🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided MD-102 Domain 3
Domain 3 — Module 2 of 5 40%
19 of 27 overall

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization
Domain 3: Manage Applications Premium ⏱ ~10 min read

Deploy Apps with Intune & App Stores

Once apps are prepared, it's time to push them to devices. Learn how Intune deploys apps and how to leverage platform-specific app stores for iOS, Android, and Windows.

How Intune deploys apps

☕ Simple explanation

Think of app deployment like a vending machine that knows your preferences.

When you assign an app as “Required,” it’s like the vending machine automatically dispensing your regular coffee every morning — no button press needed. When you assign it as “Available,” the coffee appears in the menu, but you choose when to press the button (install from Company Portal).

Different platforms have different vending machines: Windows uses the Intune Management Extension, iOS uses Apple’s MDM, Android uses Managed Google Play. But you configure everything from the same Intune admin center.

Intune uses platform-specific delivery mechanisms to install applications on enrolled devices. For Windows, the Intune Management Extension (IME) handles Win32 and LOB app installation. For iOS, apps deploy through Apple MDM push commands (with VPP for volume licensing). For Android Enterprise, apps deploy through Managed Google Play.

Deployment by platform

App Deployment Mechanisms
FeatureWindowsiOS/iPadOSAndroid Enterprise
Delivery mechanismIntune Management ExtensionApple MDM + VPPManaged Google Play
Silent install (Required)Yes — background installYes (supervised) / Prompt (unsupervised)Yes — auto-install in work profile
Self-service (Available)Company Portal app or webCompany Portal appManaged Google Play Store
Store appsMicrosoft Store (new)Apple App Store via VPPManaged Google Play
Volume licensingMicrosoft Store for Business (deprecated)Apple VPP (Volume Purchase Program)Managed Google Play (free distribution)
Update managementSupersedence or auto-updateApp Store handles updatesGoogle Play handles updates

Platform-specific app stores

Microsoft Store apps (Windows)

The new Microsoft Store integration in Intune lets you deploy Store apps directly:

  1. Intune admin center → Apps → Windows → Add → Microsoft Store app (new)
  2. Search for the app (e.g., “Windows Terminal”, “WhatsApp”)
  3. Assign as Required or Available
  4. Intune handles download and installation

Store apps auto-update through the Microsoft Store by default.

Apple App Store apps (iOS/iPadOS)

For iOS devices, apps are deployed through Apple Volume Purchase Program (VPP):

  1. Set up an Apple Business Manager account and link to Intune
  2. Purchase app licences in ABM (even free apps need licence assignment)
  3. Sync licences to Intune
  4. Assign apps to device or user groups

Supervised devices can receive silent app installs. Unsupervised devices prompt the user for consent.

Managed Google Play (Android)

For Android Enterprise devices:

  1. Link your Intune tenant to Managed Google Play (done during Android enrollment setup)
  2. Approve apps in the Managed Google Play console
  3. Apps sync to Intune
  4. Assign to user or device groups
  5. Apps appear in the work profile’s Play Store or install silently
💡 Exam tip: app deployment timing

After assigning an app, how long before it appears on the device?

  • Windows (Required): Next device sync (default every 8 hours, or force sync)
  • iOS (Required, supervised): Next MDM check-in (typically within 1 hour)
  • Android (Required): Managed Google Play syncs approximately every 30 minutes
  • Available apps: Appear in Company Portal/Play Store at next sync — user installs on their own schedule

The exam may test timing expectations. Key: Required apps deploy automatically at the next sync. Force sync if you need it faster.

App monitoring and troubleshooting

After deployment, monitor app status in Intune admin center → Apps → Monitor:

StatusMeaning
InstalledApp successfully installed on device
Install pendingApp assigned but not yet installed (waiting for sync)
FailedInstallation failed — check error code
Not applicableDevice doesn’t meet requirements (wrong OS, architecture)
Not installedApp assigned as Available but user hasn’t installed it
ℹ️ Deep dive: common app deployment failures

Common issues Aroha encounters at CloudForge:

ErrorLikely CauseFix
0x87D13B9FApp download timeoutCheck device internet connectivity
0x87D1041CDetection rule mismatchVerify detection rules match installed app
0x80073CF9Package conflictAnother version of the app is already installed
App stuck at “Install pending”Device hasn’t syncedForce sync via remote action
App shows “Not applicable”Wrong requirementsCheck OS version and architecture requirements

🎬 Video walkthrough

🎬 Video coming soon

Deploy Apps with Intune & App Stores — MD-102 Module 19

Deploy Apps with Intune & App Stores — MD-102 Module 19

~10 min

Flashcards

Question

What delivers Win32 apps to Windows devices?

Click or press Enter to reveal answer

Answer

The Intune Management Extension (IME) — a service that runs on enrolled Windows devices and handles Win32 app download, installation, and detection. It's installed automatically when a Win32 app or PowerShell script is assigned.

Click to flip back

Question

How are iOS apps deployed at scale using Intune?

Click or press Enter to reveal answer

Answer

Through Apple Volume Purchase Program (VPP) via Apple Business Manager. Licences are purchased in ABM, synced to Intune, and assigned to users or devices. Supervised devices get silent installs; unsupervised devices prompt the user.

Click to flip back

Question

Can you silently install apps on unsupervised iOS devices?

Click or press Enter to reveal answer

Answer

No. Unsupervised iOS devices always prompt the user for consent before installing apps. Silent (forced) installation requires supervised mode through Apple Automated Device Enrollment (ADE).

Click to flip back

Knowledge Check

Knowledge Check

Aroha assigns a Required Win32 app to all CloudForge devices at 2:00 PM. When will the app install?

Knowledge Check

Riko needs to deploy Slack to designers' personal iPhones (Entra Registered, not supervised). She assigns Slack as Required via VPP. What happens?


Next up: Microsoft 365 Apps: Deploy, Customize & Manage — deploying the Office suite through Intune with the ODT and M365 Apps admin center.

← Previous

App Deployment: Prepare & Package

Next →

Microsoft 365 Apps: Deploy, Customize & Manage

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.