
MD-102: Microsoft Endpoint Administrator Practice Exam

Validates ability to deploy Windows client, manage identity and compliance, manage and protect devices, and manage applications using Intune.

Practice 604 exam-style MD-102 questions with full answer explanations, then take timed mock exams that score like the real thing.

Practice questions: 604
Questions on the real exam: 50
Passing score: 700
Exam length: 120 min

What the MD-102 exam covers

Free MD-102 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 604.

  1. Question 1: Deploy Windows Client

    Your organization plans to deploy Windows 11 to 500 new devices using Windows Autopilot. You need to ensure that devices are automatically enrolled in Microsoft Intune during the out-of-box experience (OOBE). What must you do first?

    • A. Install the Microsoft Intune Company Portal app on each device
    • B. Create a Group Policy Object (GPO) that enables automatic MDM enrollment
    • C. Register the hardware hashes of the devices in Windows Autopilot (Correct)
    • D. Create a provisioning package using Windows Configuration Designer
    ✓ Correct answer: C

    Windows Autopilot requires devices to be registered by their hardware hashes in the Autopilot service before deployment. The hardware hash is a unique identifier that associates the physical device with your tenant and enables Autopilot to recognize and provision the device automatically during OOBE. Registration with hardware hashes is the foundational step that must be completed before any other Autopilot configuration takes effect.

    Why the other options are wrong
    • A. Install the Microsoft Intune Company Portal app on each device is incorrect because the Company Portal is installed automatically during enrollment as part of the OOBE process, not as a prerequisite.
    • B. Create a Group Policy Object (GPO) that enables automatic MDM enrollment is incorrect because GPOs apply only to on-premises domain-joined devices and are not part of the Autopilot registration process.
    • D. Create a provisioning package using Windows Configuration Designer is incorrect because provisioning packages are optional tools that can supplement Autopilot deployment but are not required for basic hardware registration.
  2. Question 2: Deploy Windows Client

    VanArsdel Ltd. wants to use subscription activation to upgrade Windows 11 Pro devices to Windows 11 Enterprise. Which license is required?

    • A. Windows Server CAL
    • B. Microsoft 365 Business Basic
    • C. Windows 11 Enterprise E3 or E5 subscription (Correct)
    • D. Office 365 E1
    ✓ Correct answer: C

    Subscription Activation enables organizations to upgrade Windows 11 Pro devices to Windows 11 Enterprise by assigning a subscription license to users rather than individual devices. The upgrade is performed automatically when a user with the appropriate Enterprise E3 or E5 subscription signs into the device. This licensing model provides flexibility for organizations transitioning to cloud-based asset management and eliminates the need for traditional volume licensing product keys.

    Why the other options are wrong
    • A. Windows Server CAL is incorrect because it is designed for server environments and does not facilitate desktop operating system upgrades.
    • B. Microsoft 365 Business Basic is incorrect because it does not include Windows 11 Enterprise subscription licensing; it provides email and collaboration services only.
    • D. Office 365 E1 is incorrect because it provides only Microsoft Office applications and does not include any Windows licensing components.
  3. Question 3: Manage Identity and Compliance

    You are configuring Microsoft Entra device settings. You want to limit which users can join devices to Microsoft Entra ID. What should you configure?

    • A. Configure device enrollment restrictions in Intune
    • B. Set 'Users may join devices to Microsoft Entra ID' to Selected and choose specific users or groups (Correct)
    • C. Create a Conditional Access policy blocking device registration
    • D. Disable the Microsoft Intune enrollment cloud app
    ✓ Correct answer: B

    Microsoft Entra device settings provide granular control over which users possess permission to perform device join operations. By configuring the 'Users may join devices to Microsoft Entra ID' setting to Selected rather than All, administrators can restrict device registration to specific user groups or security groups. This approach enables organizations to delegate device join authority only to authorized personnel such as device administrators or IT staff, preventing unauthorized personal device registrations and maintaining device inventory control while still allowing self-service enrollment for designated users.

    Why the other options are wrong
    • A. Configure device enrollment restrictions in Intune is incorrect because Intune enrollment restrictions control which device types and models can enroll, not who has permission to join devices to Entra ID.
    • C. Create a Conditional Access policy blocking device registration is incorrect because Conditional Access policies control access to applications and services, not the fundamental device join process itself.
    • D. Disable the Microsoft Intune enrollment cloud app is incorrect because this would disable Intune enrollment entirely rather than targeting the specific permission to join devices to Entra ID.
  4. Question 4: Manage Identity and Compliance

    You manage a fleet of Windows 11 devices enrolled in Intune. You need to ensure that USB storage devices are blocked on all managed devices. Which Intune configuration profile should you create?

    • A. Device restrictions profile with Removable storage settings (Correct)
    • B. Endpoint protection profile with BitLocker settings
    • C. Windows Update ring with delivery optimization
    • D. Device compliance policy with encryption requirements
    ✓ Correct answer: A

    To block USB storage devices and other removable storage on Windows 11 devices managed by Intune, you create a device restrictions configuration profile and enable the "Removable storage" restriction setting. This setting allows IT administrators to prevent users from accessing external storage devices, USB drives, and SD cards, protecting sensitive corporate data from being copied to unauthorized devices. The device restrictions profile is the appropriate configuration tool for this type of device behavior control.

    Why the other options are wrong
    • B. Endpoint protection profile with BitLocker settings is incorrect because BitLocker settings control encryption of the device's internal storage, not external removable storage access.
    • C. Windows Update ring with delivery optimization is incorrect because Windows Update rings manage operating system updates and download optimization, not removable storage restrictions.
    • D. Device compliance policy with encryption requirements is incorrect because compliance policies evaluate device state against requirements but do not directly restrict USB storage access; restrictions are configured through device configuration profiles.
  5. Question 5: Manage, Maintain, and Protect Devices (Select all that apply)

    Contoso wants to configure endpoint security in Microsoft Intune. Which three of the following endpoint security policy types are available in Intune? (Choose three.)

    • A. Antivirus (Correct)
    • B. Network load balancing
    • C. Firewall (Correct)
    • D. Virtual private network
    • E. Disk encryption (Correct)
    ✓ Correct answer: A, C, E

    Intune endpoint security provides three primary policy types aligned with security foundations: Antivirus policies for malware protection through Windows Defender or third-party solutions, Firewall policies for network perimeter control and inbound/outbound connection management, and Disk encryption policies for protecting data at rest through BitLocker or FileVault. These three categories represent core endpoint security controls that address protection at the software, network, and storage layers respectively, forming a comprehensive defense strategy for managed devices.

    Why the other options are wrong
    • B. Network load balancing is incorrect because load balancing is an infrastructure service, not an endpoint security policy type available in Intune.
    • D. Virtual private network is incorrect because while VPN profiles exist in Intune, they are classified as device configuration features rather than endpoint security policy types in the Endpoint Security node.
  6. Question 6: Manage, Maintain, and Protect Devices (Select all that apply)

    You are configuring Windows Update rings in Intune. Which THREE settings can you configure in an update ring? (Choose three.)

    • A. Quality update deferral period (Correct)
    • B. Windows edition upgrade
    • C. Automatic update behavior (Correct)
    • D. Feature update deferral period (Correct)
    ✓ Correct answer: A, C, D

    Windows Update rings in Intune allow administrators to control when quality updates and feature updates are deployed by specifying deferral periods measured in days, and to configure how automatic updates should behave (such as requiring user interaction or forcing installation). These three settings provide granular control over the Windows Update deployment timeline and installation behavior across managed devices.

    Why the other options are wrong
    • B. Windows edition upgrade is incorrect because update rings manage patches and feature updates but do not control operating system edition upgrades such as upgrading from Home to Pro or Pro to Enterprise.
  7. Question 7: Manage Applications

    Contoso is using Microsoft Intune to manage app configurations for Outlook on Android devices. They need to pre-configure the email server settings so users do not have to enter them manually. Which Intune feature should they use?

    • A. Device configuration profile
    • B. App configuration policy (Correct)
    • C. App protection policy
    • D. Compliance policy
    ✓ Correct answer: B

    App configuration policies in Intune provide managed settings for applications without requiring manual configuration by users. For Outlook on Android, administrators can pre-populate email server settings, authentication credentials (where supported), and other configuration parameters through an app configuration policy. This approach eliminates first-run setup screens and reduces support burden by ensuring all users have correctly configured applications immediately upon deployment.

    Why the other options are wrong
    • A. App configuration policies are distinct from device configuration profiles because they target application-level settings rather than OS-level settings. Device configuration profile is incorrect because device configuration profiles manage OS and hardware settings (Wi-Fi, VPN, certificates) rather than application-specific settings.
    • C. App protection policy is incorrect because app protection policies enforce security controls (PIN requirements, encryption, data loss prevention) rather than configuring application functionality.
    • D. Compliance policy is incorrect because compliance policies report on device states and requirements but do not configure application settings.
  8. Question 8: Manage Applications

    You are troubleshooting a Win32 app installation failure on a Windows 11 device. The app shows a status of 'Failed' in the Intune admin center. Where should you look for detailed installation logs on the device?

    • A. C:\Users\<user>\AppData\Local\Temp
    • B. C:\Windows\SoftwareDistribution\Download
    • C. C:\ProgramData\Microsoft\IntuneManagementExtension\Logs (Correct)
    • D. C:\Windows\System32\winevt\Logs
    ✓ Correct answer: C

    Detailed Win32 application installation logs for Intune-managed deployments are stored in the IntuneManagementExtension logs directory on the device. This directory contains comprehensive installation records, including success and failure details, making it the primary location for troubleshooting application deployment issues. These logs provide step-by-step installation activity and error codes that help administrators identify the root cause of installation failures reported in the Intune admin center.

    Why the other options are wrong
    • A. C:\Users\<user>\AppData\Local\Temp is incorrect because this directory contains general temporary files created by various applications during runtime. While some application logs may be stored here temporarily, it is not the primary location for Intune application installation logs.
    • B. C:\Windows\SoftwareDistribution\Download is incorrect because this directory is used by Windows Update for downloading and storing Windows and driver updates, not for Intune-managed application logs. It is specific to the Windows Update mechanism, not Intune deployments.
    • D. C:\Windows\System32\winevt\Logs is incorrect because this directory contains Windows Event Viewer logs for system events, driver behavior, and security events. Intune-specific application deployment logs are not stored in the Windows Event Viewer directory.
  9. Question 9: Manage Identity and Compliance

    When implementing management practices in the Manage Identity and Compliance domain, which approach is recommended?

    • A. Implement untested solutions found in online forums
    • B. Skip planning and configure based on assumptions
    • C. Follow documented best practices and vendor guidelines (Correct)
    • D. Use default settings without any review or modification
    ✓ Correct answer: C

    When implementing management practices within identity and compliance, following documented best practices and vendor guidelines ensures that identity governance and compliance controls are established according to proven standards. Best practices documentation addresses topics such as Azure AD conditional access design, device compliance baselines, and governance workflows. Adhering to vendor recommendations ensures that your identity and compliance infrastructure aligns with enterprise security standards and remains compatible with Azure AD and Intune updates.

    Why the other options are wrong
    • A. Implement untested solutions found in online forums is incorrect because untested identity solutions carry significant security risks.
    • B. Skip planning and configure based on assumptions is incorrect because assumptions about compliance requirements often result in gaps in policy coverage.
    • D. Use default settings without any review or modification is incorrect because default settings do not meet specific organizational compliance requirements.
  10. Question 10: Manage Identity and Compliance (Select all that apply)

    Datum Corporation needs to implement a solution that involves a specific service and a particular feature. Which two components should the administrator configure? (Choose two.)

    • A. Enrollment restrictions
    • B. Device configuration profiles
    • C. Microsoft Intune enrollment (Correct)
    • D. Compliance policies
    • E. Terms and conditions (Correct)
    ✓ Correct answer: C, E

    This solution pairs the management service with a user-acceptance feature. Microsoft Intune enrollment brings devices under management so policies and apps can be delivered, and terms and conditions present users with the organization's acceptable-use statement that they must accept during onboarding. Together they establish managed devices whose users have acknowledged the required terms. These two components match the service-and-feature pairing the scenario describes.

    Why the other options are wrong
    • A. Enrollment restrictions limit which devices may enroll and are not the management service or the user-acceptance feature this solution combines.
    • B. Device configuration profiles deliver settings to enrolled devices and are not the enrollment service or the terms-acceptance feature called for.
    • D. Compliance policies report device health and are unrelated to presenting terms and conditions during enrollment.

MD-102 practice exam FAQ

How many questions are in the MD-102 practice exam on CertGrid?

CertGrid has 604 practice questions for MD-102: Microsoft Endpoint Administrator, covering 4 exam domains. The real MD-102 exam has about 50 questions.

What is the passing score for MD-102?

The MD-102 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official MD-102 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of MD-102: Microsoft Endpoint Administrator, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice MD-102 for free?

Yes. You can start practicing MD-102: Microsoft Endpoint Administrator for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.