🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided MD-102 Domain 2
Domain 2 — Module 5 of 10 50%
12 of 27 overall

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization
Domain 2: Manage and Maintain Devices Premium ⏱ ~13 min read

Configure Windows Devices with Intune

Device configuration profiles are how you push settings to Windows devices at scale — Wi-Fi, VPN, restrictions, ADMX policies, and more. Learn to create profiles and target them with filters.

What are device configuration profiles?

☕ Simple explanation

Think of a configuration profile as a recipe for how a device should behave.

Instead of manually configuring Wi-Fi, email, VPN, and password rules on each of Sam’s 500 laptops, he writes the recipe once (a profile) and Intune delivers it to every device in the group. Change the recipe, and every device updates automatically.

It’s like setting a thermostat for the whole building instead of adjusting each room’s heater individually.

Device configuration profiles in Intune define settings that are pushed to enrolled devices. They cover a wide range: Wi-Fi, VPN, email, device restrictions (camera, Bluetooth, USB), Windows Update settings, certificates, and hundreds of Group Policy-equivalent settings via the Settings Catalog and ADMX import.

Profiles are assigned to user or device groups and can be further refined using assignment filters. Conflicts between profiles are resolved by the Intune policy engine — conflicts are flagged in the device’s policy status.

Profile types for Windows

Profile TypeWhat It ConfiguresExample
Settings Catalog5000+ individual settings, searchableDisable camera, set wallpaper, configure Windows Update
TemplatesPre-built configurations for common scenariosDevice restrictions, Wi-Fi, VPN, email, PKCS certificate
ADMX importGroup Policy settings imported as ADMX/ADML filesOffice policies, Chrome settings, third-party app settings
Custom (OMA-URI)Direct CSP (Configuration Service Provider) accessAdvanced settings not available in the UI

Settings Catalog vs Templates

FeatureSettings CatalogTemplates
Number of settings5000+ (and growing)Limited to template scope
SearchableYes — search by keywordBrowse by category
GranularityIndividual settings picked one by onePre-grouped settings
Conflict detectionBetter — per-setting conflict reportingProfile-level conflict reporting
Recommended by MicrosoftYes — the future of profile configurationStill supported but not preferred for new configs
Best forNew configurations, granular controlQuick setup of common scenarios (Wi-Fi, VPN)

Key exam concept: Microsoft recommends the Settings Catalog for new configurations. Templates are still valid but the Settings Catalog offers more settings, better conflict detection, and is actively expanded.

Importing ADMX files

Group Policy admins migrating to Intune often need settings that exist in ADMX templates but aren’t yet in the Settings Catalog. Intune lets you import custom ADMX/ADML files.

How it works

  1. Intune admin center → Devices → Configuration → Import ADMX
  2. Upload the .admx file (settings definitions) and .adml file (language strings)
  3. Create a profile → select “Imported Administrative templates”
  4. Configure settings from the imported template
  5. Assign to device groups

Common ADMX imports

ADMX SourceSettings Available
Microsoft OfficeOffice telemetry, macro security, update settings
Google ChromeHomepage, proxy, extension management
Microsoft EdgeStartup pages, password manager, sync settings
Custom LOB appsAny application that publishes ADMX templates
💡 Exam tip: ADMX import vs Settings Catalog

Many settings that previously required ADMX import are now available natively in the Settings Catalog. Before importing ADMX files, check the Settings Catalog first — it’s cleaner and easier to manage.

The exam may ask when ADMX import is necessary: for third-party application settings (Chrome, custom LOB apps) or legacy GPO settings not yet in the Settings Catalog.

Built-in Windows and Edge ADMX templates are already available in Intune without importing.

Windows 11 Enterprise multi-session

Windows 11 Enterprise multi-session is a special edition designed for Azure Virtual Desktop (AVD) that allows multiple users to sign in simultaneously — like a terminal server. Intune can manage these VMs with specific considerations.

Key differences from standard Windows 11

AspectWindows 11 (standard)Windows 11 Enterprise multi-session
Users per device1 at a timeMultiple concurrent users
Primary usePhysical PCs, Cloud PCsAVD session hosts
Intune enrollmentStandard auto-enrollmentRequires specific enrollment config
Profile targetingUser or device profilesDevice profiles only (user profiles may not apply correctly)
Available settingsFull Settings CatalogSubset — some settings are per-machine only
ℹ️ Deep dive: targeting multi-session VMs

When creating profiles for multi-session VMs:

  • Use device-based configuration profiles (not user-based)
  • Some user-scoped settings may not apply because multiple users share the device
  • Use filters to target multi-session VMs specifically (filter by OS edition)
  • Security baselines are supported but verify compatibility with multi-session

Sam at Tui Solutions uses multi-session VMs for the warehouse team — 30 warehouse workers share 10 AVD session hosts. He creates a device-targeted profile that configures Wi-Fi, disables USB storage, and locks down the desktop.

Assignment filters

Filters let you refine which devices within a group actually receive a profile. Instead of creating dozens of groups, you use one broad group plus filters.

How filters work

  1. Create a filter rule based on device properties (OS version, manufacturer, model, enrollment type)
  2. When assigning a profile, add a filter in “Include” or “Exclude” mode
  3. Intune evaluates the filter at assignment time — only matching devices get the profile

Filter examples

Filter NameRulePurpose
Windows 11 only(device.osVersion -startsWith "10.0.22")Target only Windows 11 devices
HP laptops(device.manufacturer -eq "HP")Apply HP-specific driver settings
Corporate-owned(device.deviceOwnership -eq "Company")Exclude BYOD devices
Not Cloud PC(device.model -ne "Cloud PC")Skip Windows 365 Cloud PCs

Filters vs groups

ApproachWhen to Use
GroupsPrimary targeting mechanism — who gets the policy
FiltersSecondary refinement — within that group, which devices specifically
Groups + FiltersPowerful combination: “All corporate devices” group + “Windows 11 only” filter

Key exam concept: Filters do NOT replace groups — they refine group assignments. A profile must be assigned to at least one group; filters narrow the scope within that assignment.

🎬 Video walkthrough

🎬 Video coming soon

Configure Windows Devices with Intune — MD-102 Module 12

Configure Windows Devices with Intune — MD-102 Module 12

~13 min

Flashcards

Question

What's the difference between the Settings Catalog and Templates in Intune?

Click or press Enter to reveal answer

Answer

Settings Catalog: 5000+ searchable individual settings, per-setting conflict detection, Microsoft's recommended approach. Templates: pre-grouped settings for common scenarios (Wi-Fi, VPN, email), easier to set up quickly but less granular.

Click to flip back
Question

When do you need to import ADMX files into Intune?

Click or press Enter to reveal answer

Answer

When you need to configure settings for third-party applications (Google Chrome, custom LOB apps) or legacy GPO settings not yet available in the Settings Catalog. Built-in Windows and Edge ADMX templates are already available without importing.

Click to flip back
Question

What's special about configuring Windows 11 Enterprise multi-session devices?

Click or press Enter to reveal answer

Answer

Multi-session VMs (used in Azure Virtual Desktop) require device-based configuration profiles, not user-based. User-scoped settings may not apply correctly because multiple users share the device. Use filters to target multi-session VMs specifically.

Click to flip back
Question

How do assignment filters differ from groups in Intune?

Click or press Enter to reveal answer

Answer

Groups are the primary targeting mechanism (who gets the policy). Filters refine group assignments (within that group, which specific devices). A profile must be assigned to at least one group — filters narrow the scope within that assignment.

Click to flip back

Knowledge Check

Knowledge Check

Sam needs to configure Google Chrome settings (homepage, proxy) on all Tui Solutions Windows devices. The Settings Catalog doesn't include Chrome settings. What should Sam do?
Knowledge Check

Sam assigns a device restrictions profile to the 'All Corporate Devices' group. He wants the profile to apply ONLY to Windows 11 devices, not Windows 10. What should he add?

Next up: Config Profiles: Android, iOS & macOS — managing non-Windows devices with platform-specific profiles.

← Previous

Windows 365: Your PC in the Cloud

Next →

Config Profiles: Android, iOS & macOS

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.