes: device possession (the key) + biometric or PIN

Configuring Hello for Business with Intune

Chen Wei enables Hello for Business across all Meridian Bank devices:

  1. Intune admin center → Devices → Enrollment → Windows tab → Windows Hello for Business

  2. Configure the tenant-wide settings (these are applied to Windows devices when they enroll):

    • Configure Windows Hello for Business: Enabled
    • Use a Trusted Platform Module (TPM): Required (keys must be created in hardware; "Preferred" silently falls back to software keys on devices without a usable TPM)
    • Minimum PIN length: 8 (Chen Wei raises the default of 6 for banking compliance)
    • Maximum PIN length: 127
    • Lowercase letters in PIN: Required
    • Uppercase letters in PIN: Required
    • Special characters in PIN: Allowed
    • PIN expiration: Not configured (Microsoft recommends against PIN expiration)
    • Allow biometric authentication: Yes
    • Allow phone sign-in: No (Chen Wei blocks this for security)
  3. For group-specific settings, or to change devices that are already enrolled, create a device configuration profile (Windows 10 and later → Templates → Identity protection) or an Endpoint security → Account protection policy instead. These are assigned to groups and carry scope tags like any other profile, so the RBAC rules above decide who can edit them

ℹ️ Deep dive: Hello for Business deployment models

There are several deployment models, and the exam may test awareness of them:

  • Cloud-only: simplest. Entra ID + Intune. No on-prem infrastructure. Best for cloud-native orgs like CloudForge.
  • Hybrid cloud Kerberos trust: Entra ID + on-prem AD, with an Entra Kerberos server object created in AD so the DC can issue Kerberos tickets to Hello users. No public-key sync to AD and no PKI. Microsoft's recommended hybrid model for Windows 10 21H2+ and Windows 11.
  • Hybrid key trust: Entra ID + on-prem AD + Entra Connect. The user's public key is synced to AD and the on-prem DC validates it. Common in older hybrid deployments and during migration.
  • Hybrid certificate trust: adds PKI (a certificate authority) and requires AD FS. The on-prem DC validates a certificate. The most complex model; historically needed for RDP to on-prem hosts with a Hello credential.
  • On-premises key trust: purely on-prem AD with Windows Server 2016+ DCs and AD FS. No cloud dependency.

For the exam, focus on: cloud-only is simplest; hybrid cloud Kerberos trust is Microsoft's current recommendation for hybrid, with hybrid key trust still common in existing migrations; a TPM (1.2 or later, 2.0 preferred) is recommended for every model, but Hello for Business will fall back to software-protected keys on devices without one unless "Use TPM: Required" blocks it.


Flashcards

Q: What's the difference between scope tags and scope groups in Intune RBAC?
A: Scope groups control WHICH devices/users an admin can manage. Scope tags control WHICH Intune objects (policies, profiles, apps) an admin can see. Together, they limit both the targets and the tools an admin can access.

Q: What makes Windows Hello for Business resistant to phishing?
A: It uses asymmetric key pairs where the private key is stored in the device's TPM and never transmitted during authentication. Even if an attacker intercepts the authentication flow, they can't replay or steal the credential.

Q: Which built-in Intune role should you assign to helpdesk staff?
A: Help Desk Operator: it allows viewing device/user information, performing remote actions (lock, sync, restart, passcode reset) and assigning existing apps or policies, without the ability to create or modify policies, profiles, or apps.

Q: Does Microsoft recommend setting PIN expiration for Windows Hello for Business?
A: No. Microsoft recommends against PIN expiration. Since the PIN is hardware-backed (TPM) and only works on the specific device, it doesn't have the same risks as traditional passwords. Forcing rotation provides minimal security benefit.

Knowledge Check

  1. Chen Wei has a helpdesk team of 5 staff who need to view device information and perform remote actions like lock and restart, but must NOT be able to create or modify policies. Which approach follows the principle of least privilege?

  2. Aroha at CloudForge is deploying Windows Hello for Business to her 30-person startup. All devices are cloud-native (Entra Joined, no on-prem AD). Which deployment model should she use?


Next up: Compliance Policies & Conditional Access — defining what “compliant” means and blocking non-compliant devices from accessing resources.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.