MD-102 is the exam that leads to the Microsoft 365 Certified: Endpoint Administrator Associate certification. It tests your ability to deploy Windows, manage identity and compliance, configure and protect devices using Intune, manage apps, and now — as of the July 2026 update — automate endpoint operations using PowerShell, Microsoft Graph, and Security Copilot.
This guide is built entirely from the official Microsoft study guide. Every domain, every objective, every resource link comes from learn.microsoft.com. No shortcuts, no guesswork.
- Exam code: MD-102
- Questions: 40–60 (mix of multiple choice, case studies, drag-and-drop, simulations)
- Duration: 100 minutes
- Pass score: 700 / 1000
- Price: ~£165 / $165 USD (varies by country)
- Renewal: Free online assessment every 12 months on Microsoft Learn
- Updated: July 24, 2026 — new domain added (Optimize endpoint operations)
Exam Domains and Weights
The exam is broken into five domains. The July 24, 2026 update added a new fifth domain covering automation, monitoring, and reporting — so if you have older study materials, update them.
| Domain | Topic | Weight | Priority |
|---|---|---|---|
| 1 | Prepare infrastructure for devices | 20–25% | High |
| 2 | Manage and maintain devices | 25–30% | Critical |
| 3 | Protect devices | 15–20% | High |
| 4 | Manage and secure applications | 15–20% | High |
| 5 | Optimize endpoint operations (automation, monitoring, reporting) | 10–15% | Medium |
Domain 1 — Prepare Infrastructure for Devices (20–25%)
This domain covers getting devices into your management estate: joining them to Microsoft Entra ID, enrolling them in Intune, and building the compliance and role framework they will sit inside.
Add Devices to Microsoft Entra ID
There are three ways a Windows device can have a relationship with Entra ID. Understanding which to use — and when — is a core exam topic.
| Join Type | Who Owns the Device | Management | Typical Use Case |
|---|---|---|---|
| Entra Joined | Corporate | Intune or co-managed | Cloud-only organisations, new Windows 11 devices |
| Hybrid Entra Joined | Corporate | AD + Intune (co-managed) | Orgs with on-prem AD that need GPO + Intune |
| Entra Registered | Personal (BYOD) | MAM or MDM (user choice) | Personal devices accessing corporate resources |
To verify the join state of a Windows device, run dsregcmd /status in an elevated command prompt. The key fields to read are:
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
AzureAdPrt : YES # Primary Refresh Token — SSO is working
If AzureAdJoined is YES and DomainJoined is NO, the device is cloud-only Entra joined. If both are YES, it is hybrid joined.
Enrol Devices to Microsoft Intune
The exam covers enrollment for every platform. Key areas to know:
- Windows automatic enrollment — configured via Entra ID > Mobility > Microsoft Intune. Scope can be All, Some (group), or None.
- Android enrollment — four modes: Fully Managed, Dedicated, Corporate Owned Work Profile, and Personal Work Profile. Each has different app/data isolation.
- Apple Business Manager (ABM) — required for iOS/macOS supervised enrollment. Devices pushed to Intune via the ABM portal token.
- Samsung Knox Mobile Enrollment (KME) and Google Zero Touch — zero-touch provisioning for Android corporate devices.
- Enrollment restrictions — block personal devices, limit to specific OS versions, limit device count per user.
Implement Identity and Compliance
Compliance policies in Intune define the minimum security bar a device must meet before Conditional Access grants it access to company resources. Key exam points:
- Compliance policies are platform-specific (Windows, iOS, Android, macOS are separate policies)
- Devices marked non-compliant can be given a grace period before they are blocked — configurable per policy
- Windows LAPS (Local Administrator Password Solution) — managed via Intune and Entra ID, rotates the local admin password automatically
- Windows Hello for Business — configured via Intune identity protection profiles; replaces password with PIN/biometric backed by Entra ID
- Scope tags — used to delegate Intune admin rights to specific admins without giving them global admin
Domain 2 — Manage and Maintain Devices (25–30%)
This is the highest-weighted domain. Autopilot, device configuration profiles, and the Intune Suite add-ons are all here. Expect 12–18 questions from this domain.
Windows Autopilot
Autopilot is the cloud-based zero-touch provisioning system. As of the July 2026 exam update, you need to know both the original Autopilot deployment profiles AND the newer Device Preparation Policies.
| Autopilot Mode | User Interaction | Primary Use |
|---|---|---|
| User-Driven | User signs in during OOBE | Standard corporate device provisioning |
| Pre-Provisioning | IT completes device phase; user completes user phase | Devices shipped to office first, then to user |
| Self-Deploying | No user interaction required | Kiosk, shared, or meeting room devices |
The Enrollment Status Page (ESP) blocks the desktop until required apps and policies are applied. If the ESP times out, the root cause is nearly always an app that failed to install — check the Intune Management Extension (IME) logs at:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\
# Key file: IntuneManagementExtension.log
# Filter for: [Win32App] or [Error] to find failing apps
Device Configuration Profiles
Configuration profiles are how Intune delivers policy settings to devices. There are several profile types — knowing which to use is an exam staple:
| Profile Type | When to Use | Key Point |
|---|---|---|
| Settings Catalog | Preferred for new Windows policies | Search-based UI, covers MDM CSP + ADMX policies |
| ADMX Templates | Group Policy migration | Import custom ADMX files or use built-in Office/Edge ADMX |
| Custom OMA-URI | CSP not yet in Settings Catalog | ./Vendor/MSFT/Policy/Config/... path |
| Group Policy Analytics | Assessing GPO migration readiness | Imports GPO XML, shows MDM equivalents and gaps |
When a policy fails to apply, check the Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider. The two MDM error codes you are most likely to see in the exam:
| Error Code | Meaning | Fix |
|---|---|---|
| 0x87D1041C | Device has not checked in with Intune | Trigger manual sync or wait for next check-in cycle |
| 0x80070057 | Invalid parameter in the policy payload | Review OMA-URI value format and data type |
To force an MDM policy sync from PowerShell (useful in a lab or troubleshooting scenario):
# Force MDM sync on Windows 10/11
$session = New-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_Client -Property @{}
Invoke-CimMethod -InputObject $session -MethodName UpdateDevice
Intune Suite Add-On Capabilities
The Intune Suite is a premium add-on. The exam covers all of these features — you do not need a Suite licence to sit the exam, but you need to understand what each does:
- Endpoint Privilege Management (EPM) — allows standard users to run specific apps with elevated rights without giving them local admin. Configured via elevation policies in Intune.
- Enterprise App Catalog — curated library of pre-packaged Win32 apps that Intune can deploy without manual packaging.
- Remote Help — IT support tool that allows screen sharing and remote control through the Intune console, without a VPN.
- Microsoft Cloud PKI — cloud-based certificate authority integrated with Intune. Automates SCEP/PKCS certificate issuance to devices.
- Microsoft Tunnel for MAM — per-app VPN for unenrolled (BYOD) devices. Only the app-layer traffic is tunnelled, not the full device.
- Advanced Analytics — anomaly detection, proactive insights, and risk-based policy recommendations built on Endpoint Analytics.
Domain 3 — Protect Devices (15–20%)
This domain covers Intune's security stack: antivirus, BitLocker, firewall, attack surface reduction, security baselines, and integration with Microsoft Defender for Endpoint. A major change in the July 2026 update is the explicit inclusion of App Control for Business and Zero Trust principles.
Endpoint Security Policies
| Policy Type | What It Controls | Exam Focus |
|---|---|---|
| Antivirus | Microsoft Defender Antivirus settings | Cloud-delivered protection, exclusions, scan schedule |
| Disk Encryption | BitLocker settings and key escrow | Silent enablement, recovery key rotation, user self-service recovery |
| Firewall | Windows Defender Firewall rules | Domain / Private / Public network profiles |
| Attack Surface Reduction | ASR rules, controlled folder access | Audit mode vs Block mode for rule testing |
| Security Baselines | Predefined CIS/Microsoft recommended settings | Microsoft 365 Security Baseline vs Defender for Endpoint Baseline |
| App Control for Business | WDAC policy enforcement (application allowlisting) | Configured via Intune Security policies; replaces AppLocker at scale |
Microsoft Defender for Endpoint Integration
Intune and Microsoft Defender for Endpoint (MDE) work together through the Defender for Endpoint connector in the Intune admin center. Once connected:
- Devices onboarded to Intune can be automatically onboarded to MDE
- Endpoint Detection and Response (EDR) policies in Intune configure MDE telemetry and onboarding packages
- Device risk level from MDE feeds into Intune compliance policies — a device with active threats becomes non-compliant
- Conditional Access can then block that non-compliant device from accessing Microsoft 365 resources
Device Updates
Windows updates via Intune come in several forms. The exam tests you on when to use each:
| Update Method | What It Does | Key Setting |
|---|---|---|
| Update Rings | Control deferral days for quality and feature updates | Quality update deferral: 0–30 days; Feature: 0–365 days |
| Feature Updates | Pin devices to a specific Windows version | Use to control when devices move from Win 10 21H2 to 22H2 etc. |
| Windows Autopatch | Microsoft manages update rings for you | Requires Microsoft 365 E3/E5; four rings: Test, First, Fast, Broad |
| Hotpatch | Security-only patches without reboot | Windows 11 24H2+ only; requires Autopatch; baseline reboots needed every 3 months |
Windows Update for Business settings can also be configured via Group Policy at: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business. The GPO and Intune policies cover the same settings — if both are applied, conflicts follow standard MDM vs GPO precedence rules (MDM wins on Entra joined devices by default).
Domain 4 — Manage and Secure Applications (15–20%)
Application management covers deploying apps to devices (MDM) and protecting app data on unmanaged devices (MAM). Both scenarios appear in the exam.
App Deployment
Intune supports multiple app types. For Win32 apps, the app must be packaged as an .intunewin file using the Microsoft Win32 Content Prep Tool before upload. Key detection rule types:
| Detection Rule Type | What to Specify | Example |
|---|---|---|
| Registry | Key path + value name + value data | HKLM\SOFTWARE\Vendor\App value exists |
| File/Folder | Path + file name + version comparison | C:\Program Files\App\app.exe version >= 2.0.0 |
| Script | PowerShell script that exits 0 (detected) or 1 (not detected) | Custom logic for complex detection scenarios |
App Protection Policies (MAM)
App Protection Policies (APP) protect corporate data inside managed apps (Outlook, Teams, Edge) even on personal unmanaged devices. There are two MAM scenarios:
- MAM-D (MAM with Device Enrollment) — device is enrolled in Intune AND has an APP. Full device management applies.
- MAM-WE (MAM Without Enrollment) — device is NOT enrolled. Only the app and its corporate data are managed. Personal data and apps are untouched. This is the BYOD scenario.
APP settings you need to know for the exam: data transfer restrictions (cut/copy/paste between managed/unmanaged apps), minimum OS version requirements, PIN requirements, offline grace period, and selective wipe on unenrolled devices.
To require an App Protection Policy for access to Exchange Online from iOS/Android, create a Conditional Access policy targeting Exchange Online, set the Grant control to Require app protection policy, and target it to the mobile platforms. This forces users to use apps enrolled in your APP — they cannot use the native iOS Mail app to access corporate email.
Domain 5 — Optimize Endpoint Operations (10–15%)
This is a brand-new domain as of July 24, 2026. It reflects the industry shift toward automation and AI-assisted management. Even at 10–15% weight, it represents 6–9 questions.
Automate Management Tasks
Intune exposes its full feature set via the Microsoft Graph API. PowerShell scripts using the Microsoft.Graph.Intune module (or the newer Graph PowerShell SDK) can automate virtually any Intune task. Example — bulk sync all non-compliant devices:
# Connect to Microsoft Graph with Intune read/write permissions
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All"
# Get all non-compliant Windows devices
$nonCompliant = Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant' and operatingSystem eq 'Windows'"
# Trigger sync on each device
$nonCompliant | ForEach-Object {
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $_.Id
Write-Host "Syncing: $($_.DeviceName)"
}
Security Copilot in Intune
Microsoft Security Copilot is now integrated directly into the Intune admin center. The exam covers three Copilot agent scenarios:
- Investigate threats — Security Copilot agents surface Defender for Endpoint threat signals within Intune and recommend remediation actions
- Analyze device performance — Copilot summarises Endpoint Analytics data and highlights devices with poor health scores
- Policy recommendations — Copilot reviews your compliance policies and configuration profiles and suggests gaps based on security best practices
Monitor and Optimize Health
Endpoint Analytics in Intune provides device health scores across three dimensions:
- Startup performance — tracks boot time and login time. Devices below the baseline trigger proactive remediations.
- Reliability — app crash frequency, Blue Screen of Death events, unexpected shutdowns
- Work from anywhere — readiness score for cloud-based management (Entra joined, MDM enrolled, cloud-managed updates)
Proactive remediations (now called Remediations in the Intune console) are PowerShell detection + remediation script pairs that run on a schedule. Detection script exits 1 if the issue is present; remediation script runs and fixes it; detection script re-runs to confirm.
Official Microsoft Learn Study Paths
| Study Path | Covers | Link |
|---|---|---|
| Deploy and manage a cloud-native endpoint with Microsoft Intune | Domains 1 & 2 | learn.microsoft.com |
| Protect endpoints with Microsoft Intune | Domain 3 | learn.microsoft.com |
| Manage apps and data by using Microsoft Intune | Domain 4 | learn.microsoft.com |
| MD-102 Exam prep on Microsoft Learn | All domains | learn.microsoft.com |
Free Lab Setup
You need hands-on time in a real Intune tenant. You have two free options:
- Microsoft 365 Developer Programme — free 90-day M365 E5 tenant at developer.microsoft.com/en-us/microsoft-365/dev-program. Includes Intune, Entra ID P2, Defender for Endpoint P2, and Intune Suite trial.
- Microsoft 365 Business Premium Trial — 30-day free trial at microsoft.com. Includes Intune and Entra ID P1.
For the lab, enrol a Windows 11 VM (Hyper-V or VMware) to practice Autopilot, compliance policies, and configuration profiles. Use the Get-WindowsAutoPilotInfo script from the PowerShell Gallery to register the VM's hardware hash:
# Install the script from PowerShell Gallery
Install-Script -Name Get-WindowsAutoPilotInfo
# Export hardware hash and upload directly to Intune
Get-WindowsAutoPilotInfo -Online
What Most Candidates Get Wrong
- Autopilot pre-provisioning is NOT the same as self-deploying. Pre-provisioning still requires a user to sign in (in the user phase). Self-deploying requires no user at all. The exam tests this distinction explicitly.
- Compliance policies do not block access by themselves. They mark a device compliant or non-compliant. It is Conditional Access that uses the compliance status to allow or block access. Without a Conditional Access policy, a non-compliant device can still access everything.
- MAM-WE does not require the device to be enrolled. Many candidates assume app protection requires MDM enrollment. It does not. The user just needs to sign into the managed app (Outlook, Teams) with their work account.
- Security baselines are not the same as endpoint security policies. Security baselines are pre-configured bundles of settings based on Microsoft security recommendations. Endpoint security policies (antivirus, firewall, etc.) are individual, granular policies. Both exist in the Intune admin center under different nodes.
- Group Policy and Intune can conflict on Hybrid Entra Joined devices. MDM policies typically win over GPO on Entra Joined devices, but on Hybrid Entra Joined devices, GPO may still apply. Use the MDM Diagnostics Tool (
MdmDiagnosticsTool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -zip C:\logs.zip) to see what is actually being applied.
Exam Day Tips
With 100 minutes and up to 60 questions, you have roughly 100 seconds per question. Spend more time on Domain 2 (25–30% = up to 18 questions). Flag anything you are unsure about and return to it. Do not spend more than 3 minutes on any single question.
- Case studies appear in most MD-102 exams. You cannot go back to the case study scenario once you leave it, so read the scenario carefully before answering.
- Interactive simulations require you to navigate a simulated Intune admin center. Practice the real portal — the simulation matches the current UI closely.
- Read the question for the word "minimum." "What is the minimum requirement to enable Autopatch?" is asking for the lowest licence tier, not the best one.
- If the question mentions a scenario with no user interaction, the answer is Self-Deploying mode, not User-Driven or Pre-Provisioning.
- Practice the free assessment at Microsoft Learn — it uses the same question format as the real exam.
References
- Exam MD-102 — Microsoft Learn
- MD-102 Study Guide (official) — Microsoft Learn
- What is Microsoft Intune? — Microsoft Learn
- Windows Autopilot overview — Microsoft Learn
- BitLocker overview — Microsoft Learn
- Device compliance policies in Microsoft Intune — Microsoft Learn
- App protection policies overview — Microsoft Learn