Microsoft · 2026 Edition
A complete preparation guide written by Microsoft-certified engineers. Covers the exam format, all 7 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 3–4 months
Difficulty: Intermediate
Exam questions: 50
Pass mark: 700/1000
Exam code: MD-102
Full name: Microsoft 365 Endpoint Administrator
Vendor: Microsoft
Duration: 120 minutes
Questions: 50 items
Passing score: 700/1000 (scaled)
Domains covered: 7 blueprint domains
Recommended experience: 1–2 years of endpoint administration experience; familiarity with Microsoft Intune and Windows
Typical prep time: 3–4 months
MD-102 earns the Microsoft 365 Certified: Endpoint Administrator Associate designation. It validates the skills to deploy, configure, and manage Windows endpoints using Microsoft Intune and enforce device compliance across an organisation.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–3
Deploy Windows: Windows Autopilot, OS deployment methods, update management
Tip: Windows Autopilot deployment profiles: user-driven mode (user completes OOBE), self-deploying mode (no user interaction, for kiosks/shared devices), and pre-provisioning (technician pre-provisions before user receives the device). Know when each mode is appropriate.
Weeks 4–5
Identity and Compliance: Entra ID join, Hybrid join, conditional access, compliance policies
Tip: Know the difference between Microsoft Entra ID joined (cloud-only), Hybrid Entra joined (both AD DS and Entra ID), and Microsoft Entra registered (personal device, BYOD). Each has different management capabilities and Conditional Access policy support.
Weeks 6–9
Manage and Protect Devices: Intune configuration profiles, compliance policies, Endpoint Security, Defender for Endpoint
Tip: Intune compliance policies and configuration profiles are separate. Compliance policies define what makes a device compliant (BitLocker required, minimum OS version). Configuration profiles push settings (Wi-Fi, VPN, restrictions). Conditional Access checks compliance, not configuration.
Weeks 10–13
Manage Apps: MSIX packaging, Intune app deployment, app protection policies, Microsoft Store
Tip: Intune App Protection Policies (APP) provide data protection for managed apps on both enrolled and unenrolled devices. Key settings: cut/copy/paste restrictions to unmanaged apps, minimum OS version enforcement, and wipe app data on detected jailbreak.
Windows Autopilot requires devices to be pre-registered in Microsoft Entra ID with their hardware hash. Know the registration methods: CSV import from OEM or via the Get-WindowsAutoPilotInfo script.
Intune configuration profile types: device restrictions, administrative templates (ADMX-backed), device features, custom (OMA-URI), and endpoint protection. Use Administrative Templates for Group Policy-equivalent settings; use OMA-URI for settings not in the UI.
Update rings in Microsoft Intune control Windows Update for Business: deferral period for feature updates, deferral for quality updates, active hours, and automatic restart settings. A pilot ring has 0-day deferral; a broad deployment ring typically has 21-day deferral.
Co-management allows Configuration Manager (SCCM) and Intune to manage a device simultaneously. When a workload slider is moved to Intune (e.g. Compliance Policies), Intune takes control; when it stays at Configuration Manager, SCCM controls it.
Microsoft Defender for Endpoint onboarding via Intune uses the Endpoint detection and response configuration profile. Security baselines are the fastest way to apply opinionated Defender for Endpoint settings to a large fleet.