🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided MD-102 Domain 4
Domain 4 — Module 5 of 5 100%
27 of 27 overall

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization
Domain 4: Protect Devices Premium ⏱ ~10 min read

Cross-Platform Updates & Delivery Optimization

Managing updates isn't just Windows. Learn to handle Android updates via config profiles and FOTA, plus configure Delivery Optimization to save bandwidth across your network.

Android update management

☕ Simple explanation

Android updates are like different postal services — it depends on who made the device and how it’s managed.

Unlike Windows (where Microsoft controls updates directly), Android updates come through the device manufacturer (Samsung, Google, etc.). Intune can influence WHEN updates install and which updates are allowed, but it works differently depending on the management level and the OEM.

Android update management in Intune varies by enrollment type and OEM. For Android Enterprise devices, Intune provides device configuration profiles that control system update behaviour (install window, freeze periods). For Samsung devices, Samsung’s firmware-over-the-air (FOTA) integration with Intune enables granular firmware version control. Google Pixel devices support similar controls through Android Enterprise.

Android update options

MethodWhat It ControlsSupported Devices
System update configuration profileWhen updates install (immediate, scheduled, postpone 30 days)All Android Enterprise managed devices
Freeze periodsBlock updates during critical business periodsAndroid Enterprise (API level 28+)
Samsung FOTA (Knox E-FOTA)Specific firmware versions, force or block updatesSamsung devices with Knox
Managed Google Play auto-updateApp updates from Play StoreAll Android Enterprise devices

System update behaviour settings

SettingBehaviour
AutomaticDevice downloads and installs updates when available
WindowedUpdates only install during a defined time window (e.g., 2 AM - 5 AM)
PostponeDelay system updates for up to 30 days
DefaultDevice follows its default OEM update behaviour

Samsung FOTA with Intune

Samsung’s Enterprise Firmware Over The Air (E-FOTA) provides deeper control:

  • Pin devices to a specific firmware version — prevent uncontrolled updates
  • Force a specific update — push a tested firmware version to all Samsung devices
  • Schedule updates — install during maintenance windows
  • Requires Samsung Knox Mobile Enrollment and Knox E-FOTA licence
💡 Exam tip: Android updates vary by OEM

The exam recognises that Android update management is more limited than Windows:

  • Standard Android Enterprise — you can schedule install windows and postpone up to 30 days
  • Samsung Knox — deeper control with firmware pinning and forced updates
  • Personal work profile devices — you generally can’t control system updates (user manages the device)

If a question asks about forcing a specific Android firmware version → Samsung FOTA is the answer.

Delivery Optimization

What is it?

☕ Simple explanation

Think of Delivery Optimization like a neighbourhood lending library.

Instead of every house (device) driving to the bookshop (Microsoft’s servers) to buy the same book (update), the first house buys the book and shares it with the neighbours. Delivery Optimization lets devices share update content with each other over the local network — dramatically reducing internet bandwidth usage.

Delivery Optimization (DO) is a peer-to-peer content distribution technology built into Windows. It allows devices to download update and app content from other devices on the local network (or optionally the internet), reducing the amount of bandwidth consumed from Microsoft’s CDN. DO is configured via Intune configuration profiles or update rings.

Download modes

ModeBehaviourBest For
HTTP only (0)No peering — download only from MicrosoftTesting, or when peering isn’t desired
LAN (1)Share with devices on the same local networkMost organisations (default)
Group (2)Share within a defined group (AD site, domain, Entra group)Multi-site organisations
Internet (3)Share with any device running DO, including internet peersLarge distributed organisations
Simple (99)HTTP only, no peering, no cloud serviceEnvironments with strict network policies
Bypass (100)Use BITS instead of DOFallback for troubleshooting

Configuration via Intune

Where: Intune admin center → Devices → Configuration → Settings catalog → Search “Delivery Optimization”

SettingPurposeSam’s Choice
Download modeHow devices share contentGroup (2) — share within each office location
Max cache sizePercentage of disk for cached content20%
Max cache ageHow long to keep cached content7 days
Bandwidth limitsMaximum upload/download bandwidth for DO50% foreground, 30% background

Sam configures Group mode so devices in the Wellington office share with each other, and devices in the Auckland office share separately — preventing cross-site WAN traffic.

Monitoring updates

Where to monitor

DashboardWhat It Shows
Intune admin center → Reports → Windows updatesUpdate ring compliance, feature update status, quality update status
Intune admin center → Devices → MonitorPer-device update status, pending updates, failed updates
Microsoft Defender portal → Device inventorySecurity update status per device
Endpoint AnalyticsUpdate impact on device performance (boot times, crashes)

Key reports

ReportPurpose
Windows update complianceWhich devices are current vs behind on updates
Feature update statusProgress of a targeted feature update rollout
Quality update statusWhich devices have the latest security patches
Update failuresDevices where updates failed with error codes
Delivery OptimizationBandwidth savings from peer-to-peer sharing
ℹ️ Deep dive: update monitoring workflow

Sam’s weekly update monitoring routine:

  1. Monday: Check quality update report — any devices missing last week’s patches?
  2. Tuesday: Review update failures — investigate and remediate failed devices
  3. Wednesday: Check Delivery Optimization report — verify bandwidth savings
  4. Friday: Review feature update rollout progress (if active)

For Ring 0 (IT preview), Sam monitors daily for the first 3 days after updates release. If issues appear, he pauses the update ring for Ring 1 and Ring 2 before they receive the update.

🎬 Video walkthrough

🎬 Video coming soon

Cross-Platform Updates & Delivery Optimization — MD-102 Module 27

Cross-Platform Updates & Delivery Optimization — MD-102 Module 27

~10 min

Flashcards

Question

How does Intune manage Android system updates?

Click or press Enter to reveal answer

Answer

Through device configuration profiles: set update behaviour to automatic, windowed (specific time), or postpone (up to 30 days). For Samsung devices, Knox E-FOTA provides deeper control including firmware version pinning. Personal work profile devices can't be controlled for system updates.

Click to flip back
Question

What is Delivery Optimization and why use it?

Click or press Enter to reveal answer

Answer

A peer-to-peer content sharing technology in Windows. Devices share update and app content with nearby devices instead of each downloading from Microsoft's servers. Reduces internet bandwidth usage. Default mode is LAN (local network sharing).

Click to flip back
Question

Name three places to monitor update status in Intune.

Click or press Enter to reveal answer

Answer

1. Intune admin center → Reports → Windows updates (compliance overview). 2. Devices → Monitor (per-device status). 3. Endpoint Analytics (update impact on performance). Additionally, the Defender portal shows security update status.

Click to flip back

Knowledge Check

Knowledge Check

Riko has 20 Samsung tablets at Pixel & Co that must stay on a specific Android firmware version because the design app hasn't been tested on newer firmware. How should Riko control this?
Knowledge Check

Sam notices that every time a Windows update is released, his office's internet bandwidth is overwhelmed because all 300 Wellington office devices download the update simultaneously from Microsoft. What should Sam configure?

🎉 Congratulations! You’ve completed all 27 modules of the MD-102 study guide. Review any modules you found challenging, then head to the practice questions to test your knowledge.

← Previous

Plan and Manage Windows Updates

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.