MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

Domain 2: Manage and Maintain Devices Free ⏱ ~12 min read

Windows Autopilot: Choose Your Path

Windows Autopilot transforms how you deploy devices — no imaging, no USB drives, no technician hands. Learn the three deployment modes and when to pick each one.

What is Windows Autopilot?

☕ Simple explanation

Imagine ordering a pizza that arrives fully customised — toppings, temperature, cut style — without the restaurant needing your oven.

That’s Autopilot. You buy laptops from Dell, HP, or Lenovo. The manufacturer ships them directly to your employees. When an employee opens the box and connects to Wi-Fi, the laptop configures itself: it joins your cloud directory, enrolls in Intune, installs company apps, and applies security policies. No IT technician touches the device. No USB drives. No imaging labs.

Windows Autopilot is a cloud-based deployment service that lets organisations set up and pre-configure new Windows devices without building custom OS images. The device’s hardware identity (hash) is registered with the Autopilot service, which associates it with your Intune tenant and a deployment profile.

During the Out-of-Box Experience (OOBE), the device contacts the Autopilot service, receives its configuration, Entra-joins, auto-enrolls in Intune, and installs assigned apps and policies — all driven by cloud configuration rather than local infrastructure.

Autopilot vs provisioning packages

Sam at Tui Solutions is choosing between Autopilot and provisioning packages for 500 new laptops. Here’s the comparison:

| Feature | Windows Autopilot | Provisioning Packages |
|---|---|---|
| Infrastructure needed | Internet connection only | Windows Configuration Designer (WCD) + USB/network share |
| Image required | No — uses the factory OS | No — uses the factory OS (but can customise settings) |
| Internet required during setup | Yes | No (offline capable) |
| IT technician needed | No — user self-service or zero-touch | Minimal — apply package via USB |
| Entra join | Automatic during OOBE | Can be configured in package |
| Intune enrollment | Automatic (via auto-enrollment) | Can be configured in package |
| Customisation depth | Profiles, apps, policies via Intune | Registry settings, certificates, Wi-Fi, apps |
| Best for | Cloud-managed devices with internet access | Kiosks, shared devices, or environments without reliable internet |
| Scale | Thousands of devices — fully cloud-driven | Hundreds — manual USB application per device |

Key exam concept: Autopilot is the recommended approach for modern cloud-managed deployments. Provisioning packages are the fallback for offline scenarios or specialised devices (kiosks, labs) where Autopilot isn’t practical.

The three deployment modes

This is one of the most exam-tested topics in MD-102. Each mode serves a different scenario.

Autopilot Deployment Modes
| Feature | User-Driven | Self-Deploying | Pre-Provisioned |
|---|---|---|---|
| Who sets up the device | The end user | Nobody — zero-touch | IT technician (Phase 1) + end user (Phase 2) |
| User signs in during OOBE | Yes — user authenticates | No — no user interaction | Phase 1: technician. Phase 2: user. |
| User affinity | Yes — device is tied to a user | No — shared device | Yes — tied to user after Phase 2 |
| TPM 2.0 required | No (recommended) | Yes (mandatory) | Yes (mandatory) |
| Best for | Standard employee laptops | Kiosks, shared devices, meeting rooms | Executive devices needing pre-staging |
| Use case example | Sam ships laptops to remote workers who self-setup | Tui Solutions deploys conference room tablets | IT pre-installs heavy apps before giving to VIPs |
| Entra join type | Entra Joined or Hybrid Joined | Entra Joined only | Entra Joined or Hybrid Joined |

User-driven mode (most common)

The employee receives a new laptop, opens the box, connects to Wi-Fi, and signs in with their Entra ID credentials. Autopilot handles the rest:

  1. Device contacts Autopilot service
  2. Custom OOBE screens shown (branded company logo, custom text)
  3. User signs in → Entra join + Intune enrollment
  4. Apps, policies, and profiles install
  5. Device is ready to use

When to use: The default choice for standard employee devices. Works for both remote and in-office workers.

Self-deploying mode (no user needed)

The device powers on, connects to a network (wired or configured Wi-Fi), and configures itself completely without any user interaction.

  1. Device contacts Autopilot service using hardware identity (TPM attestation)
  2. Entra joins automatically (no user sign-in)
  3. Intune enrollment and configuration
  4. Device is ready for shared use

When to use: Kiosks, digital signage, shared meeting room devices, lobby check-in stations. Any device that doesn’t belong to a specific user.

Requirement: TPM 2.0 is mandatory — the device proves its identity through hardware attestation since no user authenticates.

Pre-provisioned mode (two-phase)

IT does the heavy lifting upfront, then the user finishes setup:

Phase 1 (IT technician):

  1. Technician powers on the device in a staging area
  2. Presses Windows key 5 times during OOBE to enter technician flow
  3. Device Entra-joins and starts installing apps/policies
  4. Technician verifies everything works, then reseals the device

Phase 2 (End user):

  1. User receives the pre-staged device
  2. Connects to Wi-Fi and signs in
  3. Any remaining user-specific config applies
  4. Device is ready — much faster than starting from scratch

When to use: When you need to pre-install large applications (e.g., Visual Studio, CAD software) or verify device readiness before handing to a user. Common for executives, developers, and remote workers with poor internet.

💡 Exam tip: self-deploying requires TPM 2.0

The exam specifically tests the TPM requirement for self-deploying mode. Remember:

  • User-driven — TPM recommended but NOT required
  • Self-deploying — TPM 2.0 required (no user authenticates, so the device must prove identity via hardware)
  • Pre-provisioned — TPM 2.0 required (Phase 1 uses device attestation)

If a question describes a kiosk device without TPM 2.0, self-deploying mode will NOT work. You’d need user-driven (with a service account) or a provisioning package instead.
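
An added example, not part of the original guide: a PowerShell check, run elevated on a candidate device, that reports which modes the TPM requirement above allows. The function name `Get-AutopilotModeEligibility` is hypothetical; `Win32_Tpm` and `Get-Tpm` are standard Windows components.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the study guide): reports whether this device meets the
# TPM 2.0 requirement the guide states for self-deploying and pre-provisioned modes.
# Get-AutopilotModeEligibility is a hypothetical helper name.

function Get-AutopilotModeEligibility {
    [CmdletBinding()]
    param()

    # Win32_Tpm is empty when Windows sees no TPM (absent, or disabled in firmware).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    $specFamily = $null
    $tpmReady   = $false
    if ($tpm) {
        # SpecVersion is a comma-separated string such as "2.0, 0, 1.59";
        # the first field is the specification family (1.2 or 2.0).
        if ($tpm.SpecVersion) {
            $specFamily = ($tpm.SpecVersion -split ',')[0].Trim()
        }
        # Get-Tpm reports whether the TPM is present and provisioned for use.
        $state    = Get-Tpm
        $tpmReady = [bool]($state.TpmPresent -and $state.TpmReady)
    }

    $meetsTpm20 = ($specFamily -eq '2.0') -and $tpmReady

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        TpmSpecFamily  = if ($specFamily) { $specFamily } else { 'none detected' }
        TpmReady       = $tpmReady
        UserDriven     = $true          # guide: TPM recommended, not required
        SelfDeploying  = $meetsTpm20    # guide: TPM 2.0 mandatory
        PreProvisioned = $meetsTpm20    # guide: TPM 2.0 mandatory
    }
}

Get-AutopilotModeEligibility | Format-List
```

The check covers only the TPM version and readiness prerequisite; it does not perform the attestation that the Autopilot service carries out during OOBE.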

Sam’s Autopilot plan for Tui Solutions

| Device Type | Count | Deployment Mode | Why |
|---|---|---|---|
| Employee laptops (remote workers) | 300 | User-driven | Shipped direct to employees, self-service setup |
| Employee laptops (office-based) | 100 | Pre-provisioned | IT pre-installs specialist consulting software |
| Conference room tablets | 30 | Self-deploying | No user — shared meeting room devices |
| Warehouse kiosks | 20 | Self-deploying | No user — inventory check-in stations |
| Executive laptops | 50 | Pre-provisioned | IT pre-stages with full app suite + verification |

Flashcards

Question: What are the three Windows Autopilot deployment modes?

Answer: 1. User-driven — employee self-service, most common. 2. Self-deploying — zero-touch for shared/kiosk devices. 3. Pre-provisioned — IT does Phase 1, user does Phase 2. Self-deploying and pre-provisioned both require TPM 2.0.

Question: When should you use a provisioning package instead of Autopilot?

Answer: When devices don't have reliable internet during setup (offline deployment), for specialised kiosk configurations, or in environments where Autopilot's cloud-dependency is a limitation. Provisioning packages are created with Windows Configuration Designer and applied via USB.

Question: Why does self-deploying mode require TPM 2.0?

Answer: Because no user signs in to authenticate, the device must prove its identity through hardware attestation via the TPM (Trusted Platform Module). Without TPM 2.0, the Autopilot service can't verify the device's identity.

Question: What triggers the pre-provisioned technician flow during OOBE?

Answer: Pressing the Windows key 5 times during OOBE opens the technician flow for pre-provisioned deployment. The technician can then start Phase 1 (Entra join, app installation, policy application) before resealing the device for the end user.

Knowledge Check

Tui Solutions needs to deploy 30 tablets for conference rooms. The tablets will display a meeting room booking app — no specific user will sign in. Which Autopilot deployment mode should Sam choose?

Sam discovers that 20 older kiosk devices in the warehouse don't have TPM 2.0 chips. He planned to use self-deploying mode for these. What should Sam do?

Next up: Autopilot Deployment: Device Names, ESP & Rollout — the practical details of implementing Autopilot at scale.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.