πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided MD-102 Domain 2
Domain 2 β€” Module 3 of 10 30%
10 of 27 overall

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization
Domain 2: Manage and Maintain Devices Premium ⏱ ~11 min read

Provisioning Packages & Windows 11 Upgrades

When Autopilot isn't an option, provisioning packages offer offline device setup. Plus: planning and implementing Windows 11 upgrades for existing devices.

Provisioning packages

β˜• Simple explanation

Think of a provisioning package like a recipe card you hand to a new cook.

Instead of teaching them every step from scratch (Autopilot’s approach), you give them a card with all the instructions pre-written. They plug in a USB drive, the device reads the instructions, and sets itself up β€” even without internet. It’s not as elegant as Autopilot, but it works when you can’t rely on a network connection.

A provisioning package (.ppkg) is a container of configuration settings created with Windows Configuration Designer (WCD). It can be applied during OOBE or after setup via Settings or USB. Provisioning packages can configure Entra join, Intune enrollment, Wi-Fi, certificates, policies, and even install apps β€” all without requiring internet during application.

Creating a provisioning package

Tool: Windows Configuration Designer (WCD) β€” available from the Microsoft Store or as part of the Windows ADK.

StepWhat You Do
1. Choose a project typeSimple provisioning (wizard) or advanced provisioning (full control)
2. Configure settingsDevice name, Entra join, Wi-Fi, certificates, shared device mode
3. Add apps (optional)Include .msi or .exe installers in the package
4. Build the packageExport as a .ppkg file
5. Apply the packageUSB drive during OOBE, or double-click the .ppkg file on a running device

When provisioning packages beat Autopilot

ScenarioWhy Provisioning Package Wins
No internet during setupPackages work offline β€” Autopilot requires internet
Factory floor kiosksPre-configured USB applied to dozens of identical devices
Shared lab computersBulk setup with identical config, no user sign-in needed
Legacy devices without TPMPackages don’t require TPM β€” self-deploying Autopilot does
Quick one-off setupFaster to create a package than register devices in Autopilot
πŸ’‘ Exam tip: provisioning packages and security

Provisioning packages can include sensitive data like Wi-Fi passwords and certificates. Keep these secure:

  • Packages can be encrypted and signed with a certificate
  • Without encryption, anyone with the USB drive can extract the settings
  • Without signing, a tampered package could configure malicious settings

The exam may ask about securing provisioning packages β€” the answer involves encryption and certificate signing.

Windows 11 upgrades

Aroha at CloudForge has 30 devices running Windows 10 that need upgrading to Windows 11. There are several paths, and the right choice depends on the scenario.

Upgrade methods

Windows 11 Upgrade Methods
FeatureFeature Update (Intune)Windows Update for BusinessIn-Place Upgrade (ISO)Autopilot Reset
Managed viaIntune feature update policyUpdate rings in IntuneManual ISO or SCCM task sequenceIntune remote action
User data preservedYesYesYes (in-place) or No (clean)No β€” full reset
Apps preservedYesYesYes (in-place) or No (clean)No β€” reinstalled via Intune
Internet requiredYesYesNo (ISO can be local)Yes
Best forTargeted feature updates to specific groupsBroad update management with ringsLegacy devices or offline upgradesStarting fresh on cloud-managed devices
Admin effortLow β€” policy-drivenLow β€” automatedHigh β€” manual or scriptedLow β€” remote action

Feature update policies in Intune

The most common cloud-managed approach:

  1. Intune admin center β†’ Devices β†’ Manage updates β†’ Windows 10 and later updates β†’ Feature updates
  2. Create a policy specifying the target Windows version (e.g., Windows 11, version 24H2)
  3. Assign to a device group
  4. Devices download and install the feature update automatically

Hardware compatibility

Before upgrading, verify devices meet Windows 11 requirements:

RequirementMinimum
Processor1 GHz, 2+ cores, 64-bit
RAM4 GB
Storage64 GB
TPMVersion 2.0
Secure BootUEFI with Secure Boot
Display9 inches, 720p
GraphicsDirectX 12 with WDDM 2.0
ℹ️ Deep dive: Windows 11 readiness with Intune

Intune can help assess Windows 11 readiness:

  • Endpoint Analytics shows which devices meet Windows 11 hardware requirements
  • Windows Update compatibility holds prevent upgrades on devices with known compatibility issues
  • Gradual rollout using update rings lets you upgrade pilot groups first, then broader waves

Aroha’s approach at CloudForge:

  1. Check Endpoint Analytics for compatibility (28 of 30 devices qualify)
  2. Upgrade 5 pilot devices (IT team) using a feature update policy
  3. Wait one week, verify no issues
  4. Roll out to remaining 23 devices
  5. Replace 2 incompatible devices with new hardware

🎬 Video walkthrough

🎬 Video coming soon

Provisioning Packages & Windows 11 Upgrades β€” MD-102 Module 10

Provisioning Packages & Windows 11 Upgrades β€” MD-102 Module 10

~11 min

Flashcards

Question

What tool do you use to create a provisioning package?

Click or press Enter to reveal answer

Answer

Windows Configuration Designer (WCD) β€” available from the Microsoft Store or as part of the Windows ADK. It exports .ppkg files that can be applied via USB during OOBE or on a running device.

Click to flip back
Question

What are the key Windows 11 hardware requirements?

Click or press Enter to reveal answer

Answer

1 GHz 64-bit dual-core processor, 4 GB RAM, 64 GB storage, TPM 2.0, UEFI with Secure Boot, DirectX 12 compatible graphics. TPM 2.0 and Secure Boot are the most commonly missed requirements.

Click to flip back
Question

What's the recommended way to upgrade Windows 10 devices to Windows 11 via Intune?

Click or press Enter to reveal answer

Answer

Create a Feature Update policy in Intune (Devices β†’ Manage updates β†’ Feature updates). Specify the target Windows 11 version and assign to a device group. Devices download and install the update automatically.

Click to flip back

Knowledge Check

Knowledge Check

Aroha needs to set up 10 kiosk devices in a warehouse with no Wi-Fi access. The devices should join Entra ID and enroll in Intune when they next connect to the internet. What's the best deployment method?
Knowledge Check

Sam wants to upgrade 500 Windows 10 devices to Windows 11 using Intune. He wants to upgrade the IT team first, then finance, then everyone else over three weeks. What should Sam configure?

Next up: Windows 365: Your PC in the Cloud β€” deploying and managing Cloud PCs for remote and flexible work.

← Previous

Autopilot: Device Names, ESP & Rollout

Next β†’

Windows 365: Your PC in the Cloud

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.