MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization


Domain 4: Protect Devices (Premium, ~11 min read)

Attack Surface Reduction & Security Baselines

ASR rules block common attack techniques before they execute. Security baselines apply Microsoft's recommended security settings across your fleet. Together, they harden devices proactively.

Attack Surface Reduction (ASR)

☕ Simple explanation

If antivirus is a guard who catches intruders inside the building, ASR is boarding up the windows they’d use to break in.

ASR rules block the TECHNIQUES attackers use — like Office macros that download malware, scripts that run from email attachments, or processes that inject code into other programs. Instead of detecting malware after it runs, ASR prevents the attack method from working in the first place.

Attack Surface Reduction (ASR) rules target specific behaviours commonly used in malware attacks. They operate at the operating system level, blocking techniques like Office macro code execution, script obfuscation, credential theft from LSASS, and unsigned/untrusted processes. ASR rules are configured through Intune endpoint security policies and report status through the Microsoft Defender portal.

Key ASR rules

| Rule | What It Blocks | Why It Matters |
|---|---|---|
| Block Office apps from creating executable content | Macros that drop .exe files | Prevents macro-based malware delivery |
| Block Office apps from injecting code into other processes | Process injection from Office | Stops Office from being a launchpad for attacks |
| Block executable content from email client and webmail | Executables opened from email | Prevents phishing attachments from executing |
| Block JavaScript or VBScript from launching downloaded content | Script-based downloaders | Stops "download and execute" attack chains |
| Block credential stealing from LSASS | Memory scraping of credentials | Prevents pass-the-hash attacks |
| Block untrusted/unsigned processes from USB | USB-based attacks | Stops malware from USB drives |
| Block process creations from PSExec and WMI | Lateral movement tools | Prevents attackers from spreading across the network |

ASR rule modes

| Mode | Behaviour | When to Use |
|---|---|---|
| Not configured | Rule is off | Default state |
| Block | Rule actively blocks the behaviour | Production — after testing |
| Audit | Rule logs the behaviour but doesn't block | Testing — see impact before blocking |
| Warn | User sees a warning but can override | Transition — educate users before enforcing |

💡 Exam tip: audit mode first

The exam expects you to know the recommended deployment approach:

  1. Audit mode first — deploy rules in audit to see which legitimate activities would be blocked
  2. Review audit logs (Defender portal → Reports → ASR)
  3. Create exclusions for legitimate business processes that trigger rules
  4. Switch to Block mode for production enforcement

If a question asks "how should Chen Wei deploy ASR rules to 10,000 devices safely?" — start with Audit, then move to Block after testing.
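As an added example (not code from this page, from Intune, or from Microsoft), the same Audit → review → exclude → Block sequence run on a single pilot device with the built-in Defender PowerShell cmdlets, the way you would validate rule impact before the Intune endpoint security policy goes fleet-wide. The two rule GUIDs are the published identifiers for rules in the table above; the event-data field names (ID, Process Name, Path) are assumed to match the Defender operational event XML; the excluded path is hypothetical.

```powershell
# Added example: staged ASR rollout on one device with the Defender cmdlets.
# In production the Intune endpoint security policy delivers these settings; this
# mirrors the same Audit -> review -> exclude -> Block sequence locally for a pilot.
#Requires -RunAsAdministrator

# Rule GUIDs from Microsoft's published ASR rule reference (two rules from the table above).
$Rules = @{
    'Block Office apps from creating executable content' = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block credential stealing from LSASS'               = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}
$RuleIds = [string[]]$Rules.Values

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $RuleIds,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Warn', 'Enabled', 'Disabled')] [string] $Mode
    )
    # Add-MpPreference updates only the listed rules; other configured rules are left untouched.
    # Ids and Actions are parallel arrays, so repeat the mode once per rule.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds `
                     -AttackSurfaceReductionRules_Actions (@($Mode) * $RuleIds.Count)
}

function Get-AsrAuditHits {
    param([int] $Days = 7)
    # Event 1122 = rule matched in audit mode (1121 is the block event). Field names assumed from the event XML.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            RuleId  = ($data | Where-Object Name -eq 'ID').'#text'
            Process = ($data | Where-Object Name -eq 'Process Name').'#text'
            Path    = ($data | Where-Object Name -eq 'Path').'#text'
        }
    }
}

# Step 1: audit first.
Set-AsrRuleMode -RuleIds $RuleIds -Mode AuditMode

# Step 2: after the audit window, see which processes would have been blocked, per rule.
Get-AsrAuditHits -Days 7 | Group-Object RuleId, Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Step 3: exclude a legitimate business process that triggered a rule (hypothetical path).
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\FinanceApp\reportgen.exe'

# Step 4: enforce, then confirm how the device reports each rule (1 = Block, 2 = Audit, 6 = Warn).
Set-AsrRuleMode -RuleIds $RuleIds -Mode Enabled
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

Run steps 1 and 2 on the pilot device, wait out the audit window, then run steps 3 and 4 only once the grouped report shows no unexpected business processes.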

Security baselines

What are they?

Security baselines are Microsoft-recommended security configuration templates. Instead of configuring hundreds of individual security settings, you apply a baseline that represents Microsoft’s best-practice security posture.

Available baselines in Intune

| Baseline | What It Configures |
|---|---|
| Microsoft Defender for Endpoint | Defender AV settings, ASR rules, network protection, exploit protection |
| Windows 365 Security Baseline | Cloud PC-specific security settings |
| Microsoft Edge Baseline | Browser security: SmartScreen, password manager, extension control |
| Windows MDM Security Baseline | OS-level settings: BitLocker, firewall, account lockout, audit policies |

Security baselines vs custom policies

| Feature | Security Baselines | Custom Policies |
|---|---|---|
| Configuration source | Microsoft's recommended settings | Admin defines every setting |
| Effort to create | Low — select baseline, override where needed | High — configure each setting individually |
| Updates | Microsoft releases new baseline versions periodically | Admin must update manually |
| Flexibility | Can override individual settings | Complete control over every setting |
| Best for | Starting point — apply baseline, then customise | Organisations with specific security requirements |
| Conflict risk | Can conflict with existing config profiles | You control everything — fewer surprises |

ℹ️ Deep dive: baseline versioning and conflicts

Microsoft periodically releases new versions of security baselines. When a new version arrives:

  • Existing baseline assignments don't automatically update — they stay on the version you deployed
  • You must manually create a new profile with the new baseline version and assign it
  • Compare old vs new version to understand what changed before deploying

Conflict warning: If you have a security baseline AND a custom device configuration profile that configure the same setting with different values, there will be a conflict. The conflict is flagged in device status. Resolution: either remove the setting from the custom profile or override it in the baseline.

🎬 Video walkthrough: Attack Surface Reduction & Security Baselines — MD-102 Module 24 (~11 min). Video coming soon.

Flashcards

Question: What do Attack Surface Reduction (ASR) rules do?

Answer: Block specific attack TECHNIQUES rather than specific malware. They prevent behaviours like Office macros creating executables, scripts downloading content, credential theft from LSASS, and USB-based attacks. Configured in Intune endpoint security → Attack surface reduction.

Question: What's the recommended way to deploy ASR rules?

Answer: Start in Audit mode (logs but doesn't block), review logs for false positives, create exclusions for legitimate processes, then switch to Block mode. Never deploy straight to Block on a large fleet.

Question: What is a security baseline in Intune?

Answer: A Microsoft-recommended template of security settings that represents best-practice configuration. Available for Defender for Endpoint, Windows MDM, Edge, and Windows 365. Apply as a starting point, then override individual settings where your org needs differ.

Knowledge Check

  1. Chen Wei wants to block Office macros from creating executable files on all 10,000 Meridian Bank devices. But he's worried about blocking legitimate macro-based workflows in the finance department. What's the recommended approach?

  2. Chen Wei applies a Microsoft Defender for Endpoint security baseline AND a custom device configuration profile to the same device group. Both configure the 'Cloud-delivered protection level' setting but with different values. What happens?


Next up: Defender for Endpoint: Integrate & Onboard — connecting Intune with Microsoft Defender for Endpoint for advanced threat protection.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.