MD-102 Study Guide

Domain 4: Protect Devices (~12 min read)

Endpoint Security: Antivirus, Firewall & Encryption

The three pillars of endpoint security through Intune: antivirus policies for threat protection, firewall policies for network defense, and disk encryption for data at rest.

The three pillars of endpoint security

☕ Simple explanation

Think of endpoint security like protecting a house.

  • Antivirus = the alarm system: detects and removes intruders (malware) that get inside
  • Firewall = the locked doors and windows: controls what comes in and goes out of the network
  • Disk encryption = a safe for your valuables: if someone steals the laptop, they can’t read the hard drive

All three are configured and enforced through Intune’s Endpoint Security node; Chen Wei at Meridian Bank manages all 10,000 devices from one dashboard.

Intune’s Endpoint Security node provides dedicated policy types for antivirus, firewall, and disk encryption. These policies offer focused management for security settings, separate from the broader device configuration profiles. They integrate with Microsoft Defender for Endpoint for advanced threat protection and are part of a defence-in-depth strategy.

Antivirus policies

What you configure

| Setting | Options | Chen Wei’s Choice |
|---|---|---|
| Real-time protection | On/Off | On (always) |
| Cloud-delivered protection | On/Off | On (uses Microsoft’s cloud intelligence) |
| Cloud protection level | Not configured / High / High+ / Zero tolerance | High+ (banking requires aggressive detection) |
| Scan type | Quick / Full | Quick scan daily, Full scan weekly |
| Scheduled scan | Time and frequency | Daily at 12:00 PM (lunch break) |
| Exclusions | File/folder/process/extension | Exclude banking app data folder (performance) |
| PUA detection | On/Off | On (block potentially unwanted applications) |
| Tamper protection | On/Off | On (prevent users from disabling Defender) |

Where to create antivirus policies

Intune admin center → Endpoint security → Antivirus → Create policy

| Platform | Profile Types |
|---|---|
| Windows | Microsoft Defender Antivirus, Microsoft Defender Antivirus Exclusions, Windows Security Experience |
| macOS | Microsoft Defender Antivirus (requires Defender for Endpoint on Mac) |
| Linux | Microsoft Defender Antivirus (requires Defender for Endpoint on Linux) |

💡 Exam tip: tamper protection

Tamper protection prevents users and malware from disabling Microsoft Defender Antivirus settings. When enabled:

  • Users can’t turn off real-time protection
  • Malware can’t disable Defender via registry changes
  • Third-party security tools can’t override Defender settings

The exam may describe a scenario where Defender keeps getting disabled; the answer is to enable tamper protection. It’s managed through the Microsoft Defender portal (security.microsoft.com), not just Intune.

Firewall policies

Windows Defender Firewall via Intune

| Setting | Options | Purpose |
|---|---|---|
| Domain profile | On/Off + rules | Applies when connected to the corporate network |
| Private profile | On/Off + rules | Applies on home/trusted networks |
| Public profile | On/Off + rules | Applies on public Wi-Fi (most restrictive) |
| Block inbound connections | Yes/No per profile | Block unsolicited incoming traffic |
| Firewall rules | Allow/Block specific ports, protocols, apps | Custom rules for LOB apps, remote management |

Firewall rule configuration

| Rule Setting | Example |
|---|---|
| Name | Allow banking app port 8443 |
| Direction | Inbound |
| Action | Allow |
| Protocol | TCP |
| Local port | 8443 |
| Remote address | 10.0.0.0/8 (corporate network only) |
| Application | C:\Program Files\BankApp\bank.exe |
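The rule in the table above, recreated locally as an added example (not code from the page or from Microsoft) so it can be tested on a pilot device before the same rule is published through an Intune firewall policy. It assumes an elevated PowerShell session on Windows with the built-in NetSecurity module; the name, path, port and address range are the page's own example values.

```powershell
# Added example, not from the page or Microsoft: create the banking-app rule locally
# and confirm every firewall profile still blocks unsolicited inbound traffic.
# Run elevated on Windows; the values below are the page's own example values.

$ruleName = 'Allow banking app port 8443'
$appPath  = 'C:\Program Files\BankApp\bank.exe'

# Remove any earlier copy so the script can be re-run without creating duplicates
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Scope the rule to the Domain profile as well as the 10.0.0.0/8 range: both
# conditions must hold, so port 8443 is never exposed on private or public networks
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound `
    -Action Allow `
    -Protocol TCP `
    -LocalPort 8443 `
    -RemoteAddress 10.0.0.0/8 `
    -Program $appPath `
    -Profile Domain `
    -Enabled True | Out-Null

# Read the rule back: port/protocol and remote address live in separate filter objects
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Direction, Action, Profile, Enabled
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Every profile should be on and default to blocking unsolicited inbound traffic
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled -or $fwProfile.DefaultInboundAction -ne 'Block') {
        Write-Warning "$($fwProfile.Name) profile does not block unsolicited inbound traffic"
    }
}
```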

Disk encryption policies

BitLocker (Windows)

| Setting | Options | Chen Wei’s Choice |
|---|---|---|
| Require encryption | Yes/No | Yes (all corporate devices) |
| Encryption method | XTS-AES 128, XTS-AES 256 | XTS-AES 256 (banking standard) |
| OS drive encryption | Required | Required |
| Fixed drive encryption | Required / Not required | Required |
| Recovery key escrow | Save to Entra ID | Yes (recovery keys stored in Entra) |
| Startup authentication | TPM only, TPM + PIN, TPM + key | TPM only (seamless for users) |
| Silent encryption | Yes/No | Yes (encrypt without user interaction) |

FileVault (macOS)

For macOS devices, disk encryption uses FileVault (covered in Module 13). Intune manages FileVault through endpoint security or device configuration profiles.

ℹ️ Deep dive: BitLocker recovery key management

When BitLocker encrypts a drive, a recovery key is generated. This 48-digit key unlocks the drive if the normal unlock method fails (TPM issue, forgotten PIN, motherboard replacement).

Intune workflow:

  1. BitLocker encrypts the drive → recovery key generated
  2. Key is automatically escrowed to Entra ID (attached to the device object)
  3. Helpdesk views the key in Intune admin center → Devices → select device → Recovery keys
  4. After use, the key should be rotated (see Module 17)

Exam tip: If a user gets a BitLocker recovery prompt after a hardware change, the helpdesk retrieves the key from Entra ID/Intune, not from a file on the device or a USB drive.
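A read-only audit that checks one Windows device against the antivirus table and the BitLocker table above, including whether a recovery key escrow to Entra ID has actually been recorded, added here as an example (not code from the page, Intune or Microsoft). It assumes an elevated session with the built-in Defender and BitLocker modules, and the approved exclusion path is a placeholder for the page's "banking app data folder".

```powershell
# Added example, not from the page or Microsoft: report every deviation from
# Chen Wei's antivirus and BitLocker choices on this device. Read-only; run elevated.
$approvedExclusion = 'C:\ProgramData\BankApp\Data'   # assumption: placeholder path
$findings = [System.Collections.Generic.List[string]]::new()

# --- Microsoft Defender Antivirus ---
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is off') }
if ($pref.MAPSReporting -eq 0)              { $findings.Add('Cloud-delivered protection is off') }
# CloudBlockLevel: 0 default, 2 High, 4 High+, 6 Zero tolerance
if ($pref.CloudBlockLevel -lt 4) { $findings.Add("Cloud protection level is $($pref.CloudBlockLevel), expected High+ (4)") }
# PUAProtection: 0 off, 1 block, 2 audit only
if ($pref.PUAProtection -ne 1)              { $findings.Add('PUA detection is not set to block') }
# Any exclusion other than the approved data folder widens the blind spot and needs review
foreach ($path in @($pref.ExclusionPath)) {
    if ($path -and $path -ne $approvedExclusion) { $findings.Add("Unapproved exclusion: $path") }
}

# --- BitLocker ---
foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings.Add("$mp is $($vol.VolumeStatus)") }
    if ($vol.ProtectionStatus -ne 'On')         { $findings.Add("$mp protection is not on (suspended or off)") }
    if ($vol.EncryptionMethod -ne 'XtsAes256')  { $findings.Add("$mp uses $($vol.EncryptionMethod), expected XTS-AES 256") }
    $protectors = @($vol.KeyProtector.KeyProtectorType)
    # Page chose TPM only for startup authentication, so TPM+PIN is reported too
    if ($vol.VolumeType -eq 'OperatingSystem' -and 'Tpm' -notin $protectors) {
        $findings.Add("$mp has no TPM-only protector")
    }
    if ('RecoveryPassword' -notin $protectors) {
        $findings.Add("$mp has no recovery password, so there is nothing to escrow to Entra ID")
    }
}

# --- Recovery key escrow ---
# Event 845 in the BitLocker Management log records a successful backup of recovery
# information to Entra ID (Azure AD); 846 records a failed attempt.
$escrow = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $escrow) { $findings.Add('No successful Entra ID recovery key escrow event (ID 845) found') }

if ($findings.Count -eq 0) { 'Device matches the Meridian Bank baseline' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

If the escrow check fails on an Entra-joined device, `BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <recovery password protector id>` re-submits the recovery password; an Intune silent-encryption policy normally does this without any helpdesk action.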

🎬 Video walkthrough

Video coming soon: Endpoint Security: Antivirus, Firewall & Encryption (MD-102 Module 23, ~12 min).
Flashcards

Question: What are the three main endpoint security policy types in Intune?

Answer: 1. Antivirus: real-time protection, scans, cloud intelligence, tamper protection. 2. Firewall: domain/private/public network profiles, custom rules. 3. Disk encryption: BitLocker for Windows, FileVault for macOS.

Question: What is tamper protection and why is it important?

Answer: Tamper protection prevents users and malware from disabling Microsoft Defender Antivirus settings. It stops real-time protection from being turned off, registry changes that disable Defender, and third-party tools from overriding settings. Managed through the Defender portal.

Question: Where are BitLocker recovery keys stored when managed by Intune?

Answer: In Microsoft Entra ID, attached to the device object. Helpdesk can view them in the Intune admin center (Devices → select device → Recovery keys). Keys should be rotated after use.

Knowledge Check

  1. Chen Wei discovers that a malware strain at another bank disabled Microsoft Defender before executing its payload. How can he prevent this at Meridian Bank?
  2. A user's laptop at Meridian Bank has a motherboard replacement and now shows a BitLocker recovery screen on boot. How should the helpdesk retrieve the recovery key?

Next up: Attack Surface Reduction & Security Baselines, hardening devices with ASR rules and Microsoft-recommended security configurations.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.