
MS-102 Study Guide

Domain 1: Deploy and Manage a Microsoft 365 Tenant

  • Establish and Configure Your M365 Tenant
  • Monitor Tenant Health and Network Readiness
  • Adoption Tracking and Microsoft 365 Backup
  • Manage Users, Contacts and External Identities
  • Groups, Shared Mailboxes and Licensing at Scale
  • Automate with PowerShell: Bulk User Operations
  • Roles, Role Groups and Workload Permissions
  • Delegate with Administrative Units and PIM

Domain 2: Implement and Manage Microsoft Entra Identity and Access

  • Prepare for Identity Synchronization
  • Implement Connect Sync and Cloud Sync
  • Monitor and Troubleshoot Identity Sync
  • Authentication Methods and Self-Service Password Reset
  • Password Protection and Authentication Troubleshooting
  • Entra Identity Protection and Risk Policies
  • Conditional Access and MFA Enforcement

Domain 3: Manage Security and Threats by Using Microsoft Defender XDR

  • Defender XDR: Security Posture and Threat Intelligence
  • Investigate Incidents with Advanced Hunting
  • Defender for Office 365: Threat Policies
  • Email Threats, Attack Simulation and Restricted Entities
  • Defender for Endpoint: Onboard and Protect
  • Vulnerability Management
  • Defender for Cloud Apps: Connect and Govern
  • Cloud App Discovery and Activity Monitoring

Domain 4: Manage Compliance by Using Microsoft Purview

  • Sensitive Information Types and Data Classification
  • Retention Labels and Data Lifecycle
  • Sensitivity Labels and Monitoring
  • DLP Policies Across M365 Workloads
  • Endpoint DLP and Alert Response


Domain 3: Manage Security and Threats by Using Microsoft Defender XDR

Defender for Endpoint: Onboard and Protect

Onboard devices to Microsoft Defender for Endpoint, configure endpoint security settings, and establish your device protection baseline.

Bringing devices into the fight

☕ Simple explanation

Defender for Endpoint turns every device into a security sensor.

Think of it like installing a black-box recorder in every company car. The car still drives normally, but now every journey, every harsh brake, and every near-miss is logged and sent to a central control room. If something dangerous happens (a crash, a theft attempt), the control room can react in real time: lock the engine, sound the alarm, alert the fleet manager.

That’s what onboarding does. Until a device is onboarded, it’s invisible to your security team. Once onboarded, Defender for Endpoint watches processes, network connections, file changes, and user behavior, and responds automatically when threats appear.

Microsoft Defender for Endpoint (MDE) is a cloud-native endpoint detection and response platform that provides:

  • Endpoint Detection and Response (EDR): real-time telemetry collection and advanced threat hunting
  • Attack Surface Reduction (ASR): rules that proactively block common attack techniques
  • Automated Investigation and Remediation (AIR): automatic triage and response to detected threats
  • Threat and Vulnerability Management: continuous vulnerability assessment across your device fleet

Devices must be onboarded (enrolled into the MDE service) before any of these capabilities apply. Onboarding deploys the MDE sensor component, which sends telemetry to the Microsoft Defender portal. The method you choose depends on device count, management infrastructure, and operating system.

Plan 1 vs Plan 2: what you actually get

Marcus is evaluating licensing for Oakwood Financial. The distinction between Plan 1 and Plan 2 appears on the exam regularly.

Defender for Endpoint Plan 1 vs Plan 2

Included in both Plan 1 and Plan 2:

  • Next-generation protection (antimalware)
  • Attack surface reduction rules
  • Device-based Conditional Access
  • Controlled folder access
  • Web content filtering

Plan 2 only:

  • Endpoint Detection and Response (EDR)
  • Automated investigation and remediation
  • Threat and Vulnerability Management
  • Advanced hunting (KQL queries)
  • Sandbox detonation (deep analysis)
  • Endpoint Attack Notifications

Included with: Plan 1 comes with Microsoft 365 E3/A3; Plan 2 comes with Microsoft 365 E5/A5 Security.

💡 Exam tip: Plan 1 vs Plan 2 boundary

The exam tests whether you know which capabilities require Plan 2. The key dividing line: Plan 1 is prevention-focused (ASR, antimalware, web filtering). Plan 2 adds detection and response (EDR, automated investigation, vulnerability management, advanced hunting). If a question describes investigating an alert timeline or running a KQL hunt query, that’s Plan 2 territory.

Onboarding methods: matching method to environment

Marcus needs to onboard 800 devices at Oakwood Financial. Choosing the right onboarding method is critical: the wrong approach means manual effort multiplied across every device.

Windows devices

  • Local script. Best for: testing, POC, small batches under 10 devices. How it works: download the onboarding script from the Defender portal and run it locally on each device.
  • Intune (Microsoft Endpoint Manager). Best for: cloud-managed devices at any scale. How it works: deploy the MDE configuration profile via Intune; fully automated, zero touch.
  • Group Policy. Best for: domain-joined devices in on-premises AD. How it works: deploy the onboarding script via GPO, targeting OUs or security groups.
  • Configuration Manager (MECM/SCCM). Best for: large enterprises with existing MECM infrastructure. How it works: use the MDE onboarding task sequence or client settings.
  • VDI onboarding script. Best for: non-persistent virtual desktops (AVD, Citrix). How it works: a modified script designed for session-based environments that re-image frequently.

Cross-platform support

MDE isn’t Windows-only. The exam expects you to know supported platforms and their onboarding mechanisms.

  • macOS. Onboarding method: Intune, JAMF, or manual script. Key limitation: requires system extension approval and full disk access.
  • Linux. Onboarding method: package manager (apt/yum), Puppet, or Ansible. Supported distros: RHEL, Ubuntu, Debian, SLES, Oracle Linux, Amazon Linux, Fedora, Rocky, Alma.
  • iOS. Onboarding method: Intune via the managed Microsoft Defender app. Key limitation: supervised mode recommended (enables web protection without a local VPN).
  • Android. Onboarding method: Intune via the managed Microsoft Defender app. Key limitation: requires Android 10.0 or later.

ℹ️ Marcus's onboarding decision at Oakwood Financial

Marcus has 800 devices: 650 Windows laptops (Intune-managed), 80 macOS devices (JAMF-managed), 50 iPads (Intune-managed), and 20 Linux servers (Ansible-managed). His onboarding plan:

  • Windows laptops: Intune endpoint detection and response policy (zero touch, auto-deploys)
  • macOS: JAMF integration with MDE (handles system extension approval)
  • iPads: Intune app deployment (push the Microsoft Defender app as required)
  • Linux servers: Ansible playbook using the MDE package repository

No local scripts needed. Every method is automated and reportable. Marcus can track onboarding status from the Defender portal’s device inventory.

Endpoint security settings: the protection baseline

Once devices are onboarded, you configure four core protection capabilities.

Attack Surface Reduction (ASR) rules

ASR rules block specific behaviors that malware commonly exploits. They don’t detect threats; they prevent attack techniques from working in the first place.

Key ASR rules for the exam:

  • Block executable content from email and webmail: stops executables, scripts, and Office macros downloaded via email from running.
  • Block Office applications from creating child processes: prevents Word/Excel from spawning PowerShell or cmd.exe.
  • Block credential stealing from LSASS: prevents processes from reading credentials from LSASS memory.
  • Block untrusted and unsigned processes from USB: prevents execution of unsigned executables from removable media.
  • Use advanced protection against ransomware: applies heuristic checks to block files that resemble ransomware behavior.

ASR rules can run in audit mode (log only) or block mode (enforce). Always deploy in audit mode first to identify false positives.
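The audit-first rollout described above, worked through in PowerShell on a pilot machine as an added example (not the study guide's or Microsoft's own material): it stages two of the rules listed here in audit mode, reads the audit events the sensor writes to the Defender operational log, ranks the triggering processes so false positives stand out, and only then enforces. The rule GUIDs, the event ID and the event-field names are taken from Microsoft's published documentation and should be checked against Microsoft Learn; the exclusion path is a placeholder.

```powershell
# Added example (not from the study guide): roll out ASR rules audit-first.
# Needs the Defender cmdlets (Set-MpPreference, Add-MpPreference); run elevated.
# GUIDs are the published IDs for two rules in this section; verify on Microsoft Learn.
$AsrRules = @{
    'Block Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS'                    = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}
function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]]$RuleId,
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode
    )
    # Set-MpPreference takes parallel arrays: one action per rule ID.
    $actions = @($RuleId | ForEach-Object { $Mode })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $actions
}
function Get-AsrAuditHits {
    param([int]$Days = 7)
    # Event 1122 = rule matched in audit mode (1121 = blocked in block mode).
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            RuleId  = $data['ID']            # field names as emitted in the event XML
            Process = $data['Process Name']  # the process that triggered the rule
            Target  = $data['Path']
            User    = $data['User']
        }
    }
}
# 1. Stage every rule in audit mode.
Set-AsrRuleMode -RuleId ([string[]]$AsrRules.Values) -Mode AuditMode
# 2. After the review window, rank what would have been blocked; a line-of-business
#    process that dominates the list is a false-positive candidate to vet, not a threat.
Get-AsrAuditHits -Days 7 |
    Group-Object RuleId, Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
# 3. Exclude only vetted binaries (placeholder path), then switch to block mode.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\LOB\helper.exe'
# Set-AsrRuleMode -RuleId ([string[]]$AsrRules.Values) -Mode Enabled
```

For a fleet-wide rollout the same rule IDs and actions are pushed through Intune or GPO; the cmdlets here are for validating on a pilot device.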

Controlled folder access

Protects designated folders (Documents, Desktop, Pictures, and any custom folders you add) from unauthorized changes. Only trusted applications can modify files in protected folders. This is the primary anti-ransomware capability β€” ransomware that tries to encrypt files in protected folders gets blocked.

Exploit protection

System-level and per-application mitigations against memory corruption exploits. Replaces the legacy EMET tool. Configurable via Intune, GPO, or PowerShell XML export/import. Key mitigations include DEP, ASLR, and Control Flow Guard.

Network protection

Extends SmartScreen protection beyond the browser to all HTTP/HTTPS traffic on the device. Blocks connections to known-malicious domains and IP addresses. Works at the network layer, catching threats that web filtering alone would miss.

Question

What is the primary anti-ransomware feature in Defender for Endpoint?


Answer

Controlled folder access. It prevents unauthorized applications from modifying files in protected folders (Documents, Desktop, Pictures, and any custom paths). When ransomware attempts to encrypt these files, the modification is blocked. The feature must be enabled; it's off by default.

Question

What mode should you use when first deploying ASR rules?


Answer

Audit mode. This logs what the rule WOULD have blocked without actually enforcing it. Review the audit logs to identify false positives (legitimate applications that trigger the rule), then add exclusions before switching to Block mode. Deploying directly in Block mode risks breaking line-of-business applications.


Question

How does Intune-based onboarding work for Windows devices?


Answer

Create an endpoint detection and response configuration profile in Intune. This profile contains the onboarding package from your MDE tenant. Assign the profile to a device group. Intune pushes the configuration to targeted devices automatically; no user interaction or local scripts are needed. Onboarding status is visible in both Intune and the Defender portal.

Question

What is the difference between network protection and web content filtering?


Answer

Web content filtering blocks access to websites based on category (gambling, adult content, etc.) at the URL level. Network protection blocks connections to known-malicious domains and IPs at the network layer: it extends SmartScreen beyond the browser to catch malicious connections from any process on the device, not just browser traffic.

Device groups and role-based access

In the Defender portal, device groups let you segment your fleet for targeted policies and assign investigation responsibilities to specific security teams.

Marcus creates device groups at Oakwood Financial:

  • Executive devices. Criteria: device tag “VIP”. Assigned team: Tier 2 analysts.
  • Finance workstations. Criteria: AD domain group membership. Assigned team: Tier 1 analysts, Finance IT.
  • BYOD mobile. Criteria: OS is iOS or Android. Assigned team: Mobile security team.
  • Servers. Criteria: OS is Windows Server or Linux. Assigned team: Infrastructure security.

Device groups control:

  • Automated remediation level: which device groups allow full auto-remediation vs requiring analyst approval
  • Role-based access: security analysts only see devices in groups assigned to their role
  • Policy targeting: ASR rules, antivirus settings, and other configurations can target specific groups

💡 Exam tip: Automated remediation levels

Each device group has a remediation level: No automated response, Semi (require approval for core folders), or Full (auto-remediate everything). The exam tests whether you understand that newly onboarded devices fall into the default device group, and whatever remediation level is set there applies until you move devices to a custom group. Configure your default group conservatively.

Question

What happens to newly onboarded devices before you assign them to a custom device group?


Answer

They land in the default device group. The automated remediation level set on this default group applies to all new devices until an admin moves them to a custom group. Best practice: set the default group to Semi-automated remediation to avoid unintended automatic actions on unclassified devices.


Knowledge check

  • Marcus onboards Oakwood Financial's 650 Windows laptops to Defender for Endpoint via Intune. A week later, the security team reports they cannot see EDR alert timelines or run advanced hunting queries; they only see basic antivirus detections. What is the most likely cause?
  • Elena is configuring ASR rules for MedGuard Health's clinical workstations. The medical records application requires Microsoft Word to launch a helper process (child process) for document generation. Elena enables the 'Block Office applications from creating child processes' ASR rule. What should she do to prevent disruption?
  • Priya is planning MDE onboarding for GlobalReach Corp's 200 macOS devices managed by JAMF. Which additional step is required for macOS onboarding that is NOT needed for Windows?

Next up: Vulnerability Management. Use the TVM dashboard to find and fix weaknesses before attackers exploit them.



© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.