100+ Hands‑On Intune MD‑102 Labs and Tips for Endpoint Administrators (2025 Guide)

Lab 1 – Create an Intune lab tenant and enroll a Windows 11 VM

Goal: Have a working test tenant with at least one Windows 11 device enrolled.

  1. Get a Microsoft 365 test tenant (if you don’t have one).
    • Go to the Microsoft 365 Developer Program page and create an E5 dev tenant. The free developer sandbox now requires an eligible Visual Studio subscription; if you do not qualify, a Microsoft 365 E5 or Enterprise Mobility + Security trial also includes Intune.
  2. Sign in to the Intune admin center.
    • Browse to https://intune.microsoft.com (the older https://endpoint.microsoft.com address redirects there) and sign in with your new admin account.
  3. Create a Windows 11 VM.
    • On your host, create a Hyper‑V Generation 2 VM (or equivalent) and install Windows 11 Pro/Enterprise.
    • Enable the virtual TPM in the VM settings (Security → Enable Trusted Platform Module). Silent BitLocker encryption in Lab 13 needs a TPM 2.0, and Windows 11 setup checks for one as well.
  4. Enable automatic MDM enrollment.
    • In the Entra admin center, go to Devices → Device settings.
    • Make sure Users may join devices to Microsoft Entra ID is set to All.
    • In Intune, go to Devices → Enrollment → Windows → Automatic Enrollment (Enroll devices in the older UI) and set MDM user scope to All.
    • Make sure the test user has an Intune licence assigned; enrollment fails for unlicensed users.
  5. Enroll the VM into Intune.
    • On the VM, open Settings → Accounts → Access work or school → Connect.
    • Enter the test user UPN (e.g., user@yourtenant.onmicrosoft.com) and sign in.
    • Confirm you see the connection line showing “Connected to <tenant>”.
  6. Confirm the device in Intune.
    • In Intune: Devices → Windows → Windows devices.
    • Verify your VM appears, shows Managed by MDM, and has a recent check‑in time.

Lab 2 – Build a basic Autopilot deployment (user‑driven)

Goal: Capture a device, register it with Autopilot, assign a profile, and run OOBE.

  1. Capture the hardware hash from your VM.
    • On the VM, open PowerShell as admin.
    • Install the Get-WindowsAutopilotInfo script from the PowerShell Gallery and run it to export a CSV containing the serial number and hardware hash (e.g., to C:\hardwareinfo.csv).
    • The hash is derived from the VM’s virtual hardware: if you later delete and recreate the VM, the registration no longer matches and the device boots into plain OOBE.
  2. Import the device into Autopilot.
    • In Intune, go to Devices → Enrollment → Windows → Windows Autopilot → Devices.
    • Click Import and upload hardwareinfo.csv.
    • Wait until the device shows up in the Windows Autopilot devices list (the import can take several minutes; Profile status stays Not assigned until step 5).
  3. Create a device group for Autopilot.
    • In the Entra admin center, go to Groups → New group.
    • Create a Security group (e.g., Autopilot-Win11).
    • Add the imported Autopilot device to this group. In a real tenant you would normally use a dynamic membership rule on the ZTDId device attribute or a group tag instead of adding devices by hand.
  4. Create a Windows Autopilot deployment profile.
    • In Intune: Devices → Enrollment → Windows → Windows Autopilot → Deployment Profiles.
    • Click Create profile → Windows PC.
    • Set Deployment mode to User‑driven, Join to Microsoft Entra ID as = Microsoft Entra joined.
    • Leave other OOBE settings default for now.
  5. Assign the Autopilot profile.
    • On the profile, go to Assignments and add the Autopilot-Win11 group.
    • Save and wait until the device’s Profile status in the Autopilot devices list changes to Assigned.
  6. Reset the VM and test Autopilot.
    • In the VM, do a full reset (or redeploy the image to OOBE).
    • On first boot, confirm you see the Autopilot branded sign‑in experience (your tenant name, not the generic Windows account setup).
    • Sign in with the test user and make sure the device joins the tenant and appears as Autopilot‑managed.
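The hash capture in step 1 is usually shown as a one‑liner, which hides the parts that go wrong in practice (gallery setup, the script not being on PATH, a CSV the importer rejects). The following PowerShell is an added example for this lab, not code from the original guide; it assumes an elevated session on the VM with internet access, and the output path, the group tag "LabVM" and the script location are assumptions you can change.

```powershell
# Added example (not from the original guide): capture the Autopilot hardware
# hash on the VM and sanity-check the CSV before importing it into Intune.
# Assumes an elevated PowerShell session with internet access. The output path,
# the group tag "LabVM" and the script location are assumptions.

$csv      = 'C:\hardwareinfo.csv'
$groupTag = 'LabVM'   # optional; a dynamic group can select devices by tag

# Make the PowerShell Gallery usable in a fresh VM session and fetch the script.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Script -Name Get-WindowsAutopilotInfo -Force

# Call the script by full path: Install-Script adds its folder to PATH, but
# that change is not always visible in the session that installed it.
$script = Join-Path $env:ProgramFiles 'WindowsPowerShell\Scripts\Get-WindowsAutopilotInfo.ps1'
& $script -OutputFile $csv -GroupTag $groupTag
# (-Online instead of -OutputFile uploads straight to the tenant via Graph.)

# Validate the CSV the way the importer will: three mandatory columns and a
# non-empty hash per row. "Group Tag" is present only when one was given.
$rows     = Import-Csv -Path $csv
$columns  = $rows[0].PSObject.Properties.Name
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$missing  = $required | Where-Object { $_ -notin $columns }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }
foreach ($r in $rows) {
    if ([string]::IsNullOrWhiteSpace($r.'Hardware Hash')) {
        throw "Empty hardware hash for serial $($r.'Device Serial Number')"
    }
    '{0}: hash {1} chars, tag "{2}"' -f $r.'Device Serial Number', $r.'Hardware Hash'.Length, $r.'Group Tag'
}

# Later labs (silent BitLocker, pre-provisioning) expect a ready TPM 2.0, so
# check it now rather than after the first failed deployment.
$tpm = Get-Tpm
'TPM present: {0}, ready: {1}' -f $tpm.TpmPresent, $tpm.TpmReady

# Membership rules for an Entra dynamic device group (paste into the group):
#   all Autopilot devices:    (device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))
#   only this group tag:      (device.devicePhysicalIds -any (_ -eq "[OrderID]:LabVM"))
```

If the import is rejected with a generic error, the CSV checks above are the first thing to look at: a blank hash (common when the script is run from a non‑elevated prompt) or a changed column header will fail silently in the portal.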

Lab 3 – Create and assign a Windows 11 configuration profile

Goal: Push a simple but visible policy (e.g., block Control Panel or set a Start menu layout) to the enrolled device.

  1. Create a new configuration profile.
    • In Intune: Devices → Windows → Configuration profiles → Create profile.
    • Platform: Windows 10 and later.
    • Profile type: Settings catalog.
  2. Configure a simple setting.
    • In the profile, click Add settings.
    • Search for Control Panel or Start.
    • Example: under Administrative Templates → Control Panel, enable Prohibit access to Control Panel and PC settings. This is a user‑scoped setting (marked (User) in the catalog), so it applies to whichever enrolled user signs in.
  3. Assign the profile.
    • On the profile, go to Assignments.
    • Add either:
      • The device (direct assignment), or
      • A group that contains your test device or test user.
    • Save the assignment.
  4. Force a sync on the device.
    • On the Windows 11 VM: Settings → Accounts → Access work or school → your connection → Info → Sync.
    • Wait a few minutes.
  5. Verify the setting applied.
    • Try opening Control Panel or Settings on the VM.
    • Confirm you see that access is blocked, matching the policy.
    • In Intune, open the profile → Device and user check‑in status to confirm the policy is Succeeded on that device. A Conflict here means another profile, or a GPO on a hybrid‑joined device, sets the same setting to a different value.
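Steps 4 and 5 can also be driven and checked from the device itself, which is what you end up doing when the portal says Succeeded but the user still sees Control Panel. The script below is an added example, not part of the original guide; it assumes a single MDM enrollment on the VM, that the Lab 3 setting was assigned so that it applies to the signed‑in user, and that you run it elevated in that user’s session. The registry value and event IDs it checks are the ones ADMX‑backed policies and the MDM diagnostics provider write; the log name and IDs are stated from my own experience and are assumptions to verify in your build.

```powershell
# Added example (not from the original guide): trigger an MDM sync from the
# device and verify that the "Prohibit access to Control Panel and PC settings"
# policy from Lab 3 arrived. Run elevated, in the session of the enrolled user.

function Start-MdmSync {
    # Intune enrollment creates a scheduled-task tree under
    # \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ ; PushLaunch is the task
    # that performs an immediate check-in (same effect as the Sync button).
    $tasks = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
             Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }
    if (-not $tasks) { throw 'No PushLaunch task found: is this device MDM-enrolled?' }
    $tasks | Start-ScheduledTask
    $tasks | ForEach-Object { "Sync triggered via $($_.TaskPath)$($_.TaskName)" }
}

function Test-ControlPanelBlocked {
    # ADMX-backed Settings catalog policies land in the classic Policies hive,
    # so the value a GPO would set is the thing to check (assumption: user scope).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoControlPanel -ErrorAction SilentlyContinue).NoControlPanel
    [pscustomobject]@{ Policy = 'NoControlPanel'; Value = $val; Applied = ($val -eq 1) }
}

function Get-RecentMdmPolicyEvents {
    param([int]$Minutes = 15)
    # The MDM diagnostics provider logs each value PolicyManager sets
    # (813 = integer policy, 814 = string policy): this shows *what* arrived.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = 813, 814
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Start-MdmSync
Start-Sleep -Seconds 60           # give the check-in time to complete
Test-ControlPanelBlocked
Get-RecentMdmPolicyEvents | Select-Object -First 10
```

If Applied is false but the portal shows Succeeded, the usual causes are a user‑scoped setting assigned to a device group on a device where a different user is signed in, or Explorer not having restarted since the value was written (sign out and back in).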

Lab 4 – Create a Windows compliance policy and connect it to Conditional Access

Goal: Require BitLocker and mark devices non‑compliant if they are not encrypted, then block access to M365 apps for non‑compliant devices.

  1. Create a Windows compliance policy.
    • In Intune: Devices → Compliance policies → Policies → Create policy.
    • Platform: Windows 10 and later.
    • Name: Win11-BitLocker-Compliance.
  2. Configure compliance settings.
    • Under System Security → Encryption, set Require encryption of data storage on device to Require. This is the quick check; it reads the BitLocker state directly.
    • Under Device Health there is also a Require BitLocker setting. It is evaluated through Device Health Attestation at boot, so a freshly encrypted device stays non‑compliant on that setting until it reboots and sends a new attestation report.
    • Optionally set Firewall and Real‑time protection (under Device Security / Defender) to Require.
  3. Configure actions for non‑compliance.
    • Go to Actions for noncompliance.
    • Mark device as noncompliant is created by default with a schedule of 0 days (immediately); keep that for the lab, or add a short grace period (e.g., 1 day) to see how the grace period appears in the portal.
    • Optionally add Send email to end user.
  4. Assign the compliance policy.
    • Under Assignments, target either:
      • All users with managed Windows devices, or
      • A dedicated test group/user.
    • Save and let the device evaluate the policy. Windows re‑evaluates compliance roughly every 8 hours; a manual sync forces it sooner.
  5. Create a Conditional Access policy to require compliance.
    • In the Entra admin center: Protection → Conditional Access → Policies → New policy.
    • Users: target your test user or group. Exclude at least one break‑glass admin account so a misconfigured policy cannot lock you out of the tenant.
    • Target resources: select Office 365 or specific apps like Exchange Online.
    • Conditions → Device platforms: include Windows.
    • Grant: select Require device to be marked as compliant (and optionally MFA). Start in Report‑only mode, check the sign‑in logs for the expected result, then switch the policy On.
  6. Test the effect.
    • On the test device, ensure BitLocker is off, then do a policy sync.
    • In Intune, confirm the device shows Not compliant due to encryption.
    • Try to open Outlook on the web or SharePoint as the test user in Microsoft Edge (signed in with the work account); you should be blocked by Conditional Access. Use Edge for this test: a browser that does not present the device identity is also blocked, but for a different reason (the sign‑in looks like it comes from an unregistered device), which muddies the result.
    • Then turn BitLocker on, let the device re‑evaluate, and confirm access is restored once compliance is met.

Lab 5 – Package and deploy a simple Win32 app

Goal: Create a Win32 app (.intunewin), deploy it as Required, and verify detection.

  1. Prepare a simple installer.
    • Download a small MSI and save it in C:\IntuneApps\7Zip. The 7‑Zip x64 MSI is a good choice; note that Notepad++ ships only an EXE (NSIS) installer, which would need its /S silent switch instead of msiexec.
  2. Package the app.
    • Download the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) from Microsoft’s GitHub repository.
    • Run it from a console:
      • Source folder: C:\IntuneApps\7Zip
      • Setup file: the MSI file name, e.g. 7zip-x64.msi
      • Output folder: C:\IntuneApps\Output
    • Confirm you get a .intunewin file.
  3. Create the Win32 app in Intune.
    • In Intune: Apps → All apps → Add → Windows app (Win32).
    • Upload the .intunewin file. Because the setup file is an MSI, Intune pre‑fills the install and uninstall commands and reads the MSI product code.
  4. Configure install and detection.
    • Install command: msiexec /i "7zip-x64.msi" /qn.
    • Uninstall command: msiexec /x "{ProductCode}" /qn, using the product code Intune read from the MSI.
    • Install behaviour: System, so a required app installs with no user signed in (for example during ESP).
    • Detection, either:
      • Type: MSI, with the product code (preferred: a leftover file cannot fool it), or
      • Type: File, Path: C:\Program Files\7-Zip, File: 7z.exe, Rule: File or folder exists.
  5. Assign the app as Required.
    • On the app, go to Assignments → Required.
    • Add your test device or a group containing that device.
    • Save.
  6. Force sync and verify the install.
    • On the Windows VM: trigger a device sync.
    • Wait a few minutes, then check:
      • The app appears in Installed apps.
      • The detection file exists (e.g., C:\Program Files\7-Zip\7z.exe).
    • The Intune Management Extension logs every download, install and detection run to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log; search it for the app name or ID when an install does not show up.
    • In Intune, check the app’s Device install status shows Installed for the test device.
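Steps 2 and 4 involve three values you otherwise copy by hand (the packaging command, the MSI product code for the uninstall command and the detection rule). The PowerShell below is an added example for this lab, not code from the original guide or from the Win32 Content Prep Tool; it assumes IntuneWinAppUtil.exe was downloaded to C:\IntuneApps\Tools and that the MSI is C:\IntuneApps\7Zip\7zip-x64.msi, both of which are assumptions (any MSI works). It reads the product code through the Windows Installer COM API without installing anything, runs the packaging tool, and writes a custom detection script as an alternative to the file‑exists rule.

```powershell
# Added example (not from the original guide): package an MSI with the Win32
# Content Prep Tool, read its ProductCode for the uninstall command and the MSI
# detection rule, and generate a custom detection script as an alternative to
# the file-exists rule. Assumptions: IntuneWinAppUtil.exe is in
# C:\IntuneApps\Tools and the MSI is C:\IntuneApps\7Zip\7zip-x64.msi.

$tool   = 'C:\IntuneApps\Tools\IntuneWinAppUtil.exe'
$source = 'C:\IntuneApps\7Zip'
$setup  = '7zip-x64.msi'
$out    = 'C:\IntuneApps\Output'

function Get-MsiProperty {
    param([string]$Path, [string]$Property)
    # Read the MSI Property table through the Windows Installer COM API.
    # Nothing is installed; the database is opened read-only (mode 0).
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $sql  = "SELECT Value FROM Property WHERE Property = '$Property'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $rec) { return $null }
    $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
}

$msi         = Join-Path $source $setup
$productCode = Get-MsiProperty -Path $msi -Property 'ProductCode'
$version     = Get-MsiProperty -Path $msi -Property 'ProductVersion'
"ProductCode: $productCode   ProductVersion: $version"

# Package: -c source folder, -s setup file, -o output folder, -q quiet.
& $tool -c $source -s $setup -o $out -q
Get-ChildItem -Path $out -Filter *.intunewin

# Commands to paste into the app. /norestart stops msiexec from rebooting the
# device mid-ESP; the verbose log makes a failed install debuggable on the device.
"Install:   msiexec /i `"$setup`" /qn /norestart /l*v `"C:\Windows\Temp\$setup.log`""
"Uninstall: msiexec /x `"$productCode`" /qn /norestart"

# Custom detection script: Intune treats the app as installed only when the
# script exits 0 AND writes something to STDOUT. Checking the Uninstall key for
# the product code is harder to fool than a file-exists test.
$template = @'
$code  = '__PRODUCTCODE__'
$paths = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$code",
         "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$code"
if ($paths | Where-Object { Test-Path $_ }) { Write-Output 'Installed'; exit 0 }
exit 1
'@
$detection = $template.Replace('__PRODUCTCODE__', $productCode)
Set-Content -Path (Join-Path $out 'Detect-App.ps1') -Value $detection -Encoding ASCII
```

The product code changes with every major version of an MSI, so when you later update the app the uninstall command and the MSI detection rule both need the new value; that is the reason many teams prefer a detection script that checks the Uninstall key by display name and minimum version instead.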

Lab 6 – Configure a Windows Update ring and test behaviour

Goal: Create a Windows Update ring and apply it to the test device.

  1. Create an update ring.
    • In Intune: Devices → Windows → Update rings for Windows 10 and later → Create profile (in newer portals the same page is under Devices → Manage updates → Windows updates → Update rings).
    • Name it Win11-Test-Ring.
  2. Configure the ring settings.
    • Quality update deferral: e.g., 7 days.
    • Feature update deferral: e.g., 120 days (the maximum is 365).
    • Active hours: e.g., 08:00–17:00.
    • Automatic update behaviour: Auto install and restart at maintenance time. Under Deadline settings give quality updates a short deadline (e.g., 2 days) with a 1‑day grace period, so you can watch the restart countdown appear on the device.
  3. Assign the update ring.
    • Under Assignments, target your test device or group.
    • Save.
  4. Monitor status.
    • Go to the ring → Device status and confirm the device shows Succeeded once the policy applies.
    • On the device, open Settings → Windows Update → Advanced options; you should see “Some settings are managed by your organization” and the deferral‑related options greyed out.

Lab 7 – Try a few basic remote actions

Goal: Use Intune remote actions to manage the device.

  1. Restart the device from Intune.
    • In Intune: Devices → Windows → Windows devices → select your VM.
    • Click Restart and confirm.
    • Watch the VM to confirm it reboots. The action is queued until the device’s next check‑in; Intune sends a push notification that normally triggers that check‑in within a few minutes.
  2. Sync the device.
    • On the same device page, click Sync.
    • Check the Last check‑in time updates shortly after.
  3. Test a “Retire” on a non‑critical/test device (optional).
    • For a spare test device, choose Retire. Retire removes company data, policies and the MDM enrollment but leaves personal data and the OS in place; Wipe is the factory reset.
    • Confirm the device eventually removes corporate data and is removed from (or shows as retired in) Intune.

The next labs cover Autopilot pre‑provisioning and Android/iOS enrollment, which are core MD‑102 skills.

Lab 8 – Autopilot pre‑provisioning (white glove)

Goal: Simulate an IT tech pre‑provisioning a Windows 11 device so the end user gets a faster first sign‑in.

Note: Pre‑provisioning relies on TPM 2.0 device attestation, and Microsoft lists only physical devices as supported. A Hyper‑V VM with a virtual TPM may fail at the attestation step; if it does, use a physical machine for this lab.

  1. Confirm your device is in Autopilot and has a profile.
    • In Intune: Devices → Enrollment → Windows → Windows Autopilot → Devices.
    • Make sure your test device is listed, and a Deployment profile is assigned (user‑driven, Entra join).
  2. Allow pre‑provisioning in the profile.
    • Open the Autopilot profile.
    • Under Out‑of‑box experience (OOBE), set Allow pre‑provisioned deployment to Yes.
    • Save the profile and wait a few minutes for it to apply.
  3. Reset the device back to OOBE.
    • On the VM: Settings → System → Recovery → Reset this PC (or redeploy a fresh image).
    • Choose a full reset so the device boots into OOBE again.
  4. Start Autopilot pre‑provisioning mode.
    • At the first OOBE screen (the region/language page), press the Windows key five times.
    • In the menu that appears, choose Windows Autopilot provisioning and click Continue.
    • The technician page shows the organisation, the Autopilot profile and a QR code; click Provision.
    • Ctrl+Shift+F3 at OOBE is a different thing: it enters Sysprep audit mode, not Autopilot.
  5. Let device ESP run as technician.
    • The device will:
      • Join Entra ID per the profile.
      • Enroll to Intune.
      • Apply device‑targeted policies and apps (but not user‑targeted yet).
    • Wait for the green check on the technician ESP screen (or equivalent “Provisioning completed” message). A red screen means the device phase failed; collect MDM diagnostics before resealing, because the logs are gone after the reset.
  6. Reseal the device.
    • On the pre‑provisioning result screen, choose Reseal. The device shuts down so it can be shipped or handed over in the user‑ready OOBE state.
  7. Complete user sign‑in.
    • Boot the VM and go through OOBE as the end user.
    • Sign in with the test user account.
    • Device should be mostly ready because apps and policies were pre‑applied during pre‑provisioning (only user‑scoped settings need to finish).
  8. Verify in Intune.
    • In Intune: Devices → Windows → Windows devices → select the device.
    • Confirm the enrollment profile shows your Autopilot profile, and apps/configs show as Succeeded for device assignments.

Lab 9 – Enroll an Android work profile device

Goal: Set up Android Enterprise (work profile), enroll an Android device/emulator, and confirm you see both work and personal sides.

  1. Link your tenant to Google for Android Enterprise (if not done).
    • In Intune: Devices → Android → Android enrollment → Managed Google Play.
    • Follow the instructions to Connect to Google Play and sign in with a Google account when prompted. Use an account created for the organisation, not a personal one: the binding is tied to that account and every Android Enterprise enrollment in the tenant depends on it.
    • Approve the connection so Intune can manage Android Enterprise.
  2. Check the enrollment type is allowed.
    • Still under Android enrollment, open Personally‑owned devices with work profile and make sure no enrollment restriction blocks it (it is allowed by default once Managed Google Play is connected). Corporate‑owned work profile needs an enrollment token or zero‑touch and is not used in this lab.
  3. Prepare the Company Portal and enrollment instructions.
    • Decide whether you will:
      • Use a physical Android device, or
      • Use an Android emulator image that includes Google Play (a work profile needs Google Play services).
    • On the Android device, open Google Play and install Microsoft Intune Company Portal.
  4. Start work profile enrollment on the device.
    • Open the Company Portal app.
    • Sign in with the test user (user@yourtenant.onmicrosoft.com).
    • Follow the prompts to Set up work profile (this will create a separate work container on the device).
  5. Approve at least one Android app for the work profile.
    • In Intune: Apps → Android → Add → Managed Google Play app.
    • Search for an app (e.g., Microsoft Outlook), click Approve, then Sync so it appears as an Android app you can assign.
  6. Assign an app to the Android work profile.
    • In Intune: Apps → All apps, pick the approved Android app.
    • Assign it as Required to a user or device group that your enrolled Android device belongs to.
    • Save the assignment.
  7. Verify enrollment and app deploy.
    • On the Android device, open the Work tab of the app drawer; you should see Outlook with the work (briefcase) badge.
    • In Intune: Devices → Android → Android devices.
    • Confirm the device is listed with a Personally‑owned work profile enrollment and shows Compliant if compliance policies exist (with none assigned, the tenant default for devices without a policy applies).

Lab 10 – Enroll an iOS device with Apple device enrollment (Company Portal)

Goal: Enroll an iOS device, push a basic policy or app, and see it in Intune.

(This lab uses simple device enrollment through the Company Portal app, not Apple User Enrollment or Automated Device Enrollment via Apple Business Manager, to keep it easy in a test tenant.)

  1. Set up the Apple MDM push certificate (required before any iOS enrollment).
    • In Intune: Devices → iOS/iPadOS → iOS/iPadOS enrollment → Apple MDM Push certificate.
    • Grant Microsoft permission, download the CSR, then sign in to the Apple Push Certificates Portal (identity.apple.com) with an Apple ID owned by the organisation. Do not use a personal Apple ID: the certificate must be renewed every year with the same Apple ID, and if it lapses or is renewed with a different ID every enrolled device drops out of management.
    • Upload the CSR there, download the .pem certificate, and upload it to Intune together with the Apple ID you used.
    • Without this certificate the enrollment methods on this page stay unavailable and Company Portal shows an error at step 4.
  2. Make sure the user has a license.
    • In the Microsoft 365 admin center, verify your test user has a license that includes Intune (e.g., Microsoft 365 E5 dev).
  3. Install the Company Portal on iOS.
    • On an iPhone or iPad, open the App Store.
    • Search for Intune Company Portal and install it.
  4. Start enrollment on iOS.
    • Open Company Portal.
    • Sign in with the test user.
    • Follow the prompts:
      • Allow device management.
      • Download the management profile.
    • Go to Settings → General → VPN & Device Management (or similar path) and tap the downloaded profile.
    • Tap Install and follow the prompts to complete MDM profile installation.
  5. Confirm the iOS device in Intune.
    • Back in Intune: Devices → iOS/iPadOS → iOS/iPadOS devices.
    • Check that your device appears with Managed by MDM.
  6. Assign a simple configuration or app.
    • For a quick test, create an iOS compliance policy requiring a passcode:
      • Devices → Compliance policies → Policies → Create policy → iOS/iPadOS.
      • Require a password and set minimum length.
      • Assign it to the user or a group.
    • Sync the device in Company Portal and verify it reports Compliant or Not compliant based on your settings.

Lab 11 – Test an Intune app protection (MAM) policy without full device enrollment

Goal: Protect data in Outlook on mobile without enrolling the full device (BYOD scenario), which is a common MD‑102 scenario.

  1. Make sure the user has no device enrollment (optional but cleaner).
    • For this lab, use a separate mobile device or user with no MDM enrollment, just the app.
    • On Android the Company Portal app must be installed (it acts as the broker for app protection), but the device does not need to be enrolled through it. On iOS no broker app is needed for this lab.
  2. Create an app protection policy for iOS or Android.
    • In Intune: Apps → App protection policies → Create policy.
    • Choose Android or iOS/iPadOS.
    • Under Apps, select common Microsoft 365 apps like Outlook and OneDrive. Only apps built with the Intune App SDK (the “policy managed apps”) can honour these settings.
  3. Configure basic data protection settings.
    • Under Data protection:
      • Block org data backups (the setting is named Back up org data to … backup services; wording differs per platform).
      • Set Restrict cut, copy, and paste between other apps to Policy managed apps with paste in.
    • Under Access requirements:
      • Require a PIN for access.
      • Optionally allow biometrics instead of the PIN if available.
  4. Assign the policy to a user group.
    • In Assignments, target your test user group (this is user‑based, not device‑based).
    • Save the policy.
  5. Test on a mobile device.
    • On an iOS or Android device, install Outlook from the store.
    • Sign in with the test user and wait for policy to apply (can take a few minutes; closing and reopening the app usually triggers it).
    • You should be prompted for a PIN. Copying text from Outlook and pasting into an unmanaged app (e.g., the built‑in notes app) should be blocked, while pasting from that app into Outlook still works, which is what “paste in” means.

Lab 12 – End‑to‑end: Autopilot + ESP + compliance + Conditional Access

Goal: Combine several labs into a single scenario similar to an MD‑102 case study.

  1. Start with an Autopilot‑registered device.
    • Use the device from earlier Autopilot labs, with a user‑driven profile and an Enrollment Status Page profile assigned.
  2. Create a compliance policy requiring BitLocker and AV.
    • As in Lab 4, create Win11-Secure-Compliance for Windows, requiring encryption and Defender real‑time protection.
    • Assign it to the user group.
  3. Create a basic Conditional Access policy requiring compliant devices.
    • As in Lab 4, create a CA policy:
      • Users: your test user or group (again excluding a break‑glass account).
      • Target resources: Office 365 (or at least Exchange Online).
      • Grant: Require device to be marked as compliant.
  4. Add a required app to ESP.
    • In Intune: pick a small Win32 or Store app.
    • Under Properties → Assignments, mark it Required for the Autopilot device group so it installs during the device phase.
    • In the ESP profile (Devices → Enrollment → Windows → Enrollment Status Page), set Block device use until required apps are installed and select that app; otherwise ESP does not wait for it.
  5. Reset the device and run Autopilot again.
    • Reset the VM / physical device back to OOBE.
    • Go through Autopilot sign‑in with the test user.
    • Watch ESP:
      • Device preparation completes.
      • Device setup completes (your required app installs here).
      • Account setup completes.
  6. Check compliance and CA behaviour.
    • Once at the desktop, force a sync and let compliance evaluate. A device that has just enrolled is often briefly Not compliant until the first compliance evaluation and the BitLocker attestation report have arrived.
    • In Intune: confirm the device is Compliant under Devices → Windows devices.
    • Sign in to Outlook on the web or Teams; you should be allowed because the device is compliant and the CA requirement is met.
    • If you turn off BitLocker or Defender real‑time protection and wait for a re‑evaluation, the device should move to Not compliant and CA should block access.

The following labs cover the next MD‑102 areas: Endpoint security (BitLocker, Defender, baselines) and Intune Suite (Remote Help, Endpoint Privilege Management).

Lab 13 – Configure BitLocker with Intune and verify encryption

Goal: Use Intune to enforce BitLocker on a Windows 11 device and confirm keys are escrowed.

  1. Open the Disk encryption blade.
    • In Intune: go to Endpoint security → Disk encryption.
  2. Create a BitLocker policy.
    • Click Create Policy.
    • Platform: Windows 10 and later.
    • Profile: BitLocker.
    • Name it Win11-BitLocker-Policy.
  3. Configure OS drive encryption.
    • In the Configuration settings:
      • Require Device Encryption: Enabled.
      • Encryption method for operating system drives: XTS‑AES 256 (XTS‑AES 128 is the Windows default and still acceptable).
      • Require additional authentication at startup: if you enable it, leave the TPM startup option at Allowed or Required and do not require a startup PIN, otherwise encryption cannot start silently.
      • Allow BitLocker without a compatible TPM: keep Disabled. A VM without a TPM cannot be encrypted silently at all (it would need a startup key or password); give the Hyper‑V VM a virtual TPM instead.
      • For silent enablement on an Entra joined device also set Warning for other disk encryption to Block and Allow standard users to enable encryption during Autopilot to Enabled.
  4. Configure recovery key storage.
    • Under Choose how BitLocker‑protected operating system drives can be recovered, allow the 48‑digit recovery password (the baseline default) and set Require device to back up recovery information to Azure AD (labelled Microsoft Entra ID in newer portals) to Enabled, so the key is escrowed before encryption starts.
  5. Assign the policy.
    • In the policy, go to Assignments.
    • Target:
      • Your test Windows 11 device, or
      • A device group containing it.
    • Save the assignment.
  6. Force sync and start encryption.
    • On the Windows 11 test machine:
      • Settings → Accounts → Access work or school → your connection → Info → Sync.
    • Wait a few minutes.
    • If BitLocker does not start automatically, open Control Panel → BitLocker Drive Encryption and confirm the policy is applied (options greyed out). A drive that was already encrypted before the policy arrived is left as it is; the policy does not re‑encrypt it with the new method.
  7. Confirm BitLocker and key escrow.
    • On the device, confirm C: shows BitLocker On.
    • In the Entra admin center, locate the device under Devices → All devices → select device → BitLocker keys and verify you see a recovery key.
    • In Intune the same key is shown under Devices → Windows → select device → Recovery keys. Key retrieval is audited, and in production you would restrict who can read keys through Intune RBAC.
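Step 7 only tells you that a key exists in the portal. The script below is an added example, not part of the original guide, for checking the same thing from the device side: that the TPM is usable, what state the volume is in, which protectors exist, and whether the escrow event was logged, with a manual escrow for the case where the policy arrived after the drive was already encrypted. It assumes an elevated session on an Entra joined device; the event log name and ID 845/846 are the BitLocker management events as I know them and should be treated as assumptions to confirm on your build.

```powershell
# Added example (not part of the original guide): verify on the device that
# BitLocker is on, that a recovery password protector exists, that the key was
# escrowed to Entra ID, and escrow it by hand if not. Run elevated.

function Get-BitLockerLabStatus {
    param([string]$MountPoint = 'C:')

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Only RecoveryPassword protectors are escrowed; a TPM-only volume has none.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # 845 = recovery information backed up to Entra ID, 846 = backup failed.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TpmPresentAndReady  = ($tpm.TpmPresent -and $tpm.TpmReady)
        VolumeStatus        = $vol.VolumeStatus        # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus    = $vol.ProtectionStatus    # On means the protectors are active
        EncryptionMethod    = $vol.EncryptionMethod    # expect XtsAes256 if the policy asked for it
        ProtectorTypes      = ($vol.KeyProtector.KeyProtectorType -join ',')
        RecoveryProtectorId = ($rp.KeyProtectorId -join ',')
        EscrowSucceeded     = @($events | Where-Object Id -eq 845).Count
        EscrowFailed        = @($events | Where-Object Id -eq 846).Count
        LastEscrowEvent     = ($events | Select-Object -First 1).TimeCreated
    }
}

function Invoke-RecoveryKeyEscrow {
    param([string]$MountPoint = 'C:')
    # Manual escrow, the same operation the BitLocker CSP performs. Useful when
    # the drive was encrypted before the Intune policy arrived.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # TPM-only volume: add a recovery password first, then back it up.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

$status = Get-BitLockerLabStatus
$status | Format-List
if ($status.ProtectionStatus -eq 'On' -and $status.EscrowSucceeded -eq 0) {
    'Encrypted but no successful escrow event seen; escrowing now.'
    Invoke-RecoveryKeyEscrow
}
```

A volume that shows FullyEncrypted but ProtectionStatus Off is suspended (for example by a firmware update) and is not protected at rest; `Resume-BitLocker -MountPoint C:` re‑enables the protectors.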

Lab 14 – Deploy a Microsoft Defender security baseline

Goal: Apply an Intune security baseline to a Windows 11 device to harden Defender and core security settings.

  1. Open security baselines.
    • In Intune: go to Endpoint security → Security baselines.
  2. Choose a baseline.
    • Click Security Baseline for Windows 10 and later (or Microsoft Defender for Endpoint Security Baseline; names vary slightly by baseline version, and both are valid for MD‑102), then Create profile.
  3. Create the baseline profile.
    • Name it Win11-Defender-Baseline.
    • Optionally add a description like “Baseline for lab VMs”.
    • Click Next to open configuration.
  4. Review and adjust key settings.
    • Leave most defaults, but spot‑check a few important items that show up in exam scenarios, for example:
      • BitLocker: ensure Deny write access to removable drives not protected by BitLocker is Enabled.
      • Microsoft Defender SmartScreen: ensure it is Enabled, with Warn and prevent bypass where recommended.
      • Defender AV cloud‑delivered protection: On.
    • Don’t over‑tune; keep it mostly default to see baseline behaviour.
  5. Assign the baseline.
    • Under Assignments, target your Win11 test device or a pilot device group.
    • Use a small scope first (just one or two devices) to see impact before wider use; a baseline changes hundreds of settings at once, and removable‑drive blocking in particular surprises users.
  6. Monitor baseline status.
    • After some time, go back to the baseline profile and open Device status.
    • Confirm the test device shows Succeeded, or note any Error / Conflict states; the per‑setting view shows which individual settings failed.
    • A Conflict typically means another policy (another Intune profile, or a GPO on a hybrid‑joined device) sets the same setting to a different value. On hybrid devices the MDM Wins Over GP policy decides which one applies.
  7. Validate on the device.
    • On the Windows device:
      • Check Windows Security → Virus & threat protection for Defender settings.
      • Try plugging in a USB stick; if removable drive protection is enabled, you may see restricted write access.
    • This confirms that the baseline is actually enforcing settings, not just “configured” in the portal.

Lab 15 – Basic Microsoft Defender Antivirus policy via Endpoint security

Goal: Create a dedicated Defender Antivirus policy, assign it, and verify it on the device.

  1. Open the Antivirus policy area.
    • In Intune: Endpoint security → Antivirus.
  2. Create a Defender Antivirus policy.
    • Click Create Policy.
    • Platform: Windows 10 and later.
    • Profile: Microsoft Defender Antivirus.
    • Name: Win11-Defender-AV.
  3. Configure key AV settings.
    • In Configuration settings, set:
      • Allow Real‑time Monitoring: Allowed.
      • Allow Cloud Protection: Allowed (Cloud Block Level: High is a reasonable lab value).
      • Submit Samples Consent: Send safe samples automatically.
      • Schedule Scan Day and Schedule Scan Time: pick a specific day/time (e.g., every day at 02:00; the time is entered as minutes after midnight, so 120).
    • Keep these consistent with the security baseline from Lab 14 if both target the same device; otherwise the setting shows Conflict and neither value is guaranteed.
  4. Assign the AV policy.
    • Under Assignments, choose your target device group or specific device.
    • Save.
  5. Validate the policy on the endpoint.
    • On the Windows 11 device:
      • Open Windows Security → Virus & threat protection → Manage settings.
      • Confirm that Real‑time protection and Cloud‑delivered protection are On and show “This setting is managed by your administrator” (greyed out).
    • In Intune, check the policy’s Device status to ensure the device shows Succeeded.
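The validation steps of Lab 14 (step 7) and Lab 15 (step 5) both come down to reading Defender’s effective configuration on the endpoint, so one script serves both. It is an added example, not part of the original guide; it assumes an elevated session on the test VM, and the registry paths it checks for the baseline settings (SmartScreen, removable‑drive write denial, the PolicyManager Defender node) are the locations these policies write to as far as I know and are labelled as assumptions in the code.

```powershell
# Added example (not from the original guide): confirm from the endpoint that
# the Defender Antivirus policy (Lab 15) and the security baseline (Lab 14) are
# actually enforced, not just "Succeeded" in the portal. Run elevated.

function Get-DefenderLabState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Assumption: values delivered by Intune's Defender CSP land under this
    # PolicyManager node; a value here is what the UI shows as "managed".
    $csp     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'
    $managed = if (Test-Path $csp) { (Get-Item $csp).Property | Sort-Object } else { @() }

    [pscustomobject]@{
        AMServiceEnabled        = $status.AMServiceEnabled
        RealTimeProtection      = $status.RealTimeProtectionEnabled
        SignatureAgeDays        = $status.AntivirusSignatureAge   # >1 on a lab VM is worth a look
        TamperProtection        = $status.IsTamperProtected
        CloudProtection         = $pref.MAPSReporting             # 0 off, 1 basic, 2 advanced
        SampleSubmission        = $pref.SubmitSamplesConsent      # 0 prompt, 1 safe, 2 never, 3 all
        ScheduledScanDay        = $pref.ScanScheduleDay           # 0 daily, 1..7 Sun..Sat, 8 never
        ScheduledScanTime       = $pref.ScanScheduleTime
        ManagedDefenderSettings = ($managed -join ', ')
    }
}

function Get-BaselineSpotChecks {
    # Two baseline items from Lab 14 step 4. Assumption: these are the registry
    # values the corresponding policies set; absent value = not enforced.
    $ss  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $fve = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SmartScreenEnabled        = ($ss.EnableSmartScreen -eq 1)
        SmartScreenLevel          = $ss.ShellSmartScreenLevel          # "Block" = warn and prevent bypass
        DenyWriteToUnencryptedUSB = ($fve.RDVDenyWriteAccess -eq 1)
    }
}

function Test-DefenderLabPolicy {
    # Expected values for the Lab 15 policy; adjust if you configured differently.
    $s = Get-DefenderLabState
    $problems = @()
    if (-not $s.RealTimeProtection) { $problems += 'real-time protection is off' }
    if ($s.CloudProtection -lt 1)   { $problems += 'cloud-delivered protection is off' }
    if ($s.SampleSubmission -eq 2)  { $problems += 'sample submission is set to never' }
    if ($s.ScheduledScanDay -eq 8)  { $problems += 'no scheduled scan' }
    if ($problems.Count -eq 0) { 'Defender policy verified' } else { "Policy gaps: $($problems -join '; ')" }
}

Get-DefenderLabState   | Format-List
Get-BaselineSpotChecks | Format-List
Test-DefenderLabPolicy
```

When tamper protection is on, `Set-MpPreference` from a local admin session is silently ignored for the protected settings; that is expected, and it is also why a lab where you “turn Defender off” to test compliance (Lab 12) has to do it through a policy rather than on the device.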

Lab 16 – Enable and test Intune Remote Help

Goal: Turn on Remote Help, assign permissions, and run a basic support session with a test user.

Note: Requires Intune Suite or the Remote Help add‑on licence in the tenant; a developer E5 tenant does not include it, so start a trial of the add‑on first.

  1. Check licensing and feature availability.
    • In Intune, go to Tenant administration → Intune add‑ons.
    • Confirm Remote Help shows as available or enabled; if not, start a trial of the add‑on.
  2. Enable Remote Help in tenant settings.
    • In Intune: Tenant administration → Remote Help.
    • Turn Enable Remote Help to On.
    • Configure the basic settings (e.g., sessions to unenrolled devices, chat, data collection), leaving defaults for the lab.
  3. Create or assign an RBAC role for helpers.
    • Go to Tenant administration → Roles.
    • Either:
      • Use the built‑in Help Desk Operator role, which already includes the Remote Help permissions, or
      • Create a custom role and grant only the Remote help app permissions (view screen, take full control, elevation) this helper should have.
    • Assign the role to a test admin account and scope it to a group of users or devices; the helper can only connect to devices inside that scope.
  4. Install the Remote Help app on a test device.
    • On the Windows test device, download the Remote Help client from the official Microsoft link (or from the link in the Intune portal under Remote Help). In production you would deploy it through Intune as a Win32 app so every managed device has it.
    • Install the app.
  5. Start a Remote Help session as the helper.
    • On the helper/admin machine, open Remote Help.
    • Sign in with the helper account.
    • Click Start a session to generate a security code.
  6. Connect from the end‑user device.
    • On the end‑user test device, open Remote Help.
    • Choose Get help, enter the security code provided by the helper.
    • Accept the prompt to share the screen or allow control. Both sides see the other party’s name and organisation before the session starts; this is the control against a caller impersonating the help desk, so in real use the user should check it.
  7. Test view vs full control.
    • As helper, first use View only to see the user’s screen.
    • Then request Full control and confirm you can move the mouse and perform actions.
    • If elevation is allowed, test running an elevated app during the session; this works only when the helper’s role includes the elevation permission.
  8. End and review the session.
    • End the session on either side.
    • In Intune, open the Remote Help sessions report under Tenant administration → Remote Help (or under Reports) and confirm the session, helper and device were recorded.

Lab 17 – Get started with Endpoint Privilege Management (EPM)

Goal: Enable EPM and create a simple elevation rule that allows standard users to run a specific app with admin rights.

Note: Requires Endpoint Privilege Management licensing (part of Intune Suite or as a standalone add‑on).

  1. Activate Endpoint Privilege Management.
    • In Intune: Endpoint security → Endpoint Privilege Management.
    • If not yet active, click Activate Endpoint Privilege Management for your tenant now, review details, and confirm.
  2. Ensure your test user/device is licensed.
    • In the Microsoft 365 admin center, confirm the test user has an EPM‑eligible license assigned (Intune Suite or the EPM add‑on).
  3. Create an elevation settings policy (this switches EPM on for the device).
    • In Intune: Endpoint security → Endpoint Privilege Management → Create Policy → Platform: Windows 10 and later, Profile: Elevation settings policy.
    • Set Endpoint Privilege Management to Enabled and Default elevation response to Deny all requests, so anything without an explicit rule stays blocked.
    • Assign it to the device group you will use for the rules. Without this policy the EPM client component is never installed and elevation rules do nothing.
  4. Create an EPM elevation rules policy.
    • In Intune: Endpoint security → Endpoint Privilege Management → Create Policy → Profile: Elevation rules policy.
    • Name it Win11-EPM-Notepad-Elevate.
  5. Define an elevation rule for a test app.
    • In the policy, add an elevation rule:
      • Target file: a simple executable that normally requires admin rights (for the lab, a harmless EXE you place under C:\Program Files\ is fine).
      • Matching criteria:
        • File path, or
        • File hash (SHA‑256) for exact matching; add the signer certificate or a minimum version when the file updates often, because a hash rule silently stops matching after the next version.
      • Elevation behavior:
        • For the lab, select User confirmed (the user has to approve elevation) so you can see the prompt. Automatic elevation is the riskiest option and belongs only on rules matched by hash or certificate, never by path alone, since a path rule elevates whatever is copied to that path.
  6. Assign the EPM policy.
    • Under Assignments, target either:
      • A user group, or
      • A device group.
    • Save the policy.
  7. Test EPM behaviour on the client.
    • On the Windows test device (signed in as a standard user with no local admin rights):
      • Wait for policy sync, or manually sync via Access work or school → Info → Sync.
      • Right‑click the target application and choose Run with elevated access (EPM adds this menu entry; a plain double‑click runs the file unelevated).
    • You should see an elevation prompt coming from EPM, not a standard UAC prompt asking for admin credentials.
  8. Observe precedence (optional).
    • If you configure conflicting rules (e.g., one rule Allow, one Deny for the same app), note:
      • Deny rules take precedence.
      • User‑based rules take precedence over device‑based rules.
      • Rules with hash and more attributes take precedence over broader ones.
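Step 5 asks for a file hash, signer and version to fill into the rule, and step 7 only proves something if the test account really is a standard user. The PowerShell below is an added example for this lab, not code from the original guide or from Intune; it assumes the target executable is at C:\Program Files\LabTools\lab-elevate.exe, which is a placeholder for whatever EXE you chose.

```powershell
# Added example (not part of the original guide): collect the attributes an EPM
# elevation rule can match on (SHA-256 hash, signer, version, product/internal
# name) for the target executable, and check that the test account is a
# standard user. The path is an assumption; point it at the EXE from step 5.

function Get-EpmRuleAttributes {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $vi   = $item.VersionInfo
    [pscustomobject]@{
        FileName        = $item.Name
        Sha256          = $hash                           # "File hash" attribute of the rule
        SignatureStatus = $sig.Status                     # Valid means certificate-based matching is possible
        Signer          = $sig.SignerCertificate.Subject  # what a certificate match compares against
        FileVersion     = $vi.FileVersion                 # "Minimum version" attribute
        ProductName     = $vi.ProductName
        InternalName    = $vi.InternalName
        FileDescription = $vi.FileDescription
    }
}

function Test-IsStandardUser {
    # EPM only changes anything for a non-admin; if this returns $false the
    # ordinary UAC consent prompt appears and the lab proves nothing.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    -not ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-EpmRuleDrift {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ExpectedSha256)
    # Re-run after the app updates: a hash rule stops matching the moment the
    # binary changes, which is the failure mode step 5 warns about.
    $now = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{ Path = $Path; Matches = ($now -eq $ExpectedSha256.ToUpper()); CurrentHash = $now }
}

$target = 'C:\Program Files\LabTools\lab-elevate.exe'   # assumption
$attrs  = Get-EpmRuleAttributes -Path $target
$attrs | Format-List
"Running as standard user: $(Test-IsStandardUser)"
Test-EpmRuleDrift -Path $target -ExpectedSha256 $attrs.Sha256
```

If SignatureStatus is NotSigned, a certificate match is not available for that file and you are limited to hash or path; for a lab binary that is fine, but it is worth noticing before you write an Automatic rule for something similar in production.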

The remaining labs cover Endpoint analytics, device queries, and Conditional Access with compliance, in the same step‑by‑step style.

Lab 18 – Enable Endpoint Analytics and onboard devices

Goal: Turn on Endpoint analytics in Intune and confirm your Windows 11 test device sends data.

  1. Open Endpoint analytics.
    • In the Intune admin center, go to Reports → Endpoint analytics.
  2. Enable data collection (if not already on).
    • On first use, click Start to enable Endpoint analytics for the tenant. This creates an Intune data collection policy and, by default, assigns it to all devices.
    • In Endpoint analytics → Settings, confirm the Intune data collection policy is enabled and decide whether to keep the All devices assignment or scope it to a lab group.
  3. Create the data collection profile by hand (only if it was not created for you).
    • Go to Devices → Configuration → Create → New policy.
    • Platform: Windows 10 and later; Profile type: Templates → Windows health monitoring.
    • Name: EA-Data-Collection.
  4. Configure and assign the policy.
    • Set Health monitoring to Enable and Scope to Endpoint analytics.
    • Under Assignments, target a device group that includes your Windows 11 lab device (e.g., All-Windows-Test).
    • Save the profile.
  5. Verify the device is eligible.
    • Ensure the device:
      • Is Intune‑enrolled (or co‑managed with the Endpoint analytics workload moved to Intune).
      • Runs a supported Windows 10/11 edition (Enterprise, Pro, Education or Pro Education) under a licence that includes Endpoint analytics.
      • Can reach the Endpoint analytics data endpoints listed in the Intune network requirements; the Windows health monitoring profile sets the required diagnostic data level for you.
  6. Wait for analytics data to appear.
    • Data is not instant; initial data can take up to 24 hours, and startup performance needs at least one reboot after the policy arrived so that a boot is measured.
    • After some time, go back to Reports → Endpoint analytics → Startup performance.
    • Confirm your test device shows up with boot time and other metrics.

Lab 19 – Explore Endpoint analytics reports and health scores

Goal: Use Endpoint analytics to identify a performance issue and link it to potential remediation.

  1. Open the Startup performance report.
    • In Endpoint analytics, choose Startup performance from the left menu.
  2. Review the overall score and distribution.
    • Look at:
      • Overall Startup score (0–100).
      • Breakdown of devices by “Good,” “Fair,” “Poor” (or similar labels).
    • Identify where your test device sits in the distribution.
  3. Drill into device details.
    • Click on your test device from the list.
    • Note:
      • Average startup time.
      • Startup processes count.
      • Any highlighted causes (e.g., many startup apps).
  4. Identify a simple optimisation.
    • Based on the details:
      • If the number of startup apps is high, plan to disable some via policy or script.
      • If the device is older hardware, a hardware refresh would be the real‑world plan.
    • For the lab, pick something you can control: for example, reducing startup apps.
  5. Apply a basic remediation (optional).
    • Use a simple PowerShell remediation script in Intune to disable non‑essential startup entries or to enable Storage Sense:
      • Devices → Remediations (if available) or Scripts → Add.
      • Deploy to the same test device group.
    • After it runs, wait for another analytics cycle and check whether the device’s startup metric improves.
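As an added example for step 5 (not a script from the original guide), the pair below shows the Intune Remediations detection/remediation pattern applied to the Storage Sense option the step mentions. It follows the Intune convention that a detection script exits 0 when the device is compliant and 1 when remediation should run, and it writes the `AllowStorageSenseGlobal` DWORD under the Storage Sense policy registry key; confirm that key against the Storage Sense policy setting in your own tenant before deploying, and save each half as its own .ps1 file (Detect-StorageSense.ps1 and Remediate-StorageSense.ps1) when uploading them as one remediation.

```powershell
# Added example (not from the original guide): Intune Remediation script pair for Lab 19, step 5.
# Upload the two halves as one remediation under Devices > Remediations, running as SYSTEM in 64-bit PowerShell.
# Intune convention: detection exit 0 = compliant (nothing to do), exit 1 = non-compliant (remediation runs).

# ---------- Detect-StorageSense.ps1 ----------
# Policy location for the "Allow Storage Sense" setting (assumed here; verify in your tenant).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\StorageSense'
$ValueName = 'AllowStorageSenseGlobal'

try {
    # Read the current policy value; a missing key or value means the policy has never been applied.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction Stop).$ValueName
} catch {
    $current = $null
}

if ($current -eq 1) {
    Write-Output "Compliant: $ValueName is 1"          # shown as pre-remediation output in the portal
    exit 0
} else {
    Write-Output "Non-compliant: $ValueName is '$current' (expected 1)"
    exit 1
}

# ---------- Remediate-StorageSense.ps1 ----------
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\StorageSense'
$ValueName = 'AllowStorageSenseGlobal'

try {
    # Create the policy key if it does not exist yet, then enforce the DWORD value.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord -ErrorAction Stop

    # Re-read to prove the change took effect before reporting success to Intune.
    $after = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction Stop).$ValueName
    if ($after -ne 1) {
        throw "Value still reads '$after' after write"
    }
    Write-Output "Remediated: $ValueName set to 1"
    exit 0
} catch {
    # Any non-zero exit is reported as a remediation failure in the portal.
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

The detection script deliberately does not change anything, so it is safe to run on every schedule; the remediation script re-reads the value after writing it so that a failed write is surfaced as a failure in the Remediations report rather than silently counted as fixed. Startup-app entries can be handled with the same pattern by checking and removing the relevant Run-key values instead of the Storage Sense value.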

Lab 20 – Use Device Query (Advanced Endpoint Analytics) for real‑time troubleshooting

Goal: Run a real‑time query against a single device to check app versions or configuration.

Note: Device query is part of Advanced Endpoint Analytics / Intune Suite in many tenants.

  1. Confirm Device Query availability.
    • In Intune, go to Devices → Windows → Windows devices.
    • Select your test Windows 11 device.
    • Look in the left pane under Monitor (or similar) for Device query.
  2. Open the Device Query blade.
    • Click Device query for that device.
    • You should see a panel with a KQL query editor and a results area.
  3. Run a basic query to list installed apps.
    • In the query box, paste a simple KQL query, for example:
      • InstalledApps
    • Click Run.
    • Wait for the results; confirm you see a list of installed apps, including name and version.
  4. Filter to a specific app.
    • Adjust the query to something like:
      • InstalledApps | where Name contains "Notepad"
    • Run it again and confirm the result shows your target app and version.
    • This is useful for quickly confirming whether a Win32 app deployment succeeded and which version is present.
  5. Try a configuration‑related query.
    • Example for services:
      • Services | where StartType == "Auto"
    • Run it and see which services are configured to start automatically.
    • This supports troubleshooting scenarios such as “Is the AV or update service running?”
  6. Consider support scenarios.
    • Think about classic helpdesk tasks:
      • Check whether a specific service is running.
      • Confirm a registry value is set.
      • Validate disk free space.
    • Many of these can be done via Device Query instead of a full remote session, which is exactly how Intune’s advanced analytics story is evolving.

Lab 21 – Advanced Conditional Access with compliance and app protection

Goal: Require both device compliance and an app protection policy for mobile access to Exchange Online.

  1. Confirm you have:
    • A working compliance policy for the device platform (e.g., Windows or mobile) from previous labs.
    • An app protection policy (MAM) targeting Outlook for the mobile platform (from the earlier MAM lab).
    • Appropriate Entra ID P1/P2 licensing for Conditional Access.
  2. Create a new Conditional Access policy.
    • Go to the Entra admin center: Security → Conditional Access → Policies → New policy.
    • Name it CA-Require-Compliant-And-MAM.
    • Assign it to:
      • Users: a test user or test group.
      • Cloud apps: Exchange Online (or Office 365 as a whole).
  3. Set conditions.
    • Under Conditions → Device platforms, include iOS and Android (for the mobile scenario).
    • Under Client apps, you can restrict to Mobile apps and desktop clients.
  4. Configure access controls (Grant).
    • In Access controls → Grant, select:
      • Require device to be marked as compliant.
      • Require app protection policy (if available at your licensing level).
    • Set it to Grant access and choose Require all the selected controls.
    • Enable the policy (for a lab, you can start in Report‑only mode first).
  5. Test with a non‑compliant or unmanaged device.
    • On a mobile device without enrollment or compliance:
      • Install Outlook and sign in with the test user.
    • Attempt to access the mailbox.
    • You should be blocked or prompted because the device is not compliant and/or is not using the protected app path.
  6. Test with a compliant device and MAM policy.
    • Make sure:
      • The device is enrolled and Compliant in Intune, or
      • For MAM‑only scenarios, that the app protection policy is applied to Outlook.
    • Retry logging into Outlook on the mobile device; the app should work while obeying your app protection restrictions (PIN, restricted copy/paste).
  7. Review sign‑in logs.
    • In Entra: Security → Sign‑in logs.
    • Filter by the test user and look at recent sign‑ins.
    • Check the Conditional Access tab for each sign‑in to see whether your policy was evaluated and whether it blocked or granted access.

Lab 22 – Use Intune reports to troubleshoot policy and app deployment

Goal: Practice finding where to look when a device or app is not in the expected state.

  1. Use the All devices operational report.
    • In Intune: Reports → Devices → All devices (or similar).
    • Filter down to your Windows 11 test device.
    • Check:
  2. Check device assignment status for a configuration profile.
    • Go to Devices → Configuration profiles.
    • Pick one of your test profiles (e.g., the Control Panel restriction).
    • Open Device assignment status.
    • Confirm the target device shows:
      • Success if applied.
      • Error or Conflict if something went wrong.
  3. Check app deployment status.
    • Go to Apps → All apps and pick your Win32 app.
    • Open Device install status.
    • Look at:
      • Install status (Installed, Failed, Not applicable).
      • Error codes for any failures (such as 0x643 / 1603).
    • Use this to decide whether the problem is scope (not targeted) or install/detection errors.
  4. Use the device‑centric report.
    • In Intune: Devices → Windows → select the device → Overview.
    • Check:
      • Device configuration status.
      • Compliance status.
      • User experience (if Endpoint analytics is active).
    • This mirrors what you’d do as a support engineer when a user says “something’s not working.”
  5. Link back to Endpoint analytics where relevant.
    • If a device seems slow or unstable, go to Reports → Endpoint analytics → Startup performance and cross‑check the same device.
    • Now you have both “policy/app status” and “experience/health data” for the same endpoint.
