MD-102 Study Guide 2026: Complete Endpoint Administrator Exam Prep
Everything you need to pass the MD-102 Microsoft Endpoint Administrator exam — all domains, a study plan, hands-on lab strategy, and what shows up on test day.
Quick Summary
- • MD-102 is an Associate-level exam with 40–60 questions, 120 minutes, 700/1000 passing score
- • Covers 4 domains: deploy Windows, manage identity/compliance, manage/maintain/protect devices, deploy/manage apps
- • Most candidates need 6–10 weeks of preparation (hands-on Intune experience essential)
- • Exam cost: $165 USD
What is the MD-102 Exam?
MD-102 is the Microsoft Endpoint Administrator Associate certification. It validates that you can deploy, configure, and manage devices, apps, and compliance settings for Windows clients in enterprise environments using Microsoft Intune, Microsoft Entra ID, and related tools.
Passing MD-102 earns the Microsoft Certified: Endpoint Administrator Associate credential. It replaced the older MD-100 and MD-101 exams and is entirely focused on modern management (cloud-based Intune) rather than on-premises SCCM/ConfigMgr.
This is a highly practical exam. Candidates who only read documentation without hands-on Intune experience consistently underperform. Getting access to a Microsoft Intune environment (via a developer tenant or work account) is essential.
| Detail | Information |
|---|---|
| Exam Code | MD-102 |
| Credential Earned | Endpoint Administrator Associate |
| Number of Questions | 40–60 questions |
| Time Limit | 120 minutes |
| Passing Score | 700 out of 1000 |
| Exam Price | $165 USD |
| Exam Level | Associate |
| Prerequisites | None (M365 experience recommended) |
MD-102 Exam Domains & Weightings
MD-102 covers four domains. Domain 3 (manage, maintain, and protect devices) is by far the largest and is almost entirely Intune-focused.
Domain 1: Deploy Windows Client
25–30%- • Windows Autopilot — deployment profiles, Autopilot Reset, pre-provisioning (white glove)
- • Enrollment methods — user-driven, self-deploying, bulk enrollment via provisioning packages
- • Microsoft Deployment Toolkit (MDT) and Windows Imaging concepts
- • Upgrade paths — in-place upgrade, fresh installation, migration scenarios
- • Windows 365 Cloud PC provisioning and management
- • Azure Virtual Desktop (AVD) basics from endpoint management perspective
Study tip: Autopilot is the most heavily tested deployment topic. Know all four deployment modes (user-driven AAD join, user-driven hybrid AAD join, self-deploying, pre-provisioning) and when to use each.
Domain 2: Manage Identity and Compliance
15–20%- • Microsoft Entra ID join vs. hybrid Entra ID join vs. Entra ID registered
- • Device compliance policies — compliance settings, grace periods, actions for non-compliance
- • Conditional Access integration — require compliant device, require hybrid join
- • Microsoft Entra ID roles and RBAC for endpoint management
- • Windows Hello for Business — deployment, certificate vs. key trust
- • Local administrator password solution (LAPS) for managed devices
Domain 3: Manage, Maintain, and Protect Devices
40–45%The core of the exam. Almost entirely Microsoft Intune (Endpoint Manager) focused:
- • Configuration profiles — settings catalog, templates, administrative templates (ADMX)
- • Endpoint security policies — antivirus, disk encryption, firewall, EDR, attack surface reduction
- • Microsoft Defender for Endpoint onboarding and configuration via Intune
- • Windows Update for Business — Update rings, feature update policies, driver updates
- • Device inventory and reporting in Intune admin center
- • Remote actions — remote lock, wipe, retire, sync, restart, BitLocker key rotation
- • Troubleshooting enrollment failures and policy conflicts
Study tip: Know the difference between wipe (factory reset) and retire (remove corporate data only). Device wipe questions are common.
Domain 4: Deploy and Manage Apps
10–15%- • App deployment types in Intune — required, available for enrolled devices, available with enrollment
- • Win32 app packaging — IntuneWin format, detection rules, requirement rules
- • Microsoft 365 Apps deployment via Intune — Office Deployment Tool (ODT), update channels
- • App protection policies (MAM) — for enrolled and unenrolled devices
- • Microsoft Store for Business and WinGet integration
- • App inventory and reporting
Ready to test yourself?
Try 40 Free MD-102 Practice Questions
Scenario-based questions with detailed explanations. No credit card required.
Start Free Practice →How Hard is MD-102?
MD-102 is considered a moderately difficult Associate-level exam. The breadth of Intune configuration options combined with scenario questions that require you to choose between similar policy types makes it challenging without hands-on experience. Candidates who work with Intune daily often find it manageable. Those coming from pure on-premises SCCM environments typically need extra study time to adapt to the modern management approach.
Why candidates fail MD-102
- • No hands-on Intune experience: Domain 3 is 40–45% of the exam and requires you to navigate Intune configuration decisions in detail
- • Autopilot mode confusion: The four deployment modes have subtle differences that exam questions exploit
- • Mixing MDM policies with MAM policies: Mobile Device Management vs. Mobile Application Management have different scope and enrollment requirements
- • Wipe vs. retire vs. Autopilot Reset: These three remote actions are frequently tested and easily confused
6-Week MD-102 Study Plan
This plan assumes 1.5–2 hours per day. You need access to Microsoft Intune — use a free Microsoft 365 developer tenant for labs.
Week 1: Windows Deployment
- Days 1–2: Windows Autopilot — all four deployment modes, enrollment status page (ESP)
- Days 3–4: MDT and imaging concepts, in-place upgrade vs. fresh install scenarios
- Days 5–6: Windows 365 and Azure Virtual Desktop basics from management perspective
- Day 7: Lab — configure Autopilot deployment profile in Intune test tenant
Week 2: Identity & Compliance
- Days 1–2: Entra ID join types — AAD join, hybrid AAD join, AAD registered — differences and use cases
- Days 3–4: Device compliance policies — create policies, set compliance settings, configure non-compliance actions
- Days 5–6: Conditional Access + compliance, Windows Hello for Business, LAPS
- Day 7: Lab — create a compliance policy and link it to a Conditional Access policy
Weeks 3–4: Managing & Protecting Devices (Domain 3)
- Days 1–3: Configuration profiles — settings catalog, device restrictions, endpoint protection templates
- Days 4–6: Endpoint security policies — antivirus, firewall, disk encryption (BitLocker), EDR, ASR rules
- Days 7–9: Windows Update for Business — update rings, feature update policies, reporting
- Days 10–14: Remote actions (wipe/retire/sync/restart), Intune reporting, troubleshooting enrollment
Week 5: App Deployment
- Days 1–2: Win32 app packaging — create IntuneWin package, configure detection rules
- Days 3–4: Microsoft 365 Apps deployment via Intune, update channels (Current/Monthly Enterprise/Semi-Annual)
- Days 5–6: App protection policies — MAM with and without enrollment, iOS vs. Android vs. Windows
- Day 7: Lab — deploy a Win32 app and configure an app protection policy
Week 6: Mock Exams & Review
- Days 1–2: Review Domain 3 weak spots — this domain is 40–45% of your score
- Day 3: Full 120-minute timed mock exam
- Days 4–5: Targeted review of any domain below 70%
- Day 6: Second full mock exam — aim for 80%+
- Day 7: Light review only. Book exam if consistently 80%+.
Best MD-102 Study Resources
1. Microsoft Learn MD-102 Learning Path (Free)
The official learning path covers all four domains with interactive sandbox labs. The Intune labs are especially valuable — complete every hands-on exercise, not just the reading. This is the most important free resource for MD-102 candidates.
2. Microsoft 365 Developer Tenant (Free Lab Environment)
The Microsoft 365 Developer Program provides a free 90-day tenant with Microsoft Intune, Entra ID P2, and full Microsoft 365 E5 capabilities. This is the best free lab environment for MD-102 preparation. You can enroll test devices, configure policies, and practice remote actions without affecting production.
3. MSCertQuiz Practice Tests
500 MD-102 practice questions covering all four domains with detailed explanations. Particularly strong coverage of Autopilot scenarios, compliance policy configuration, and app deployment — the areas where most candidates struggle.
Start free MD-102 practice →4. Microsoft Intune Documentation
For complex Intune scenarios (Autopilot modes, update ring interactions, policy conflict resolution), the official Intune documentation is the most authoritative source. The "What is..." and "Configure..." articles for each feature area are written at exam-relevant depth.
MD-102 Exam Day Tips
Do
- • For device removal questions: wipe = full factory reset, retire = remove corp data only, Autopilot Reset = reset while keeping AAD/Intune enrollment
- • For Autopilot mode questions: identify whether it's user-driven or self-deploying, then AAD join vs. hybrid AAD join
- • Read compliance policy questions carefully — "what is the quickest way to block non-compliant devices" usually requires Conditional Access integration
- • Flag long scenario questions and return to them with fresh eyes
Don't
- • Don't confuse MDM enrollment (device management) with MAM without enrollment (app-only protection)
- • Don't assume Configuration Profiles and Endpoint Security policies are interchangeable — they have different scopes
- • Don't ignore Windows Update for Business — update ring configuration questions appear consistently
- • Don't pick SCCM/ConfigMgr answers unless the question explicitly mentions co-management or on-premises infrastructure
Ready to Practice MD-102?
500 scenario-based questions across all 4 domains. Practice mode with explanations + timed exam simulation.
Start Free Practice →Frequently Asked Questions
What replaced MD-100 and MD-101?
MD-102 replaced both MD-100 (Windows Client) and MD-101 (Managing Modern Desktops) in 2023. It consolidates both exams into a single certification focused entirely on modern management via Microsoft Intune, dropping most of the on-premises Group Policy content from the older exams.
Is hands-on experience required for MD-102?
Not officially, but practically yes. Domain 3 is 40–45% of the exam and tests Intune configuration in significant depth. Candidates without hands-on Intune experience — even just in a free developer tenant — consistently struggle with the detail level required to pass. Set up a dev tenant and spend at least 20–30 hours doing lab work.
How does MD-102 relate to MS-102?
MD-102 focuses on endpoint/device management (Windows clients, Intune, Autopilot). MS-102 focuses on Microsoft 365 tenant administration (Exchange Online, Teams, SharePoint, compliance, security). They complement each other — many enterprise IT admins hold both. MD-102 is the device specialist; MS-102 is the cloud services administrator.
What comes after MD-102?
MD-102 is a strong foundation for the Microsoft 365 Enterprise Administrator Expert role. The companion certification is MS-102 (Microsoft 365 Administrator). For security depth, SC-300 (Identity and Access Administrator) builds naturally on the identity concepts in MD-102.