MD-102 Study Guide 2026: Complete Endpoint Administrator Exam Prep
Everything you need to pass the MD-102 Microsoft Endpoint Administrator exam — all domains, a study plan, hands-on lab strategy, and what shows up on test day.
Quick Summary
- MD-102 is an Associate-level exam with 40–60 questions, 120 minutes, 700/1000 passing score
- Covers 4 domains: prepare infrastructure for devices, manage and maintain devices, manage applications, protect devices
- Most candidates need 6–10 weeks of preparation (hands-on Intune experience essential)
- Exam cost: $165 USD
What is the MD-102 Exam?
MD-102 is the Microsoft Endpoint Administrator Associate certification. It validates that you can deploy, configure, and manage devices, apps, and compliance settings for Windows clients in enterprise environments using Microsoft Intune, Microsoft Entra ID, and related tools.
Passing MD-102 earns the Microsoft Certified: Endpoint Administrator Associate credential. It replaced the older MD-100 and MD-101 exams and is entirely focused on modern management (cloud-based Intune) rather than on-premises SCCM/ConfigMgr.
This is a highly practical exam. Candidates who only read documentation without hands-on Intune experience consistently underperform. Getting access to a Microsoft Intune environment (via a developer tenant or work account) is essential.
| Detail | Information |
|---|---|
| Exam Code | MD-102 |
| Credential Earned | Endpoint Administrator Associate |
| Number of Questions | 40–60 questions |
| Time Limit | 120 minutes |
| Passing Score | 700 out of 1000 |
| Exam Price | $165 USD |
| Exam Level | Associate |
| Prerequisites | None (M365 experience recommended) |
MD-102 Exam Domains & Weightings
MD-102 covers four domains. Domain 3 (manage, maintain, and protect devices) is by far the largest and is almost entirely Intune-focused.
Domain 1: Prepare Infrastructure for Devices
Weighting: 25–30%
- Add devices to Microsoft Entra ID — choose join type, join/register devices, plan groups
- Enroll devices to Microsoft Intune — enrollment settings, automatic enrollment (Windows), bulk enrollment (iOS/Android)
- Configure enrollment profiles for Android (fully managed, dedicated, corporate owned, work profile)
- Manage roles in Intune
- Implement compliance policies for all supported platforms
- Implement Microsoft Entra Conditional Access policies requiring compliance status
- Configure Windows Hello for Business and Windows LAPS
- Manage membership of local groups on Windows devices via Intune
Study tip: Know the three device states (Entra ID joined, hybrid Entra ID joined, Entra ID registered) and which enrollment scenarios apply to each.
Domain 2: Manage and Maintain Devices
Weighting: 30–35%
The largest domain. Covers deployment, configuration profiles, Intune Suite add-ons, and remote actions:
- Windows Autopilot vs. provisioning packages — choose deployment mode, apply name templates, create Enrollment Status Page (ESP)
- Plan and implement Windows 11 upgrades and Windows 365 Cloud PC deployment
- Device configuration profiles for Windows, Android, iOS/iPadOS, macOS, Windows 11 Enterprise multi-session
- Target profiles using filters
- Intune Suite add-ons — Endpoint Privilege Management, Enterprise App Catalog, Advanced Analytics, Remote Help, Cloud PKI, Microsoft Tunnel for MAM
- Remote actions — sync, restart, retire, wipe (bulk), Defender AV security intelligence update, BitLocker key rotation
- Run device queries using KQL
Study tip: Know all Autopilot deployment modes and when to use each. The Intune Suite add-ons (Endpoint Privilege Management, Remote Help, Cloud PKI) are new exam topics — don't skip them.
Domain 3: Manage Applications
Weighting: 15–20%
- Prepare and deploy apps using Intune
- Deploy Microsoft 365 Apps via Intune, configure Office app policies
- Deploy Microsoft 365 Apps as part of Autopilot using ODT or OCT
- Manage Microsoft 365 Apps via the Microsoft 365 Apps admin center
- Deploy apps from platform-specific app stores
- Plan and implement app protection policies (MAM)
- Implement Conditional Access policies for app protection
- Plan and implement app configuration policies for managed apps and managed devices
Domain 4: Protect Devices
Weighting: 15–20%
- Create antivirus, disk encryption, firewall, and Attack Surface Reduction (ASR) policies
- Plan and implement security baselines
- Integrate Intune with Microsoft Defender for Endpoint and onboard devices
- Plan for device updates and create/manage Windows Update rings
- Create and manage update policies for iOS/iPadOS and macOS
- Manage Android updates via configuration profiles or FOTA deployments
- Configure Windows Delivery Optimization via Intune and monitor updates
Study tip: Know the difference between Update rings (feature and quality updates for Windows) and Expedite policies (emergency security patches). Both appear in exam scenarios.
How Hard is MD-102?
MD-102 is considered a moderately difficult Associate-level exam. The breadth of Intune configuration options combined with scenario questions that require you to choose between similar policy types makes it challenging without hands-on experience. Candidates who work with Intune daily often find it manageable. Those coming from pure on-premises SCCM environments typically need extra study time to adapt to the modern management approach.
Why candidates fail MD-102
- No hands-on Intune experience: Domain 2 (30–35%) and Domain 4 (15–20%) require you to navigate Intune configuration decisions in detail
- Autopilot mode confusion: The deployment modes have subtle differences that exam questions exploit
- Mixing MDM policies with MAM policies: Mobile Device Management vs. Mobile Application Management have different scope and enrollment requirements
- Wipe vs. retire vs. Autopilot Reset: These three remote actions are frequently tested and easily confused
- Unfamiliar with Intune Suite add-ons: Endpoint Privilege Management, Remote Help, and Cloud PKI are now exam topics — don't skip them
6-Week MD-102 Study Plan
This plan assumes 1.5–2 hours per day. You need access to Microsoft Intune — use a free Microsoft 365 developer tenant for labs.
Week 1: Prepare Infrastructure for Devices (Domain 1)
- Days 1–2: Entra ID join types — Entra ID joined, hybrid Entra ID joined, Entra ID registered — differences and enrollment scenarios
- Days 3–4: Intune enrollment settings, automatic enrollment for Windows, bulk enrollment for iOS/Android, Android enrollment profiles
- Days 5–6: Compliance policies for all platforms, Conditional Access integration, Windows Hello for Business, Windows LAPS
- Day 7: Lab — create a compliance policy and link it to a Conditional Access policy in an Intune test tenant
Weeks 2–3: Manage and Maintain Devices (Domain 2)
- Days 1–3: Windows Autopilot — all deployment modes (user-driven, self-deploying, pre-provisioning), Enrollment Status Page (ESP), provisioning packages
- Days 4–5: Windows 11 upgrade paths, Windows 365 Cloud PC deployment
- Days 6–8: Configuration profiles — Windows, Android, iOS/iPadOS, macOS, multi-session; using filters for targeting
- Days 9–10: Intune Suite add-ons — Endpoint Privilege Management, Enterprise App Catalog, Remote Help, Cloud PKI, Microsoft Tunnel for MAM
- Days 11–14: Remote actions (sync, restart, retire, wipe, bulk actions, BitLocker rotation), KQL device queries
Week 4: Manage Applications (Domain 3)
- Days 1–2: Win32 app packaging — IntuneWin format, detection rules; deploying apps via Intune
- Days 3–4: Microsoft 365 Apps deployment via Intune (ODT/OCT), update channels, M365 Apps admin center
- Days 5–6: App protection policies (MAM) with and without enrollment; app configuration policies
- Day 7: Lab — deploy a Win32 app and configure an app protection policy
Week 5: Protect Devices (Domain 4)
- Days 1–2: Endpoint security policies — antivirus, disk encryption (BitLocker), firewall, ASR rules
- Days 3–4: Security baselines, Defender for Endpoint integration and onboarding via Intune
- Days 5–6: Windows Update rings, feature update policies, iOS/macOS update policies, Android FOTA, Delivery Optimization, update monitoring
- Day 7: Lab — configure a security baseline and update rings for Windows devices
Week 6: Mock Exams & Review
- Days 1–2: Review Domain 2 weak spots — Manage and Maintain Devices is 30–35% of your score
- Day 3: Full 120-minute timed mock exam
- Days 4–5: Targeted review of any domain below 70%
- Day 6: Second full mock exam — aim for 80%+
- Day 7: Light review only. Book exam if consistently 80%+.
Best MD-102 Study Resources
1. Microsoft Learn MD-102 Learning Path (Free)
The official learning path covers all four domains with interactive sandbox labs. The Intune labs are especially valuable — complete every hands-on exercise, not just the reading. This is the most important free resource for MD-102 candidates.
2. Microsoft 365 Developer Tenant (Free Lab Environment)
The Microsoft 365 Developer Program provides a free 90-day tenant with Microsoft Intune, Entra ID P2, and full Microsoft 365 E5 capabilities. This is the best free lab environment for MD-102 preparation. You can enroll test devices, configure policies, and practice remote actions without affecting production.
3. MSCertQuiz Practice Tests
500 MD-102 practice questions covering all four domains with detailed explanations. Particularly strong coverage of Autopilot scenarios, compliance policy configuration, and app deployment — the areas where most candidates struggle.
4. Microsoft Intune Documentation
For complex Intune scenarios (Autopilot modes, update ring interactions, policy conflict resolution), the official Intune documentation is the most authoritative source. The "What is..." and "Configure..." articles for each feature area are written at exam-relevant depth.
MD-102 Exam Day Tips
Do
- For device removal questions: wipe = full factory reset, retire = remove corp data only, Autopilot Reset = reset while keeping AAD/Intune enrollment
- For Autopilot mode questions: identify whether it's user-driven or self-deploying, then AAD join vs. hybrid AAD join
- Read compliance policy questions carefully — "what is the quickest way to block non-compliant devices" usually requires Conditional Access integration
- Flag long scenario questions and return to them with fresh eyes
Don't
- Don't confuse MDM enrollment (device management) with MAM without enrollment (app-only protection)
- Don't assume Configuration Profiles and Endpoint Security policies are interchangeable — they have different scopes
- Don't ignore Windows Update for Business — update ring configuration questions appear consistently
- Don't pick SCCM/ConfigMgr answers unless the question explicitly mentions co-management or on-premises infrastructure
Frequently Asked Questions
What replaced MD-100 and MD-101?
MD-102 replaced both MD-100 (Windows Client) and MD-101 (Managing Modern Desktops) in 2023. It consolidates both exams into a single certification focused entirely on modern management via Microsoft Intune, dropping most of the on-premises Group Policy content from the older exams.
Is hands-on experience required for MD-102?
Not officially, but practically yes. Domain 3 is 40–45% of the exam and tests Intune configuration in significant depth. Candidates without hands-on Intune experience — even just in a free developer tenant — consistently struggle with the detail level required to pass. Set up a dev tenant and spend at least 20–30 hours doing lab work.
How does MD-102 relate to MS-102?
MD-102 focuses on endpoint/device management (Windows clients, Intune, Autopilot). MS-102 focuses on Microsoft 365 tenant administration (Exchange Online, Teams, SharePoint, compliance, security). They complement each other — many enterprise IT admins hold both. MD-102 is the device specialist; MS-102 is the cloud services administrator.
What comes after MD-102?
MD-102 is a strong foundation for the Microsoft 365 Enterprise Administrator Expert role. The companion certification is MS-102 (Microsoft 365 Administrator). For security depth, SC-300 (Identity and Access Administrator) builds naturally on the identity concepts in MD-102.