MD-102: Microsoft Endpoint Administrator Study Guide
MD-102: Microsoft Endpoint Administrator validates your ability to deploy Windows clients, manage identity and compliance, protect and maintain devices, and deliver applications using Microsoft Intune and the broader Microsoft 365 stack. It is aimed at endpoint administrators who manage and secure an organization's devices, apps, and identities in a cloud or hybrid Microsoft Entra ID environment. The exam lasts 120 minutes, requires a scaled score of 700 to pass, and spans four objective domains; the practice bank here holds roughly 647 questions.
Domain 1: Deploy Windows Client
- Windows Autopilot requires each device to be registered in the Autopilot service by its hardware hash (a unique device identifier) before the device can be auto-provisioned during OOBE; you can obtain the hash from the OEM/vendor or run Get-WindowsAutopilotInfo (PowerShell) to export it to CSV.
- Autopilot pre-provisioning (white glove) has two phases: a technician phase that applies device-targeted apps and policies, and a user phase; if the technician phase fails, reboot and press the Windows key five times at the OOBE language screen to return to the pre-provisioning/troubleshooting menu.
- Automatic MDM enrollment requires a Microsoft Entra ID Premium P1 or P2 license, and Autopilot deployment requires the device to be registered with its hardware hash.
- The Windows Configuration Designer (WCD) builds provisioning packages that have the .ppkg file extension, used to apply settings to Windows devices without full reimaging.
- Windows subscription activation upgrades Windows 10/11 Pro to Enterprise in-place using a Microsoft 365 E3/E5 license, with no product key and no reimaging required.
- In Intune Windows Update rings, deferral periods delay how long a device waits after release before installing; feature update deferral can be set (e.g., 30 days) separately from quality update deferral (e.g., 7 days).
- Compliance deadline settings for updates combine a deadline (days after which installation is forced) and a grace period (additional days before a forced restart); for example, a deadline of 3 days plus a grace period of 2 days, or a deadline of 5 days plus a grace period of 2 days.
- Delivery Optimization uses peer-to-peer caching so devices on the same subnet/LAN can share downloaded update content, reducing WAN bandwidth; key settings include download mode and maximum background download bandwidth (percentage).
- Feature updates are managed in Intune with a feature update deployment policy (Windows Update for Business) that targets a specific OS version such as Windows 11 and is assigned to a device group.
- Autopilot Hybrid Entra Join requires line-of-sight to an on-premises Active Directory domain controller and the Intune Connector for Active Directory installed on an on-premises server (to create the computer object in AD).
- Autopilot deployment can require the device to be physically connected to Ethernet and to have a TPM 2.0 chip (TPM attestation is mandatory for self-deploying and pre-provisioning modes).
- The Enrollment Status Page (ESP) controls what the user sees and can do during provisioning; based on ESP configuration the user may be allowed to continue anyway or be forced to reset the device on failure.
- Windows Update for Business pulls updates from the Windows Update source (the cloud) rather than from an on-premises WSUS server; the update source setting must be Windows Update, not WSUS, for WUfB policies to work.
- Auto install and restart at a scheduled maintenance time is a Windows Update ring restart behavior that minimizes disruption by deferring required reboots to off-hours.
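Added example, not part of the study guide: collecting the Autopilot hardware hash on a device the same way Get-WindowsAutopilotInfo does (the MDM bridge WMI class MDM_DevDetail_Ext01) and writing the CSV layout the Intune import expects, including the group tag that later drives a dynamic device group. The group tag 'ContosoGroup' and the output path are placeholder values; the script must run elevated on the device itself.

```powershell
# Added example (not from the study guide). Assumes an elevated session on the
# target device. 'ContosoGroup' and $OutFile are placeholder values.
$GroupTag = 'ContosoGroup'                                    # placeholder
$OutFile  = Join-Path $env:SystemDrive 'AutopilotHWID.csv'    # placeholder

# The hardware hash is exposed by the MDM bridge WMI provider (admin only).
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash   = $devDetail.DeviceHardwareData
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# Fail loudly instead of producing a row the Intune import will reject.
if ([string]::IsNullOrWhiteSpace($hash)) {
    throw 'No hardware hash returned; run as administrator on the device itself.'
}

# Column names the Intune import expects; Windows Product ID may be empty.
$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
    'Group Tag'            = $GroupTag
}

# Unquoted CSV, mirroring the output format of the published script.
$row | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutFile

"Wrote hash for serial $serial ($($hash.Length) characters) to $OutFile"

# After import the tag appears in devicePhysicalIds as [OrderID]:ContosoGroup,
# which is what a dynamic device group rule keys on.
# Supported alternative using Microsoft's script (same parameters):
#   Install-Script -Name Get-WindowsAutopilotInfo -Force
#   Get-WindowsAutopilotInfo -OutputFile $OutFile -GroupTag $GroupTag
```

Import the resulting file in the Intune admin center under Devices > Enrollment > Windows Autopilot devices; a blank Hardware Hash column is the usual reason an import is rejected.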
Domain 2: Manage Identity and Compliance
- Microsoft Entra registered devices are best for personal/BYOD scenarios: the device is known to Entra ID (enabling Conditional Access) but is not joined to the directory, giving minimal organizational control.
- Microsoft Entra hybrid joined describes a device joined to on-premises Active Directory and also synced into Entra ID, bridging on-prem Group Policy/Kerberos with cloud Conditional Access and Intune.
- Conditional Access enforces compliance: a policy with the grant control 'Require device to be marked as compliant' checks Intune compliance status before allowing access to Microsoft 365 resources.
- Valid Conditional Access grant controls include require device marked as compliant, require Entra hybrid joined device, require approved client app, and require multifactor authentication.
- An Intune compliance policy grace period defines how many days a device may stay non-compliant before being formally marked non-compliant; the countdown starts when the compliance engine detects the violation (for example 5 days from detection).
- The tenant-wide setting 'Mark devices with no compliance policy assigned as' (Compliant or Not compliant) determines how Intune treats devices that have no compliance policy assigned.
- Enrollment restrictions include device type restrictions (you can block personally owned devices and set a minimum OS version) and device limit restrictions (cap how many devices a user can enroll).
- Device limit restrictions are configured under Intune > Devices > Enrollment restrictions > Device limit restrictions.
- Automatic MDM enrollment with Intune as the MDM authority lets Entra-joined devices enroll into Intune automatically when the MDM scope is configured for the user/group.
- App protection policies (MAM without enrollment) protect corporate data inside managed apps on unenrolled devices, enabling selective wipe of corporate data and requiring a PIN without managing the whole device.
- Conditional Access can require acceptance of a Terms of Use policy, blocking access until the user acknowledges the terms across Microsoft 365 services.
- A common cause of a device appearing non-compliant in Conditional Access is that the compliance status has not yet synced to Entra ID, or the device has not synced with Intune since a setting (such as BitLocker) changed.
- Autopilot devices can be auto-grouped using a dynamic device membership rule like device.devicePhysicalIds -any (_ -contains "[OrderID]:ContosoGroup"), keying off the Autopilot group tag/order ID.
- You can use the filter device.isCompliant equals False to report on or scope policy to non-compliant devices, and configure non-compliance actions such as sending an email notification after a scheduled delay.
Domain 3: Manage, Maintain, and Protect Devices
- Use an endpoint security disk encryption policy to silently enable BitLocker on Microsoft Entra joined Windows devices, with automatic recovery key escrow to Entra ID and no user interaction required.
- To integrate Microsoft Defender for Endpoint with Intune you must enable the connector in both portals: turn on the Microsoft Defender for Endpoint connector in the Intune admin center and enable the Intune connection in the Defender portal (security.microsoft.com).
- Attack Surface Reduction (ASR) rules are configured in Intune endpoint security; common rules include 'Block Office applications from creating child processes' and 'Block executable content from email client and webmail'.
- The Wipe remote action performs a full factory reset, removing all data and apps and returning the device to its out-of-box state; use it for corporate-owned devices needing a complete reset.
- The Retire remote action removes the device from Intune management and deletes corporate apps/data while leaving the user's personal apps and data intact; use it for personal/BYOD devices.
- Device configuration profile types that mirror on-premises Group Policy are the Settings catalog (modern, searchable, thousands of settings) and Administrative templates (ADMX-backed).
- When two profiles set the same setting to different values, the conflict results in the setting not being applied and a conflict status being reported in Intune.
- Platform scripts: upload PowerShell scripts under Devices > Scripts; set 'Run this script using the logged-on credentials' to No to run in the SYSTEM (admin) context rather than as the signed-in user.
- Available security baselines in Intune include the Microsoft Defender for Endpoint security baseline and the Security baseline for Windows 10 and later, providing Microsoft-recommended secure defaults.
- Endpoint security policy categories in Intune include Antivirus, Firewall, and Disk encryption (plus ASR, endpoint detection and response, account protection, and others).
- To allow a blocked application through the firewall, add a firewall rule to the policy that permits traffic for that specific application rather than disabling the firewall.
- Certificate-based authentication in Intune requires a trusted certificate profile (to push the root/intermediate CA) plus a SCEP or PKCS certificate profile to issue the client certificate.
- If BitLocker must run on a device without a compatible TPM, configure the BitLocker policy to allow BitLocker without a compatible TPM, requiring a startup PIN/password or USB startup key.
- Microsoft Defender Antivirus settings managed via Intune include real-time protection monitoring and the cloud-delivered protection level; Windows Hello for Business sign-in is configured under Account Protection (Identity Protection).
Domain 4: Manage Applications
- To deploy a Win32 app (including .exe installers) you must first wrap it with the Microsoft Win32 Content Prep Tool to produce a single .intunewin package containing the app and its metadata.
- Win32 app detection rules verify a successful install; options include a file detection rule (checking for the app's executable) and a registry detection rule (checking for a specific key/value); the most common cause of a 'failed' status on a successfully installed app is a misconfigured detection rule.
- Intune app assignment intents are Required (installs automatically), Available for enrolled devices (shown in Company Portal for optional install), and Uninstall (removes the app from assigned devices).
- Use the built-in 'Microsoft 365 Apps for Windows 10 and later' app type to deploy Office; you can choose the update channel, exclude unwanted apps in the app suite configuration, and manage settings under App suite settings.
- Win32 app dependencies let one app require another: add, for example, .NET Framework 4.8 as a dependency so Intune automatically installs the dependency first, then the main app.
- For Win32 app updates you create a supersedence relationship; the 'Uninstall the previous version' option controls the behavior: set to No (the common default), the new version installs over the existing one and the installer handles the upgrade, while Yes makes Intune uninstall the old version before installing the new one.
- App protection policies (MAM) for iOS/Android can restrict cut/copy/paste between managed and unmanaged apps ('Restrict cut, copy, and paste between other apps' set to 'Policy managed apps'), prevent backups to iCloud/iTunes, require a PIN ('Require PIN for access' = Yes), and allow fingerprint instead of PIN.
- MAM without enrollment delivers app-level protection on unmanaged devices: you can require a PIN to access managed apps and selectively wipe only corporate data.
- An App configuration policy for managed devices pushes configuration values to apps on enrolled devices; for Microsoft 365 Apps, configuration is set under the app suite settings in Intune.
- Android Enterprise apps require connecting Intune to a managed Google Play account, then approving the app in the managed Google Play store within the Intune admin center.
- VPP/volume-purchased app licenses are tracked per app: when a device or user is removed, the license is automatically revoked and returned to the VPP pool for reassignment.
- The macOS line-of-business app type accepts only signed .pkg files; .dmg files are deployed through the separate 'macOS app (DMG)' app type (a DMG containing one or more .app files), not the line-of-business type.
- App version enforcement through Conditional Access/app protection can block a user and prompt them to update when their app version is below the minimum required.
- Microsoft Store app auto-updates can be governed through a device configuration profile that ensures automatic app updates are enabled in the Microsoft Store settings.
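Added example, not part of the study guide: a custom Win32 app detection script of the kind Intune accepts alongside file and registry rules. Intune counts the app as installed only when the script exits 0 and writes something to STDOUT; exit 0 with no output means "not detected", which is why a detection rule that cannot find what it checks for leaves a successfully installed app showing as failed. The app name, minimum version and executable path are placeholders.

```powershell
# Added example (not from the study guide). Placeholder app details below.
$AppName    = 'Contoso Agent'                                    # placeholder
$MinVersion = [version]'4.8.0'                                   # placeholder
$ExePath    = "$env:ProgramFiles\Contoso\Agent\agent.exe"        # placeholder

# Check both Uninstall hives so 32-bit installers on 64-bit Windows are found.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Registry signal: the app's uninstall entry and its DisplayVersion.
$entry = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $AppName } |
    Select-Object -First 1

$installedVersion = $null
if ($entry -and $entry.DisplayVersion) {
    # DisplayVersion is free text; a non-parsable value counts as not detected.
    try { $installedVersion = [version]$entry.DisplayVersion } catch { }
}
$versionOk = ($null -ne $installedVersion) -and ($installedVersion -ge $MinVersion)

# File signal: the main executable must actually be on disk.
$fileOk = Test-Path -Path $ExePath -PathType Leaf

if ($versionOk -and $fileOk) {
    # Detected: non-empty STDOUT plus exit code 0.
    Write-Output "Detected $AppName $installedVersion"
    exit 0
}

# Not detected: exit 0 with NO output so Intune proceeds with the install.
# A non-zero exit code is also treated as not detected.
exit 0
```

Intune runs detection scripts in the SYSTEM context, so test them with psexec or a scheduled task as SYSTEM rather than from an ordinary user session.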
MD-102 exam tips
- Master the join states and what each enables: Entra registered (BYOD, light control), Entra joined (cloud-only corporate), and Entra hybrid joined (on-prem AD + cloud). Many identity and Conditional Access questions hinge on choosing the correct join type and the prerequisites (such as the Intune Connector for AD for hybrid Autopilot).
- Memorize the Wipe vs Retire vs Fresh Start distinction. Wipe = full factory reset of corporate devices; Retire = remove only corporate data on personal devices and keep personal data; this single distinction appears repeatedly.
- Know the Win32 app lifecycle cold: wrap with the Content Prep Tool to make a .intunewin, configure install/uninstall commands, set detection rules (file/registry/MSI), use dependencies and supersedence. A 'failed install' that is actually installed almost always points to a bad detection rule.
- Understand Windows Update for Business in Intune: deferral periods, deadlines, grace periods, restart behavior, feature update policies targeting a specific OS, and Delivery Optimization (download mode and bandwidth %). Watch for the trap that WUfB requires the update source to be Windows Update, not WSUS.
- For Conditional Access and compliance, trace the full chain: compliance policy evaluation, the grace period before a device is marked non-compliant, sync timing to Entra ID, then the CA grant control that blocks or allows access. Sync delays are a frequent 'why is this device non-compliant' answer.
Study guide FAQ
What is the difference between MD-102 and the retired MD-101/MD-100 exams?
MD-102: Microsoft Endpoint Administrator is the current single exam that replaced the older two-exam MD-100 (Windows Client) plus MD-101 (Managing Modern Desktops) path. Passing MD-102 alone earns the Microsoft 365 Certified: Endpoint Administrator Associate certification, with a heavy focus on managing and securing devices through Microsoft Intune.
How is the exam scored and how many questions are there?
MD-102 uses Microsoft's scaled scoring from 1 to 1000, and you need 700 or higher to pass. You typically see around 40 to 60 questions in a 120-minute session (the certification practice bank here holds about 647), including multiple choice, multiple response, drag-and-drop, and case study formats.
Do I need hands-on Intune experience, or is studying theory enough?
Hands-on experience is strongly recommended. Many questions are scenario-based and ask exactly where in the Intune admin center a setting lives or which policy type to use. Use a free Microsoft 365 developer or trial tenant to practice enrollment, compliance policies, configuration profiles, app deployment, and endpoint security so the menu paths and option names become second nature.
Which areas should I prioritize given the domain weightings?
Deploy Windows Client and Manage, Maintain, and Protect Devices are the two largest areas, so prioritize Autopilot, Windows Update for Business, BitLocker/endpoint security, and Defender for Endpoint integration. Do not neglect identity/compliance (Conditional Access, join types, enrollment restrictions) and application management (Win32 packaging, MAM/app protection), as together they make up nearly half the exam.