MD-102: Microsoft 365 Endpoint Administrator
Interactive Study Guide
Each module covers one exam topic with plain-English explanations, real-world scenarios, and built-in practice. Everything you need to understand and retain the material — no tab-switching required.
- Domain 1: Prepare Infrastructure for Devices
- Domain 2: Manage and Maintain Devices
- Domain 3: Manage Applications
- Domain 4: Protect Devices
Exam Resources
Official learning paths, exam details, skills measured, and community resources to supplement your study.
Exam Quick Facts
| Detail | Value |
|---|---|
| Exam Code | MD-102 |
| Title | Microsoft 365 Endpoint Administrator |
| Level | Associate |
| Pass Score | 700 / 1000 |
| Duration | 100 minutes |
| Questions | ~40–60 (multiple choice, case studies, labs) |
| Cost | $165 USD (varies by region) |
| Scheduling | Pearson VUE |
| Skills Updated | April 28, 2026 |
Official Learning Paths
- 📘 Deploy Windows clients — Entra join, Intune enrollment, Autopilot
- 📘 Manage, maintain, and protect devices — Configuration profiles, updates, security baselines
- 📘 Manage apps — App deployment, protection policies, Microsoft 365 Apps
- 📘 Plan and implement endpoint security — Defender for Endpoint, antivirus, encryption, firewall
📖 Study Resources
| Resource | Link |
|---|---|
| 📝 Official Exam Page | Microsoft Learn — MD-102 |
| 📖 Official Study Guide | Microsoft Study Guide |
| 🎯 Free Practice Assessment | Start Practice Assessment |
| 🖥️ Exam Sandbox | Try the exam interface |
| 🎬 Exam Readiness Zone | Video prep series |
| 📄 Intune Documentation | Microsoft Intune docs |
Skills at a Glance
| Skill Area | Weight |
|---|---|
| Prepare infrastructure for devices | 25–30% |
| Manage and maintain devices | 30–35% |
| Manage applications | 15–20% |
| Protect devices | 15–20% |
Who is this exam for?
The MD-102 is for endpoint administrators — the people who manage devices (Windows, iOS, Android, macOS) at scale using Microsoft Intune. If you deploy laptops with Autopilot, push apps through Intune, configure compliance policies, and manage Windows updates, this exam covers your daily work.
You should have experience with Intune, Microsoft Entra ID, Windows Autopilot, Defender for Endpoint, and Windows 365. This is a hands-on, practical exam — expect scenario-based questions about device enrollment, configuration profiles, and compliance policies.
This exam was updated on April 28, 2026 and now includes Intune Suite add-ons (Endpoint Privilege Management, Remote Help, Cloud PKI, Advanced Analytics), Windows 365 Cloud PC deployment, and Security Copilot integration. It also counts toward the Microsoft 365 Certified: Administrator Expert certification.
Skills Measured — with Microsoft Learn Links
Prepare infrastructure for devices (25–30%)
This domain covers getting devices into your management environment — joining them to Entra ID, enrolling them in Intune, and setting up compliance and identity requirements. You need to know the difference between Entra join, hybrid join, and registration, and how enrollment works across platforms.
Add devices to Microsoft Entra ID
Devices can connect to Entra ID in three ways: Entra join (cloud-only), Entra hybrid join (synced with on-premises AD), and Entra registration (BYOD). Each has different capabilities and use cases. You also need to know how to plan device groups for targeting policies.
- Choose an appropriate device join type
- Join devices to Microsoft Entra ID
- Register devices to Microsoft Entra ID
- Plan and implement groups for devices in Microsoft Entra ID
Enroll devices to Microsoft Intune
Enrollment brings devices under Intune management. Automatic enrollment works for Windows devices joined to Entra ID. iOS, Android, and macOS devices have their own enrollment methods. You need to know how to configure enrollment profiles for different Android deployment scenarios (fully managed, dedicated, work profile).
- Configure enrollment settings
- Configure automatic enrollment for Windows and bulk enrollment for iOS/iPadOS and Android
- Configure enrollment profiles for Android devices
Implement identity and compliance
Compliance policies define the minimum requirements for a device to be considered “healthy” (e.g., must have a PIN, must be encrypted, must not be jailbroken). Conditional Access policies can then block non-compliant devices from accessing corporate resources. This section also covers LAPS and managing local admin groups.
- Manage roles in Intune
- Implement compliance policies for all supported device platforms
- Implement Entra Conditional Access policies that require compliance status
- Configure Windows Hello for Business
- Implement and manage Windows LAPS
- Manage the membership of local groups on Windows devices
Manage and maintain devices (30–35%)
This is the largest domain. It covers deploying Windows using Autopilot and provisioning packages, creating configuration profiles for all platforms, using Intune Suite add-ons, performing remote actions, and deploying Windows 365 Cloud PCs. Heavy hands-on content here.
Deploy and upgrade Windows clients by using cloud-based tools
Windows Autopilot enables zero-touch deployment — a new device boots up, connects to the internet, and automatically configures itself with apps, settings, and policies. You need to know the different Autopilot deployment modes (user-driven, self-deploying, pre-provisioned) and how to create an Enrollment Status Page.
- Choose between Windows Autopilot and provisioning packages
- Choose a Windows Autopilot deployment mode
- Apply a device name template
- Implement Windows client deployment by using Windows Autopilot
- Create an Enrollment Status Page (ESP)
- Plan and implement provisioning packages
- Plan and implement device upgrades for Windows 11
- Implement a Windows 365 Cloud PC deployment
Plan and implement device configuration profiles
Configuration profiles are how you push settings to devices — Wi-Fi, VPN, email, certificates, restrictions, and more. Intune supports profiles for Windows, Android, iOS/iPadOS, macOS, and Windows 11 Enterprise multi-session (for AVD). Filters let you target profiles to specific subsets of devices.
- Create device configuration profiles for Windows devices, including importing ADMX files
- Create device configuration profiles for Android devices
- Create device configuration profiles for iOS/iPadOS devices
- Create device configuration profiles for macOS devices
- Create device configuration profiles for Windows 11 Enterprise multi-session devices
- Target a profile by using filters
Implement Intune Suite add-on capabilities
The Intune Suite adds premium features beyond the base Intune licence. Endpoint Privilege Management lets standard users elevate specific apps without giving them full admin access. Remote Help provides helpdesk-style screen sharing. Cloud PKI issues certificates without on-premises infrastructure.
- Configure Endpoint Privilege Management
- Manage applications by using the Enterprise App Catalog
- Implement Microsoft Intune Advanced Analytics
- Configure Microsoft Intune Remote Help
- Identify use cases for Microsoft Cloud PKI
- Implement Microsoft Tunnel for Mobile Application Management
Perform remote actions on devices
Remote actions let you manage devices without physical access — sync policies, restart, retire (remove corporate data), or full wipe (factory reset). Bulk actions let you do this across hundreds of devices. Device query using KQL lets you run real-time queries against device inventory.
- Sync, restart, retire, or wipe devices
- Perform bulk remote actions
- Update Microsoft Defender Antivirus security intelligence
- Rotate BitLocker recovery keys
- Run a device query by using KQL
Manage applications (15–20%)
This domain covers deploying apps to managed devices (Win32 apps, MSI, Microsoft 365 Apps, store apps) and protecting corporate data within apps using app protection policies. App protection is especially important for BYOD scenarios where you don’t manage the device itself.
Deploy and update apps
- Prepare applications for deployment by using Intune
- Deploy apps by using Intune
- Deploy Microsoft 365 Apps by using Intune
- Configure policies for Office apps
- Deploy Microsoft 365 Apps as part of a Windows Autopilot deployment
- Manage Microsoft 365 Apps by using the Microsoft 365 Apps admin center
- Deploy apps from platform-specific app stores by using Intune
Plan and implement app protection and app configuration policies
App protection policies (APP, formerly MAM) protect corporate data within apps — even on unmanaged devices. For example, you can prevent users from copying data from Outlook to a personal app, or require a PIN to open a managed app. App configuration policies push settings to apps (like pre-configuring an email account).
- Plan and implement app protection policies
- Implement Entra Conditional Access policies for app protection policies
- Plan and implement app configuration policies for managed apps and managed devices
Protect devices (15–20%)
This domain covers endpoint security — antivirus, disk encryption, firewalls, attack surface reduction, security baselines, and Defender for Endpoint integration. It also covers managing Windows updates through Intune (update rings, feature updates, driver updates) and handling updates for iOS, Android, and macOS.
Configure endpoint security
Security baselines are pre-configured sets of Windows settings recommended by Microsoft’s security team. Applying them gives you a solid security foundation without configuring dozens of individual settings. You also need to know how to create custom antivirus, encryption, and firewall policies.
- Create antivirus policies
- Create disk encryption policies
- Create firewall policies
- Configure Attack surface reduction policies
- Plan and implement security baselines
- Integrate Intune with Microsoft Defender for Endpoint
- Onboard devices into Microsoft Defender for Endpoint
Manage device updates by using Intune
Windows update management in Intune uses update rings (control quality and feature update timing), update policies (target specific feature updates), and Delivery Optimization (peer-to-peer download to reduce bandwidth). For iOS, macOS, and Android, updates are managed differently through configuration profiles or FOTA.
- Plan for device updates
- Create and manage update rings by using Intune
- Create and manage update policies by using Intune, including iOS/iPadOS and macOS
- Manage Android updates by using configuration profiles or FOTA deployments
- Configure Windows client Delivery Optimization by using Intune
- Monitor updates
Skills Measured
Prepare infrastructure for devices (25–30%)
Add devices to Microsoft Entra ID
- Choose an appropriate device join type
- Join devices to Microsoft Entra ID
- Register devices to Microsoft Entra ID
- Plan and implement groups for devices in Microsoft Entra ID
Enroll devices to Microsoft Intune
- Configure enrollment settings
- Configure automatic enrollment for Windows and bulk enrollment for iOS/iPadOS and Android
- Configure enrollment profiles for Android devices, including fully managed, dedicated, corporate owned, and work profile
Implement identity and compliance
- Manage roles in Intune
- Implement compliance policies for all supported device platforms by using Intune
- Implement Microsoft Entra Conditional Access policies that require a compliance status
- Configure Windows Hello for Business
- Implement and manage Windows Local Administrator Password Solution (Windows LAPS)
- Manage the membership of local groups on Windows devices by using Intune
Manage and maintain devices (30–35%)
Deploy and upgrade Windows clients by using cloud-based tools
- Choose between Windows Autopilot and provisioning packages
- Choose a Windows Autopilot deployment mode
- Apply a device name template
- Implement Windows client deployment by using Windows Autopilot
- Create an Enrollment Status Page (ESP)
- Plan and implement provisioning packages
- Plan and implement device upgrades for Windows 11
- Implement a Windows 365 Cloud PC deployment
Plan and implement device configuration profiles
- Create device configuration profiles for Windows devices, including importing ADMX files
- Create device configuration profiles for Android devices
- Create device configuration profiles for iOS/iPadOS devices
- Create device configuration profiles for macOS devices
- Create device configuration profiles for Windows 11 Enterprise multi-session devices
- Target a profile by using filters
Implement Intune Suite add-on capabilities
- Configure Endpoint Privilege Management
- Manage applications by using the Enterprise App Catalog
- Implement Microsoft Intune Advanced Analytics
- Configure Microsoft Intune Remote Help
- Identify use cases for Microsoft Cloud PKI
- Implement Microsoft Tunnel for Mobile Application Management
Perform remote actions on devices
- Sync, restart, retire, or wipe devices
- Perform bulk remote actions
- Update Microsoft Defender Antivirus security intelligence
- Rotate BitLocker recovery keys
- Run a device query by using KQL
Manage applications (15–20%)
Deploy and update apps
- Prepare applications for deployment by using Intune
- Deploy apps by using Intune
- Deploy Microsoft 365 Apps by using Intune
- Configure policies for Office apps
- Deploy Microsoft 365 Apps as part of a Windows Autopilot deployment by using the Office Deployment Tool (ODT) or Office Customization Tool (OCT)
- Manage Microsoft 365 Apps by using the Microsoft 365 Apps admin center
- Deploy apps from platform-specific app stores by using Intune
Plan and implement app protection and app configuration policies
- Plan and implement app protection policies
- Implement Microsoft Entra Conditional Access policies for app protection policies
- Plan and implement app configuration policies for managed apps and managed devices
Protect devices (15–20%)
Configure endpoint security
- Create antivirus policies
- Create disk encryption policies
- Create firewall policies
- Configure Attack surface reduction policies
- Plan and implement security baselines
- Integrate Intune with Microsoft Defender for Endpoint
- Onboard devices into Microsoft Defender for Endpoint
Manage device updates by using Intune
- Plan for device updates
- Create and manage update rings by using Intune
- Create and manage update policies by using Intune, including iOS/iPadOS and macOS
- Manage Android updates by using configuration profiles or firmware-over-the-air (FOTA) deployments
- Configure Windows client Delivery Optimization by using Intune
- Monitor updates
Frequently asked questions
The MD-102 questions I hear most often from device admins — usually starting with ‘is this the right cert for me, or should I do MS-102?’
1. What's the difference between MD-102 and MS-102?
MD-102 is for endpoint admins — Intune, Autopilot, Windows, device compliance, the people managing a fleet of laptops and phones. [MS-102](/cert-tracker/ms-102/) is for tenant admins — M365 deployment, identity, Defender XDR, Purview, the people running the whole tenant. Different daily jobs, but both count toward the same [Microsoft 365 Certified: Administrator Expert](https://learn.microsoft.com/en-us/credentials/certifications/m365-administrator-expert/) badge. If you live in Intune all day, MD-102. If you run the broader tenant, MS-102. Plenty of people take both.
2. Do I need hands-on Intune experience to pass MD-102?
Strongly recommended — yes. MD-102 includes scenario-based and lab questions on Autopilot, configuration profiles, compliance policies, and Defender for Endpoint. Reading alone won't get you there. Minimum setup: a trial Intune tenant + a Windows 11 VM you can enrol, configure, and break. Microsoft offers a [free Intune trial](https://learn.microsoft.com/en-us/mem/intune/fundamentals/free-trial-sign-up) — set it up before you book the exam.
3. How long does it take to prepare for MD-102?
Six to ten weeks of part-time study for most people. Less if you manage Intune day-to-day already, more if you're new to MDM or Windows admin. Block at least a quarter of your study time for hands-on Intune labs. The April 2026 skills update added Intune Suite add-ons (Endpoint Privilege Management, Remote Help, Cloud PKI), Windows 365 Cloud PCs, and Security Copilot — don't skip these even if older study material doesn't cover them.
4. Does MD-102 still count toward the M365 Administrator Expert?
Yes. MD-102 is one of the qualifying associate exams for the [Microsoft 365 Certified: Administrator Expert](https://learn.microsoft.com/en-us/credentials/certifications/m365-administrator-expert/) badge, alongside [MS-102](/cert-tracker/ms-102/). You need one associate + the expert capstone. The endpoint path (MD-102) is common for IT pros from desktop support or device management — also the most practical of the M365 associates if your day job is mostly managing the laptops.
5. What does the MD-102 exam cost and what's the retake policy?
USD $165, with regional pricing — $99 in some countries. Microsoft sometimes runs free voucher promos through partner training events. [Pearson VUE](https://learn.microsoft.com/en-us/credentials/certifications/schedule-through-pearson-vue?examUid=exam.MD-102) lets you sit it online with a proctor or at a test centre. Failed attempt: wait 24 hours before retake #1, then 14 days for each subsequent retake — $165 each time.