MD-102 Study Guide

Microsoft 365 Endpoint Administrator


Exam Quick Facts

Detail | Value
Exam Code | MD-102
Title | Microsoft 365 Endpoint Administrator
Level | Associate
Pass Score | 700 / 1000
Duration | 100 minutes
Questions | ~40–60 (multiple choice, case studies, labs)
Cost | $165 USD (varies by region)
Scheduling | Pearson VUE
Skills Updated | April 28, 2026

Official Learning Paths

  1. 📘 Deploy Windows clients — Entra join, Intune enrollment, Autopilot
  2. 📘 Manage, maintain, and protect devices — Configuration profiles, updates, security baselines
  3. 📘 Manage apps — App deployment, protection policies, Microsoft 365 Apps
  4. 📘 Plan and implement endpoint security — Defender for Endpoint, antivirus, encryption, firewall

📖 Study Resources

Resource | Link
📝 Official Exam Page | Microsoft Learn — MD-102
📖 Official Study Guide | Microsoft Study Guide
🎯 Free Practice Assessment | Start Practice Assessment
🖥️ Exam Sandbox | Try the exam interface
🎬 Exam Readiness Zone | Video prep series
📄 Intune Documentation | Microsoft Intune docs

Skills at a Glance

Skill Area | Weight
Prepare infrastructure for devices | 25–30%
Manage and maintain devices | 30–35%
Manage applications | 15–20%
Protect devices | 15–20%

Who is this exam for?

The MD-102 is for endpoint administrators — the people who manage devices (Windows, iOS, Android, macOS) at scale using Microsoft Intune. If you deploy laptops with Autopilot, push apps through Intune, configure compliance policies, and manage Windows updates, this exam covers your daily work.

You should have experience with Intune, Microsoft Entra ID, Windows Autopilot, Defender for Endpoint, and Windows 365. This is a hands-on, practical exam — expect scenario-based questions about device enrollment, configuration profiles, and compliance policies.

This exam was updated on April 28, 2026 and now includes Intune Suite add-ons (Endpoint Privilege Management, Remote Help, Cloud PKI, Advanced Analytics), Windows 365 Cloud PC deployment, and Security Copilot integration. It also counts toward the Microsoft 365 Certified: Administrator Expert certification.


Prepare infrastructure for devices (25–30%)

This domain covers getting devices into your management environment — joining them to Entra ID, enrolling them in Intune, and setting up compliance and identity requirements. You need to know the difference between Entra join, hybrid join, and registration, and how enrollment works across platforms.

Add devices to Microsoft Entra ID

Devices can connect to Entra ID in three ways: Entra join (cloud-only), Entra hybrid join (synced with on-premises AD), and Entra registration (BYOD). Each has different capabilities and use cases. You also need to know how to plan device groups for targeting policies.

Enroll devices to Microsoft Intune

Enrollment brings devices under Intune management. Automatic enrollment works for Windows devices joined to Entra ID. iOS, Android, and macOS devices have their own enrollment methods. You need to know how to configure enrollment profiles for different Android deployment scenarios (fully managed, dedicated, work profile).

Implement identity and compliance

Compliance policies define the minimum requirements for a device to be considered “healthy” (e.g., must have a PIN, must be encrypted, must not be jailbroken). Conditional Access policies can then block non-compliant devices from accessing corporate resources. This section also covers LAPS and managing local admin groups.
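
The pairing described above (Intune marks a device compliant, Conditional Access enforces it) can be expressed through Microsoft Graph PowerShell. This is an added example, not part of the study guide: it assumes the Microsoft.Graph SDK is installed, and the policy name and the excluded emergency-access group ID are constructed placeholders. The policy is created in report-only mode so its effect can be reviewed in sign-in logs before it blocks anyone.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK and an account
# permitted to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of an emergency-access ("break glass") group that
# must never be locked out by a device requirement. Replace before use.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    # Constructed name for this example.
    displayName   = 'EXAMPLE - Require compliant device (report-only)'

    # Report-only: evaluated and logged on every sign-in, but not enforced.
    # Change to 'enabled' only after reviewing the report-only results.
    state         = 'enabledForReportingButNotEnforced'

    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }

    # The grant control that ties Conditional Access to Intune compliance:
    # access is granted only if Intune reports the device as compliant.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Audit step: list every policy in the tenant that depends on device
# compliance, with its state, to spot ones left in report-only or disabled.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'compliantDevice' } |
    Select-Object DisplayName, State, Id
```

A device with no compliance policy assigned is evaluated according to the tenant-wide Intune compliance setting for such devices, so check that setting before relying on this grant control.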


Manage and maintain devices (30–35%)

This is the largest domain. It covers deploying Windows using Autopilot and provisioning packages, creating configuration profiles for all platforms, using Intune Suite add-ons, performing remote actions, and deploying Windows 365 Cloud PCs. Expect heavy hands-on content here.

Deploy and upgrade Windows clients by using cloud-based tools

Windows Autopilot enables zero-touch deployment — a new device boots up, connects to the internet, and automatically configures itself with apps, settings, and policies. You need to know the different Autopilot deployment modes (user-driven, self-deploying, pre-provisioned) and how to create an Enrollment Status Page.

Plan and implement device configuration profiles

Configuration profiles are how you push settings to devices — Wi-Fi, VPN, email, certificates, restrictions, and more. Intune supports profiles for Windows, Android, iOS/iPadOS, macOS, and Windows 11 Enterprise multi-session (for AVD). Filters let you target profiles to specific subsets of devices.

Implement Intune Suite add-on capabilities

The Intune Suite adds premium features beyond the base Intune licence. Endpoint Privilege Management lets standard users elevate specific apps without giving them full admin access. Remote Help provides helpdesk-style screen sharing. Cloud PKI issues certificates without on-premises infrastructure.

Perform remote actions on devices

Remote actions let you manage devices without physical access — sync policies, restart, retire (remove corporate data), or full wipe (factory reset). Bulk actions let you do this across hundreds of devices. Device query using KQL lets you run real-time queries against device inventory.


Manage applications (15–20%)

This domain covers deploying apps to managed devices (Win32 apps, MSI, Microsoft 365 Apps, store apps) and protecting corporate data within apps using app protection policies. App protection is especially important for BYOD scenarios where you don’t manage the device itself.

Deploy and update apps

Plan and implement app protection and app configuration policies

App protection policies (APP, formerly MAM) protect corporate data within apps — even on unmanaged devices. For example, you can prevent users from copying data from Outlook to a personal app, or require a PIN to open a managed app. App configuration policies push settings to apps (like pre-configuring an email account).


Protect devices (15–20%)

This domain covers endpoint security — antivirus, disk encryption, firewalls, attack surface reduction, security baselines, and Defender for Endpoint integration. It also covers managing Windows updates through Intune (update rings, feature updates, driver updates) and handling updates for iOS, Android, and macOS.

Configure endpoint security

Security baselines are pre-configured sets of Windows settings recommended by Microsoft’s security team. Applying them gives you a solid security foundation without configuring dozens of individual settings. You also need to know how to create custom antivirus, encryption, and firewall policies.

Manage device updates by using Intune

Windows update management in Intune uses update rings (control quality and feature update timing), update policies (target specific feature updates), and Delivery Optimization (peer-to-peer download to reduce bandwidth). For iOS, macOS, and Android, updates are managed differently, through configuration profiles or firmware-over-the-air (FOTA) deployments.


Skills Measured

Prepare infrastructure for devices (25–30%)

Add devices to Microsoft Entra ID

  • Choose an appropriate device join type
  • Join devices to Microsoft Entra ID
  • Register devices to Microsoft Entra ID
  • Plan and implement groups for devices in Microsoft Entra ID

Enroll devices to Microsoft Intune

  • Configure enrollment settings
  • Configure automatic enrollment for Windows and bulk enrollment for iOS/iPadOS and Android
  • Configure enrollment profiles for Android devices, including fully managed, dedicated, corporate owned, and work profile

Implement identity and compliance

  • Manage roles in Intune
  • Implement compliance policies for all supported device platforms by using Intune
  • Implement Microsoft Entra Conditional Access policies that require a compliance status
  • Configure Windows Hello for Business
  • Implement and manage Windows Local Administrator Password Solution (Windows LAPS)
  • Manage the membership of local groups on Windows devices by using Intune

Manage and maintain devices (30–35%)

Deploy and upgrade Windows clients by using cloud-based tools

  • Choose between Windows Autopilot and provisioning packages
  • Choose a Windows Autopilot deployment mode
  • Apply a device name template
  • Implement Windows client deployment by using Windows Autopilot
  • Create an Enrollment Status Page (ESP)
  • Plan and implement provisioning packages
  • Plan and implement device upgrades for Windows 11
  • Implement a Windows 365 Cloud PC deployment

Plan and implement device configuration profiles

  • Create device configuration profiles for Windows devices, including importing ADMX files
  • Create device configuration profiles for Android devices
  • Create device configuration profiles for iOS/iPadOS devices
  • Create device configuration profiles for macOS devices
  • Create device configuration profiles for Windows 11 Enterprise multi-session devices
  • Target a profile by using filters

Implement Intune Suite add-on capabilities

  • Configure Endpoint Privilege Management
  • Manage applications by using the Enterprise App Catalog
  • Implement Microsoft Intune Advanced Analytics
  • Configure Microsoft Intune Remote Help
  • Identify use cases for Microsoft Cloud PKI
  • Implement Microsoft Tunnel for Mobile Application Management

Perform remote actions on devices

  • Sync, restart, retire, or wipe devices
  • Perform bulk remote actions
  • Update Microsoft Defender Antivirus security intelligence
  • Rotate BitLocker recovery keys
  • Run a device query by using KQL

Manage applications (15–20%)

Deploy and update apps

  • Prepare applications for deployment by using Intune
  • Deploy apps by using Intune
  • Deploy Microsoft 365 Apps by using Intune
  • Configure policies for Office apps
  • Deploy Microsoft 365 Apps as part of a Windows Autopilot deployment by using the Office Deployment Tool (ODT) or Office Customization Tool (OCT)
  • Manage Microsoft 365 Apps by using the Microsoft 365 Apps admin center
  • Deploy apps from platform-specific app stores by using Intune

Plan and implement app protection and app configuration policies

  • Plan and implement app protection policies
  • Implement Microsoft Entra Conditional Access policies for app protection policies
  • Plan and implement app configuration policies for managed apps and managed devices

Protect devices (15–20%)

Configure endpoint security

  • Create antivirus policies
  • Create disk encryption policies
  • Create firewall policies
  • Configure Attack surface reduction policies
  • Plan and implement security baselines
  • Integrate Intune with Microsoft Defender for Endpoint
  • Onboard devices into Microsoft Defender for Endpoint

Manage device updates by using Intune

  • Plan for device updates
  • Create and manage update rings by using Intune
  • Create and manage update policies by using Intune, including iOS/iPadOS and macOS
  • Manage Android updates by using configuration profiles or firmware-over-the-air (FOTA) deployments
  • Configure Windows client Delivery Optimization by using Intune
  • Monitor updates
