MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

Domain 2: Manage and Maintain Devices (~10 min read)

Cloud PKI & Tunnel for MAM

Cloud PKI eliminates on-premises certificate authorities for device authentication. Microsoft Tunnel for MAM provides VPN access through managed apps without full device enrollment.

Microsoft Cloud PKI

☕ Simple explanation

Think of certificates like digital driver’s licences for your devices.

When a device connects to your Wi-Fi or VPN, it needs to prove who it is. Passwords can be stolen, but a certificate is cryptographically tied to the device — much harder to fake. The problem? Running your own certificate authority (CA) is like running your own driving licence office — expensive, complex, and requires on-prem servers.

Cloud PKI moves the certificate authority to the cloud. Microsoft runs it, Intune distributes the certificates, and you never touch a CA server. Chen Wei at Meridian Bank gets certificate-based Wi-Fi authentication without the infrastructure headache.

Microsoft Cloud PKI is a cloud-based certificate authority (CA) service within the Intune Suite. It enables organisations to issue, renew, and revoke certificates for device authentication without on-premises PKI infrastructure (like AD CS). Certificates are distributed via Intune SCEP or PKCS profiles.

Use cases include Wi-Fi authentication (EAP-TLS), VPN client certificates, S/MIME email encryption, and mutual TLS for web applications.

Use cases for Cloud PKI

| Use Case | How Certificates Help |
|---|---|
| Wi-Fi authentication (EAP-TLS) | Devices authenticate to corporate Wi-Fi using certificates instead of passwords — no shared Wi-Fi passwords to leak |
| VPN authentication | Certificate-based VPN eliminates password prompts and resists phishing |
| S/MIME email | Digitally sign and encrypt emails with user certificates |
| Mutual TLS | Both client and server verify each other’s identity for sensitive web apps |
| Device identity | Prove a device is managed and trusted before granting network access |

Cloud PKI vs on-premises PKI

| Feature | Cloud PKI (Intune Suite) | On-Premises PKI (AD CS) |
|---|---|---|
| Infrastructure | None — Microsoft-managed cloud service | Requires Windows Server with AD CS role |
| Certificate distribution | Intune SCEP/PKCS profiles | NDES server + Intune connector + SCEP profile |
| Management | Intune admin center | AD CS management console + manual renewal |
| Maintenance | None — Microsoft handles patching and HA | Regular server patching, backup, monitoring |
| Best for | Cloud-native orgs or migrating away from on-prem | Existing on-prem infrastructure, complex hierarchies |
| Licence | Intune Suite add-on | Included with Windows Server |

How Cloud PKI issues certificates — the flow

Understanding the issuance flow helps in both the exam and real deployments:

  1. Admin creates a CA in Intune — Intune admin center → Tenant administration → Cloud PKI → Create. You create a root CA first, then an issuing CA signed by that root.
  2. Admin creates a SCEP profile — a device configuration profile that tells devices how to request a certificate (key size, subject name, validity period, intended purpose).
  3. Profile is assigned to a device or user group.
  4. Device receives the profile at next sync and generates a key pair (public + private).
  5. Device sends a Certificate Signing Request (CSR) to Intune containing the public key.
  6. Intune’s Cloud PKI signs the certificate using the issuing CA’s private key.
  7. Signed certificate returns to the device — the device now has a trusted certificate for Wi-Fi, VPN, or other authentication.

Certificate lifecycle

| Event | What Happens |
|---|---|
| Issuance | Device requests → Cloud PKI signs → certificate installed on device |
| Renewal | Before expiry, Intune automatically triggers a new CSR (if auto-renewal is configured) |
| Revocation | Admin revokes in Intune → certificate is added to a CRL (Certificate Revocation List) → authentication fails at next check |
| Expiry | Certificate reaches its validity end date → stops working → device must re-enrol for a new one |

Real-world example: Chen Wei at Meridian Bank sets up Cloud PKI with a root CA and issuing CA. He creates a SCEP profile for Wi-Fi (EAP-TLS) targeting all corporate Windows devices. When a new laptop enrolls, it automatically receives a certificate and connects to the “MeridianCorp” Wi-Fi network without any password. When an employee leaves, Chen Wei revokes their device certificate — it can’t connect to Wi-Fi anymore.

💡 Exam tip: root CA vs issuing CA

Cloud PKI uses a two-tier CA hierarchy:

  • Root CA — the trust anchor. It signs the issuing CA’s certificate. Should be kept offline in on-prem PKI, but Cloud PKI handles this automatically.
  • Issuing CA — signs end-entity certificates (the ones devices actually use). All SCEP profiles point to the issuing CA.

The exam may ask: “How many CAs does Cloud PKI require?” Answer: two — a root CA and at least one issuing CA. This mirrors the industry best practice of a two-tier PKI hierarchy.
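The issuance flow (steps 1 to 7), the lifecycle table and the two-tier hierarchy above, carried through as an added example that is not part of the study guide: it uses the Python `cryptography` package to build a root CA and an issuing CA, sign a device CSR with a clientAuth EKU, publish a CRL, and run the checks a Wi-Fi or VPN server performs before trusting the device. CA and device names, serials and the fixed clock are constructed assumptions, not values from Intune.

```python
# Added example (not from the study guide): the Cloud PKI flow modelled with the
# Python `cryptography` package. All CA/device names and serials are constructed.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

NOW = dt.datetime(2026, 1, 1)  # fixed clock (assumption) so the results are repeatable
def _name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def _builder(subject, issuer, pubkey, days):  # the fields every certificate needs
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=days)))

def make_ca(cn, issuer=None):
    """Step 1: no issuer -> self-signed root CA; issuer=(key, cert) -> issuing CA signed by it."""
    key = rsa.generate_private_key(65537, 2048)
    signer, issuer_name = (key, _name(cn)) if issuer is None else (issuer[0], issuer[1].subject)
    cert = (_builder(_name(cn), issuer_name, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
    return key, cert
def device_csr(device_name):  # steps 4-5: device keeps its private key; the CSR carries only the public key
    key = rsa.generate_private_key(65537, 2048)
    csr = x509.CertificateSigningRequestBuilder().subject_name(_name(device_name)).sign(key, hashes.SHA256())
    return key, csr
def issue(csr, ca_key, ca_cert, days=365):
    """Step 6: the issuing CA signs the CSR; the clientAuth EKU is what EAP-TLS/VPN servers expect."""
    return (_builder(csr.subject, ca_cert.subject, csr.public_key(), days)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
def publish_crl(revoked_serials, ca_key, ca_cert):  # lifecycle: revocation = serial listed in a signed CRL
    b = x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject).last_update(NOW).next_update(NOW + dt.timedelta(days=7))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())
def _signed_by(cert, issuer_cert):  # verify the signature over the TBS bytes with the issuer's public key
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False
def device_trusted(cert, issuing_cert, root_cert, crl, at=NOW):
    """What a Wi-Fi/VPN server checks: chains to the root, inside its validity window, not on the CRL."""
    chain_ok = _signed_by(cert, issuing_cert) and _signed_by(issuing_cert, root_cert)
    revoked = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return chain_ok and cert.not_valid_before <= at <= cert.not_valid_after and revoked is None
```

A certificate signed by a CA that merely copies the issuing CA's name fails `device_trusted`, because the chain check verifies the signature with the real issuing CA's public key rather than matching names.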

Microsoft Tunnel for MAM

☕ Simple explanation

Imagine a secure tunnel that only specific apps can use — not the whole device.

Regular VPN connects the entire device to your corporate network. That’s fine for corporate laptops, but what about Riko’s designers with personal phones? You don’t want their entire phone traffic going through the company’s network β€” just Outlook, Teams, and the company intranet.

Tunnel for MAM creates a VPN connection that only managed apps can use. Personal apps bypass the tunnel entirely. It works on devices that aren’t even enrolled in Intune β€” perfect for BYOD.

Microsoft Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support app-level VPN connections on unenrolled (BYOD) devices. Unlike standard Microsoft Tunnel (which requires device enrollment), Tunnel for MAM uses app protection policies to route traffic from specific managed apps through the VPN tunnel — without requiring MDM enrollment.

Standard Tunnel vs Tunnel for MAM

| Feature | Microsoft Tunnel (Standard) | Tunnel for MAM |
|---|---|---|
| Device enrollment required | Yes — MDM enrolled | No — works on unenrolled BYOD devices |
| VPN scope | Device-wide or per-app | Per-app only (managed apps) |
| Personal traffic | Can route through tunnel | Never routes through tunnel |
| Supported platforms | iOS, Android, Windows (preview) | iOS, Android |
| Configuration | Tunnel VPN profile + device config | App protection policy + Tunnel config |
| Best for | Corporate-managed devices needing VPN | BYOD users accessing internal resources through managed apps |

How Tunnel for MAM works

  1. Deploy Microsoft Tunnel Gateway — Linux-based server (or container) in your network
  2. Create an app protection policy — includes Tunnel for MAM settings
  3. User installs managed apps — Outlook, Teams, Edge (with Intune app protection)
  4. User opens a managed app → app connects through the Tunnel → accesses internal resources
  5. Personal apps continue using the regular internet — no corporate tunnel

Key exam concept: Tunnel for MAM is specifically for BYOD scenarios where you want managed apps to access internal resources without enrolling the whole device. If devices are enrolled, use standard Microsoft Tunnel instead.

💡 Exam tip: Tunnel for MAM requirements

The exam may test prerequisites:

  • Intune Suite licence (add-on)
  • Microsoft Tunnel Gateway deployed (Linux server or container)
  • App protection policy configured with Tunnel settings
  • Microsoft Defender for Endpoint app on the device (acts as the Tunnel client on iOS/Android)
  • Supported on iOS and Android only (not Windows for MAM Tunnel)


Flashcards

Question: What is Microsoft Cloud PKI?

Answer: A cloud-based certificate authority in the Intune Suite that issues, renews, and revokes certificates without on-prem PKI infrastructure. Used for Wi-Fi auth (EAP-TLS), VPN, S/MIME email, and device identity. Certificates are distributed via Intune SCEP/PKCS profiles.

Question: What makes Tunnel for MAM different from standard Microsoft Tunnel?

Answer: Tunnel for MAM works on unenrolled BYOD devices and only routes managed app traffic through the VPN. Standard Tunnel requires device enrollment and can route device-wide or per-app traffic. Tunnel for MAM uses app protection policies, not device configuration.

Question: What acts as the Tunnel client on iOS and Android devices?

Answer: Microsoft Defender for Endpoint app — it serves as the Tunnel client for both standard Tunnel and Tunnel for MAM on mobile devices.

Knowledge Check

  1. Chen Wei needs devices at Meridian Bank to authenticate to corporate Wi-Fi using certificates instead of passwords. The bank has no on-premises certificate servers and doesn't want to build PKI infrastructure. What should Chen Wei use?
  2. Riko's designers at Pixel & Co use personal iPhones (not enrolled in Intune) but need to access the company's internal project management site through Outlook and Edge. What's the best approach?


Next up: Remote Actions & Device Queries — managing devices remotely with sync, wipe, retire, and real-time KQL queries.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.