The MD-102 certification is Microsoft's current associate-level credential for IT professionals who manage and maintain Windows endpoints in enterprise and cloud-connected environments. Endpoint administrators in modern organizations are responsible for deploying Windows client devices, configuring security and compliance policies, managing identities through Microsoft Entra ID (formerly Azure AD), maintaining devices using Intune and Configuration Manager, and supporting application deployment and protection across managed endpoints. The MD-102 exam validates that a candidate can perform all of these functions at a professional level in a Microsoft 365-enabled environment.

The certification replaced the MD-101 (Managing Modern Desktops) exam in 2023 as Microsoft updated its credential framework to reflect the growing importance of cloud-native device management. Where earlier endpoint management certifications focused heavily on traditional on-premises tools like SCCM, MD-102 reflects the hybrid reality of modern enterprise IT — environments where devices may be managed through Intune, Configuration Manager, or co-management scenarios, and where identity is increasingly rooted in Entra ID rather than on-premises Active Directory alone. Candidates who held MD-101 need to pass MD-102 to maintain a current associate-level endpoint certification.

MD-102 is appropriate for IT professionals working as endpoint administrators, desktop support engineers, systems administrators with a device management focus, or IT infrastructure engineers who are transitioning into more modern endpoint management roles. The exam is designed for individuals with at least one to two years of hands-on experience with Windows endpoint management, Microsoft 365 services, and enterprise security concepts. While the exam is available to candidates without work experience, those who lack practical familiarity with Intune, Entra ID, and Windows deployment scenarios typically find the exam significantly more difficult than those with real-world exposure to these technologies.

Passing MD-102 qualifies candidates for roles such as endpoint administrator, modern desktop administrator, Microsoft 365 administrator, and similar IT infrastructure titles. In the job market, the Microsoft 365 Certified: Endpoint Administrator Associate credential signals fluency with modern device management, which is a key hiring criterion as more organizations complete migrations to cloud-based management and zero-trust security architectures. The certification is frequently listed as a preferred or required qualification in IT support and endpoint management job postings at mid-size and enterprise organizations.

This guide covers the MD-102 exam domains, study strategies, key technical concepts to prioritize, and free practice questions to assess your readiness before exam day.

The MD-102 exam structure reflects the evolution of Microsoft's certification framework toward role-based credentials. Rather than testing on a single product or feature set, MD-102 tests the full scope of what an endpoint administrator actually does — which means the exam spans Windows deployment, identity management, device configuration, security, and application management in an integrated way. This breadth makes MD-102 a demanding exam for candidates who are specialists in only one area, but it also means that passing the exam genuinely demonstrates broad competency across the modern endpoint management stack.

Candidates for MD-102 should understand the difference between Microsoft Intune-only management, Configuration Manager-only management, and co-management scenarios. Co-management — in which devices are managed simultaneously by both Intune and Configuration Manager — is a significant topic on the exam because it represents the real-world state of many enterprise environments that are partially through a transition to cloud-native management. Understanding co-management workloads, how to pilot workloads between Configuration Manager and Intune, and the conditions under which each tool's policies take precedence is important for scenario questions that involve transitional hybrid environments.

The role of Microsoft Entra ID in endpoint management has expanded dramatically since the introduction of Azure AD-joined devices and Hybrid Azure AD Join scenarios. MD-102 expects candidates to understand the enrollment implications of different Entra ID join types — Entra ID registered (BYOD), Entra ID joined (cloud-native), and Hybrid Entra ID joined (on-premises domain plus Entra ID) — and to know which Intune enrollment flows apply to each scenario. Knowing how device identity in Entra ID connects to Intune enrollment, compliance policy evaluation, and Conditional Access grant controls is a thread that runs through multiple exam domains.

Microsoft 365 Apps deployment is one of the more practically complex topics on MD-102 for candidates who have not deployed Office in an enterprise environment. The exam tests knowledge of Office Deployment Tool (ODT) configuration, the difference between Current Channel and Monthly Enterprise Channel for update management, and the configuration of Microsoft 365 Apps through Intune versus the ODT. Understanding when to use each deployment method and how to configure update channels through both Intune and the ODT positions candidates well for the application management domain of the exam.

Candidates who are new to Microsoft certification should understand the format of scenario-based Microsoft exam questions. Rather than asking you to recite a definition or identify a configuration option in isolation, Microsoft exam questions present a business or technical scenario and ask which action, policy, or configuration setting best solves the described problem.

These questions test judgment — whether you can identify the correct Microsoft tool for a given scenario, configure it appropriately, and avoid common mistakes. Reading each question carefully and eliminating options that misidentify the relevant tool or misconfigure an important setting is the core skill needed to perform well on MD-102.

For candidates who already hold the MD-101 certification, the transition to MD-102 requires attention to the new content areas that were not covered in the previous exam — particularly cloud-native Autopilot deployment scenarios and the updated Entra ID identity management content that reflects Microsoft's 2023 branding and feature changes. Reviewing the MD-102 exam skills outline and mapping it against MD-101 content helps identify the specific new areas requiring focused study.

MD-102 also expects familiarity with Windows security features at the device level — BitLocker encryption, Windows Hello for Business, and Controlled Folder Access (a Defender feature protecting against ransomware). These topics appear in both the device management and identity domains, and candidates should understand how each is configured and enforced through Intune policy rather than through manual device configuration.

Effective MD-102 preparation requires a combination of conceptual knowledge and hands-on lab practice. Unlike some certification exams that can be passed through content review alone, MD-102 scenario-based questions test your ability to make configuration decisions in realistic endpoint management situations. The best preparation strategy is to study each domain's concepts while simultaneously practicing the corresponding tasks in a Microsoft 365 developer tenant (available free for 90 days through the Microsoft 365 Developer Program) or in a personal Azure sandbox environment.

The Microsoft Learn platform is the most authoritative free study resource for MD-102. Microsoft publishes an official learning path for the MD-102 exam that covers all four domains with explanations, guided exercises, and knowledge checks. Completing the official learning path provides a solid theoretical foundation and ensures alignment with the exam's current scope. Because Microsoft updates the exam content periodically, the official learning path on Microsoft Learn always reflects the current exam version, making it more reliable than third-party study materials that may lag behind exam updates.

Intune is central to all four MD-102 domains in different ways. For deployment, you need to understand how Autopilot integrates with Intune enrollment. For identity, you need to understand how Intune compliance policies interact with Conditional Access in Entra ID. For device management, you configure device configuration profiles and endpoint security policies in Intune. For applications, you deploy and manage apps through the Intune apps blade. Building proficiency with the Intune admin center — both through lab practice and through reviewing Microsoft documentation on specific configuration scenarios — is the single most impactful preparation activity for MD-102 candidates.

Windows Autopilot is heavily tested and represents a technology that many candidates find conceptually straightforward but operationally complex. Understanding the difference between user-driven Autopilot, self-deploying Autopilot, and pre-provisioned (white glove) Autopilot scenarios — and knowing which mode is appropriate for which business scenario — is a high-priority preparation topic. Similarly, understanding how Autopilot profile settings interact with enrollment status pages, device groups, and Entra ID join configurations helps you work through scenario questions that present a specific business requirement and ask how to configure Autopilot to meet it.

Conditional Access is another heavily tested topic. Exam questions frequently present a scenario involving an organization's access control requirements — for example, requiring compliant devices and MFA for specific users accessing sensitive applications — and ask how to configure Conditional Access policies to implement those requirements. Understanding the components of a Conditional Access policy (assignments, conditions, access controls, and grant/session controls), and knowing how compliance policies from Intune flow into Conditional Access device compliance conditions, provides the foundation for answering these questions correctly.

For candidates targeting the MD-102 as part of a broader Microsoft certification pathway, the endpoint administrator credential pairs well with the Security Administrator Associate (SC-300, AZ-500) and the Microsoft 365 Administrator Expert (MS-102). Building this credential stack positions candidates for senior security and cloud infrastructure roles that require deep cross-domain Microsoft 365 expertise.

Microsoft Defender for Endpoint integration with Intune is increasingly tested as organizations adopt Microsoft's unified endpoint security stack. Candidates should understand how to onboard Windows devices to Defender for Endpoint through Intune, how to configure Defender antivirus and firewall policies through endpoint security profiles, and how to interpret Defender threat intelligence in the context of device management decisions. Candidates who have not worked with Defender for Endpoint in a production environment should spend time in the Microsoft documentation and sandbox environments to build familiarity with the interface and configuration options.

Application protection policies in Intune deserve focused study time. These policies, which protect organizational data within managed applications on both enrolled and unenrolled devices, are tested across both the device management and application management domains. Candidates should understand the difference between app protection policies for enrolled devices (which can enforce stricter controls) and app protection policies for unenrolled BYOD devices (which operate without full MDM control). The specific settings available in app protection policies — data transfer restrictions, PIN requirements, copy-paste controls — and the scenarios in which each is appropriate are consistently tested exam content.

Windows Update for Business and Intune update rings are tested throughout the deployment and device management domains. Candidates should understand how to configure Windows Update for Business settings through Intune, including the quality update deferral period, feature update deferral period, active hours, and restart behavior settings. Understanding the update ring concept — where a pilot ring with minimal deferral is used for early adopters and broader rings with longer deferrals are used for the general workforce — helps answer scenario questions about balancing speed of update adoption with stability requirements.

Endpoint analytics and Windows health monitoring are areas that newer endpoint administrators may not have encountered in previous roles but that appear on the exam. Endpoint analytics in the Intune admin center provides data about device health, startup performance, restart frequency, and app reliability. Candidates should understand at a conceptual level what data endpoint analytics surfaces and how it can inform remediation decisions — even without deep technical expertise in interpreting specific metrics, understanding the purpose and general functionality of endpoint analytics tools is sufficient for the exam questions in this area.

Practice question strategy matters as much as volume. When you complete a practice question incorrectly, identify whether the error was a knowledge gap (you did not know the relevant Intune setting), a concept gap (you understood the setting but misapplied it to the scenario), or a reading error (you misread a key detail in the scenario). Categorizing errors this way directs your review to the right type of remediation — knowledge gaps require content review, concept gaps require scenario practice, and reading errors require test-taking discipline.

Tracking your error patterns across 200+ practice questions provides a data-driven preparation plan for the final weeks before your exam.

The MD-102 exam is delivered by Pearson VUE and can be taken at a Pearson VUE testing center or through online proctoring from home or office. Online proctored exams require a webcam, a stable internet connection, and a quiet private room. Microsoft's online proctoring partner (typically Pearson VUE OnVUE) performs a pre-check of your testing environment before the exam begins. Scheduling your exam 2–3 weeks in advance ensures you have time to complete final preparation and to arrange your testing environment if choosing online delivery.

Microsoft Learn's sandbox environments allow practice without a full tenant in some modules, which is useful for candidates who prefer not to manage a developer tenant. The sandboxes are limited in scope but sufficient for following along with guided exercises in the official MD-102 learning path modules. Combining Microsoft Learn sandbox exercises with a developer tenant for free-form practice provides the most complete lab preparation for the MD-102 exam.

The most common mistake MD-102 candidates make is underestimating the depth of Intune knowledge required. Surface-level familiarity with what Intune does is not sufficient — exam questions test specific policy settings, enrollment prerequisites, assignment scoping, and behavior differences across device types. Candidates who treat Intune as a single tool rather than learning its specific feature areas in depth consistently underperform relative to their preparation effort.

After passing MD-102, plan to complete the free annual renewal assessment on Microsoft Learn before your certification expires. The renewal assessment covers new and updated content added to the exam scope since you were certified and takes approximately 30–45 minutes to complete. Completing it on time preserves your certification record without requiring a full exam retake.