This David Mark Papkin page has course info on Microsoft MD-102 Endpoint Administrator
Microsoft 365 Endpoint Administrator Courseware
Deployment
| Feature / Aspect | Microsoft Deployment Workbench (MDT) | Windows Autopilot |
|---|---|---|
| Deployment Type | Traditional, image-based | Modern, cloud-based |
| Target Environment | On-premises (LAN) | Cloud-native or hybrid |
| Infrastructure Required | Requires servers (WDS, MDT, file shares, possibly AD) | Requires Azure AD + Intune (Microsoft Endpoint Manager) |
| Use Case | Custom imaging, task sequences, heavy customization | Provisioning new devices with minimal IT interaction |
| Network Dependency | Local network-dependent | Internet-capable (anywhere deployment) |
| User Interaction | Typically technician-driven (manual PXE boot or USB) | User-driven, guided out-of-box experience (OOBE) |
| Integration | Works with SCCM/ConfigMgr | Deep integration with Azure AD, Intune, and Microsoft Store |
| Customization Level | High: scripting, app packages, GPOs, driver injection, etc. | Moderate: profiles and policies set via Intune |
| Ideal For | Re-imaging existing hardware, complex deployments | Provisioning new devices from OEMs or zero-touch scenarios |
| Device Ownership | Often corporate-owned and fully managed | Supports corporate-owned, BYOD, and hybrid scenarios |
Intune Policies

1. Configuration Policies
- Used to configure device settings (security, Wi-Fi, VPN, email, compliance baselines, etc.).
- Often include OMA-URI custom settings for advanced or unsupported configurations.
- Goal: ensure devices meet organizational setup requirements.

2. Device Compliance Policies
- Define rules a device must meet to be considered compliant (e.g., PIN required, encryption enabled, OS version).
- Devices that fail compliance can be blocked from accessing company resources.
- Typically paired with Conditional Access.

3. Conditional Access Policies
- Control user and device access to corporate resources (Office 365, company apps, VPN).
- Work with Azure AD and compliance results.
- Example: only allow access if the device is compliant and the user passes MFA.

4. Corporate Device Enrollment Policies
- Define rules for enrolling corporate devices into Intune.
- Help ensure only authorized devices/users can enroll.
- Can enforce automatic enrollment for Azure AD-joined devices.
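The Conditional Access example above (grant access only when the device is compliant AND the user passes MFA), expressed as a Microsoft Graph call from the Microsoft.Graph PowerShell SDK. This is an added example, not code from the original page or from the MD-102 course materials. It assumes the SDK is installed and that the signed-in account is allowed to manage Conditional Access; the policy name is a constructed sample value and the break-glass account id is a placeholder you must replace. The policy is created in report-only state so its effect shows up in sign-in logs without blocking anyone until you switch it on.

```powershell
# Added example: create the "compliant device AND MFA" Conditional Access policy
# via Microsoft Graph. Not part of the original page; names below are sample values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName   = "Require compliant device and MFA for all cloud apps"   # sample name
    # Report-only: the policy is evaluated and logged, but never blocks a sign-in,
    # so you can review "Report-only" results in the sign-in logs before enforcing it.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            # Always exclude at least one emergency-access (break-glass) account so a
            # misconfigured policy cannot lock every administrator out of the tenant.
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder, replace
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND means both controls must be satisfied, matching the page's example.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Invoke-MgGraphRequest serializes the hashtable to JSON for the request body.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy

"Created policy '$($created.displayName)' (id $($created.id)) in state $($created.state)"
```

Once the report-only results look right, change `state` to `enabled` (through the portal or a PATCH on the same policy id). The `compliantDevice` grant control only evaluates to true for devices that Intune reports as compliant, which is why Conditional Access is normally paired with a device compliance policy as the page notes under item 2.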
OMA-URI stands for Open Mobile Alliance Uniform Resource Identifier.
It’s a standardized way to reference and configure device settings through Mobile Device Management (MDM) systems like Microsoft Intune.
How it works:
- Each setting that can be managed on a device (Windows, Android, iOS) has a unique OMA-URI path.
- By specifying the correct OMA-URI, you can push that setting to the device through Intune (or another MDM).
- For example:
  - A Windows 10/11 setting might have an OMA-URI like: ./Device/Vendor/MSFT/Policy/Config/Password/MinimumPasswordLength
  - Assigning a value to this path enforces a minimum password length policy.

Key points:
- Windows: uses OMA-URI values tied to Configuration Service Providers (CSPs) (e.g., Policy CSP).
- Android: uses OMA-URI for Android Enterprise custom profiles to control features.
- Apple (iOS/macOS): uses custom profiles, often generated via Apple Configurator, which can also include OMA-URI-style settings.
In short: OMA-URI is the “address” of a setting that Intune (or another MDM) can configure on managed devices.
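How an OMA-URI value actually reaches a device, shown as a Microsoft Graph call that creates an Intune custom Windows configuration profile from the Microsoft.Graph PowerShell SDK. This is an added example, not code from the original page or the course. It assumes the SDK is installed and the signed-in account holds an Intune role that may create device configurations. The OMA-URI used here is the documented Policy CSP node `./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength` (the page's `Password/MinimumPasswordLength` path is illustrative); the profile names and the 12-character value are constructed sample values.

```powershell
# Added example: push a single OMA-URI setting through Intune via Microsoft Graph.
# Not part of the original page; display names and the value 12 are sample values.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Policy CSP node for the minimum device password length (Windows 10/11).
$omaUri = "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength"

# Sanity check the "address" before sending it: a mistyped OMA-URI is accepted by
# Intune but silently reports an error on every device instead of applying.
if ($omaUri -notmatch '^\./(Device|User)/Vendor/MSFT/[A-Za-z0-9_./-]+$') {
    throw "Refusing to push a malformed OMA-URI: $omaUri"
}

# Note: $profile is a PowerShell automatic variable ($PROFILE), so use another name.
$customProfile = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "Baseline - minimum device password length"          # sample name
    description   = "Enforces a 12-character minimum via the DeviceLock Policy CSP"
    omaSettings   = @(
        @{
            # omaSettingInteger because this CSP node takes an integer; string and
            # boolean settings use omaSettingString / omaSettingBoolean instead.
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "MinDevicePasswordLength"
            omaUri        = $omaUri
            value         = 12
        }
    )
}

# POST creates the profile. It is not assigned to any group yet, so nothing changes
# on devices until you review it (Devices > Configuration) and add an assignment.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
    -Body $customProfile

"Created profile '$($created.displayName)' with id $($created.id)"
```

After assignment, per-device status for the setting appears under the profile's device status report; an "Error" with a remediation-failed code usually means the OMA-URI path or the data type does not match the CSP, which is the first thing to verify against the Policy CSP reference.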
Lab issues

Lab 0501: "Invalid JWT token"

Solution:
- Update PowerShell 7.3 to 7.5.0.
- Import-Module Microsoft.Graph

Lab instructions: https://github.com/MicrosoftLearning/MD-102T00-Microsoft-365-Endpoint-Administrator/tree/master/Instructions/Labs
Lab 0201: Configuring and managing Entra Join
Temporary mobile number for SMS verification. Use at your own risk!!!
https://receive-smss.com/sms/447577225734/
Here is the fix; insert it after Task 1, Step 14.
Reference: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-sms-signin

Task 1
14. On the Device settings page, select Save.
Enable SMS-based authentication for your Microsoft Entra tenant:
- Browse to Protection > Authentication methods > Policies.
- From the list of available authentication methods, select SMS.
- Select Enable, then select Target users and enable SMS-based authentication for All users.
- Select Save.