MD-102 Study Guide: Intune, Entra ID, Defender, Android Enrollment, and App Deployment Explained
Can You Register an Android Device by Using Microsoft Entra Connect?
Scenario
You have a Microsoft Entra tenant and purchase a new Android device. You need to register the device in the tenant.
A proposed solution suggests using Microsoft Entra Connect.
Correct Answer
No
Why
Microsoft Entra Connect is used to synchronize identities from on-premises Active Directory to Microsoft Entra ID. It is not a device registration or device enrollment tool.
If the task is to register or enroll an Android device, the correct path is through Microsoft Intune enrollment methods, not Entra Connect.
Exam Tip
Use this shortcut:
- Entra Connect = identity synchronization
- Intune = device enrollment and management
This is a common exam trap because it mixes identity services with device services.
Key Takeaway
Do not choose Entra Connect when the task is about enrolling or registering mobile devices.
Which Role Can Rotate BitLocker Recovery Keys in Intune?
Scenario
You have Microsoft Entra joined devices enrolled in Intune. A new admin account is created, and you need to ensure that the user can rotate BitLocker recovery keys by using Intune.
A proposed solution suggests assigning the Helpdesk Administrator role from Microsoft Entra.
Correct Answer
No
Why
The Helpdesk Administrator role in Microsoft Entra is not the correct role for performing this Intune remote action.
For rotating BitLocker recovery keys in Intune, the required permissions come from Intune RBAC. Roles such as Help Desk Operator or Endpoint Security Manager are appropriate, and a custom Intune role can also be used if the right permissions are assigned.
Exam Trap
This is one of those questions where Microsoft wants you to know which service owns the action.
- If the action happens in Intune, think about Intune RBAC
- Do not assume a similarly named Entra role will work
Key Takeaway
For BitLocker recovery key rotation through Intune, focus on Intune roles, not just Entra admin roles.
Which Tool Compares Devices Against Security Benchmarks?
Scenario
You have Windows 11 devices onboarded to Microsoft Defender for Endpoint. You need to compare their configuration against industry-standard benchmarks.
Correct Answer
Security baselines assessment
Why
The correct feature is security baselines assessment. It is used to assess endpoint configuration against benchmark standards and recommended security baselines.
Why the Other Options Are Wrong
- Attack surface map is about exposure and relationships
- Events are activity records
- Initiatives does not match this endpoint benchmark comparison task
Key Takeaway
If the question asks you to compare device settings against industry benchmarks, think security baselines assessment.
How Do You Track Which Cloud Apps Were Audited?
Scenario
You use Microsoft Defender for Cloud Apps and want to perform a security audit of all the apps detected by Cloud Discovery. You must track which apps were audited, and the list must be visible in the cloud app catalog.
Correct Answer
Apply a custom app tag to each app
Why
A custom app tag is the best way to label apps that have been reviewed or audited. Tags are visible and filterable in the cloud app catalog, which makes them a good fit for this requirement.
Why the Other Options Are Wrong
- Conditional Access App Control is about session monitoring and control
- Critical asset is not the right labeling mechanism for this purpose
- Snapshot report is reporting, not ongoing tracking in the catalog
- App governance is broader and does not directly match the requirement
Exam Tip
When the question includes words like:
- track
- classify
- label
- display in catalog
- filter later
think tags.
Key Takeaway
Use custom app tags when you need a simple, visible way to mark cloud apps for later review.
How Do You Enroll an Android Enterprise Fully Managed Device?
Scenario
You have an Intune enrollment profile for Android Enterprise corporate-owned, fully managed devices and need to enroll a new Android device by using that profile.
Correct Answer
Use a QR code
Why
For corporate-owned, fully managed Android Enterprise devices, enrollment is commonly performed during device setup by using an enrollment token, often delivered through a QR code.
Exam Trap
It is easy to confuse this with Company Portal enrollment.
A simple way to remember it:
- BYOD / work profile often points to Company Portal
- Corporate-owned fully managed often points to QR code during setup
Key Takeaway
For Android Enterprise fully managed corporate-owned devices, QR code enrollment is the best answer.
What Is the Easiest Way to Upgrade Windows Pro to Enterprise?
Scenario
You have Microsoft Entra joined Windows 10 Pro devices. Users are assigned Microsoft 365 E5 licenses. You need to upgrade the devices to Windows Enterprise with minimal administrative effort.
Correct Answer
Subscription Activation
Why
Subscription Activation automatically upgrades supported Windows Pro devices to Enterprise when a properly licensed user signs in.
This method avoids reimaging, installation media, or manual upgrade processes.
Why This Matters
This is one of the most important edition-upgrade concepts for MD-102:
- the device already has Windows Pro
- the user gets the correct license
- Windows steps up to Enterprise automatically
Key Takeaway
If the question says minimal effort and the users already have the right Microsoft 365 licensing, choose Subscription Activation.
How Do You Deploy Microsoft 365 Apps for Enterprise in Intune?
Scenario
You have Windows devices enrolled in Intune and need to deploy Microsoft 365 Apps for enterprise.
Correct Answer
From the Microsoft Intune admin center, add an app
Why
Microsoft 365 Apps for enterprise is deployed in Intune as an app, not as a device profile or an Entra app registration.
Simple Rule
If you are deploying software such as:
- Microsoft 365 Apps
- Win32 apps
- Store apps
- web links
you are usually working in the Apps workload of Intune.
Key Takeaway
Microsoft 365 Apps deployment is an Intune app deployment task.
When Will Intune Retry a Failed Required App Install?
Scenario
A required app is assigned to a device and the installation fails. You are asked when Intune will attempt the installation again.
Correct Answer
The next day
Why
For exam purposes, the expected answer is usually the next day.
Real-World Note
This is one of those exam questions that is simpler than real life. In production, retry behavior can depend on:
- app type
- check-in schedule
- Intune Management Extension behavior
- detection rules
- return codes
- user actions or restarts
So for the test, the answer is straightforward. In real administration, the actual retry pattern can be more nuanced.
Key Takeaway
For exam logic, remember: failed required app install = retry on the next day.
How Do You Prevent Users from Disabling Microsoft Defender for Endpoint?
Scenario
You have Windows 11 devices onboarded to Microsoft Defender for Endpoint. You need to prevent users from disabling Defender protections.
Correct Answer
Enable tamper protection
Why
Tamper protection is specifically designed to prevent important Microsoft Defender security settings from being changed or disabled by users or malware.
Why the Other Options Are Wrong
- ASR policies reduce attack surface, but they are not the main control for preventing users from turning Defender settings off
- Account protection policies focus on identity and credential protections
- Compliance policies report device state, but they do not block setting changes
Key Takeaway
If the exam asks how to stop users from disabling Defender protections, the answer is usually tamper protection.
Quick Answer Review
Here are the correct answers in plain language:
- Do not use Entra Connect to register an Android device
- Do not use Helpdesk Administrator if the task is rotating BitLocker recovery keys in Intune
- Use security baselines assessment to compare devices against industry benchmarks
- Use custom app tags to track audited cloud apps
- Use a QR code to enroll a corporate-owned fully managed Android device
- Use Subscription Activation to upgrade Windows Pro to Enterprise with minimal effort
- Deploy Microsoft 365 Apps for enterprise as an app in Intune
- Expect Intune to retry a failed required app install the next day for exam purposes
- Use tamper protection to prevent users from disabling Defender protections
What You Should Memorize from This Topic Set
Understand identity tools versus device tools
A lot of MD-102 questions become easier when you separate these clearly:
- Entra Connect handles identity sync
- Intune handles device enrollment, app deployment, compliance, and remote actions
Know which portal owns the task
Many exam questions are really asking:
- Is this an Entra task?
- Is this an Intune task?
- Is this a Defender task?
That service ownership often leads you to the correct answer quickly.
Memorize common Android enrollment patterns
Android questions often follow this pattern:
- Personal device / BYOD = Company Portal or work profile
- Corporate-owned fully managed = QR code or token during setup
Learn high-frequency MD-102 topics
These themes come up again and again:
- BitLocker key access and recovery
- Android and Windows enrollment
- Windows edition upgrades
- app deployment in Intune
- Defender security controls
- role-based access in Intune
Final Thoughts
This is a strong study set because it reflects the real blend of technologies endpoint admins deal with every day: Microsoft Entra, Intune, Defender for Endpoint, Defender for Cloud Apps, and Windows licensing.
The biggest lesson is this: do not just memorize answer letters. Learn to identify:
- which service owns the feature
- which portal performs the action
- whether the task is about identity, enrollment, security, or deployment
That approach will help you far more on MD-102 than memorizing raw dump answers.
