MD-102: Endpoint Administrator Associate Exam Practice Test
The MD-102: Endpoint Administrator Associate certification exam is designed for IT professionals who want to demonstrate their skills in managing modern endpoints and devices within a Microsoft 365 environment. As organizations increasingly adopt cloud-first strategies, the ability to efficiently deploy, configure, secure, and monitor devices is critical to maintaining a robust IT infrastructure.
What Is the MD-102 Certification Exam?
This certification validates your expertise in managing devices running Windows 10 and Windows 11, leveraging Microsoft Intune, Windows Autopilot, and Endpoint Manager. It covers essential skills such as enrolling devices, implementing policies, managing apps, and securing data. Passing the MD-102 exam proves you have the practical knowledge needed to support end-users, maintain device compliance, and optimize endpoint configurations in a real-world business setting.
What Will You Learn?
By preparing for the MD-102 exam, you’ll gain comprehensive knowledge of:
Windows Enrollment and Deployment: Learn how to deploy Windows devices using modern methods like Windows Autopilot and manage hybrid Azure AD join scenarios.
Device and Profile Management: Understand how to configure device profiles, restrictions, and compliance policies to ensure organizational security requirements are met.
Application Management: Master deploying, updating, and managing apps across devices using Microsoft Intune and the Microsoft Store for Business.
Endpoint Security: Explore techniques to protect devices with BitLocker encryption, Windows Defender, and Application Control policies.
Monitoring and Troubleshooting: Develop skills to monitor device health, deploy update rings, and troubleshoot common issues affecting endpoint performance.
Key Topics Covered
The MD-102 exam covers a broad range of topics critical for Endpoint Administrators, including:
Windows Autopilot deployment and configuration
Device enrollment options (Azure AD Join, Hybrid Join)
Intune device configuration profiles and compliance policies
Application lifecycle management with Intune
Endpoint security management (BitLocker, Windows Defender, WDAC)
Windows Update management and update rings
Conditional Access and device compliance integration with Azure AD
Device and user monitoring with Microsoft Endpoint Manager
Troubleshooting device and enrollment issues
Why Use ExamSage.com for Your MD-102 Exam Preparation?
ExamSage.com is your trusted partner for exam success. Our MD-102 practice tests are carefully crafted by experts who understand the exam objectives and current industry practices. Each question is designed to mirror the real exam format, complete with detailed explanations that help you understand the reasoning behind each answer.
Preparing with ExamSage means:
Access to high-quality, realistic practice questions
Comprehensive answer explanations for deeper understanding
Regular updates aligned with Microsoft exam changes
A focused approach to mastering key concepts without distractions
Start Your Journey to Becoming a Certified Endpoint Administrator
Whether you’re new to endpoint management or looking to validate your skills, the MD-102 certification opens doors to career growth in IT administration and device management roles. With ExamSage.com’s expert practice tests, you can approach your exam confidently, knowing you’ve thoroughly prepared.
Sample Questions and Answers
1. What is the primary function of Microsoft Endpoint Manager?
A) Manage Azure Active Directory user accounts
B) Manage devices and applications across an organization
C) Create virtual machines in Azure
D) Manage Office 365 licenses
Answer: B) Manage devices and applications across an organization
Explanation: Microsoft Endpoint Manager is a unified platform that combines Configuration Manager and Intune to manage devices (PCs, mobile, etc.) and applications across an enterprise.
2. Which protocol does Windows Autopilot primarily use to provision new devices?
A) DHCP
B) PXE Boot
C) HTTPS
D) SMB
Answer: C) HTTPS
Explanation: Windows Autopilot uses HTTPS to securely communicate with Microsoft services during device provisioning and configuration.
3. Which of the following is NOT a feature of Microsoft Intune?
A) Mobile device management
B) Application deployment
C) Antivirus management
D) Conditional access policies
Answer: C) Antivirus management
Explanation: While Intune can integrate with antivirus solutions, it does not manage antivirus directly; endpoint protection is handled separately via Windows Defender or third-party tools.
4. What is the default device enrollment type in Microsoft Intune for Windows 10/11 devices?
A) Apple DEP
B) Windows Autopilot
C) Windows Enrollment (Automatic Enrollment)
D) Bulk enrollment with CSV file
Answer: C) Windows Enrollment (Automatic Enrollment)
Explanation: For devices joined to Azure AD, automatic enrollment is the default method for Intune management.
5. In Endpoint Manager, what is the primary purpose of Compliance Policies?
A) To ensure devices have necessary applications installed
B) To enforce security settings and ensure devices meet organizational standards
C) To configure VPN profiles
D) To manage user licenses
Answer: B) To enforce security settings and ensure devices meet organizational standards
Explanation: Compliance policies define rules and settings that devices must meet to be considered compliant.
6. What is the function of a Configuration Profile in Microsoft Intune?
A) Assign licenses to users
B) Deploy applications
C) Configure device settings such as Wi-Fi, VPN, or restrictions
D) Monitor network traffic
Answer: C) Configure device settings such as Wi-Fi, VPN, or restrictions
Explanation: Configuration profiles are used to configure and enforce device-specific settings.
7. What kind of management is available for non-Windows devices in Microsoft Endpoint Manager?
A) Only mobile device management (MDM)
B) Only mobile application management (MAM) without device enrollment
C) Both MDM and MAM
D) None of the above
Answer: C) Both MDM and MAM
Explanation: Intune supports both full device management (MDM) and app-level management (MAM) for iOS, Android, and macOS devices.
8. Which Azure AD join option supports users signing in with their Azure AD credentials and automatic device enrollment to Intune?
A) Hybrid Azure AD join
B) Azure AD join
C) Workgroup join
D) Local domain join
Answer: B) Azure AD join
Explanation: Azure AD join allows users to sign in with Azure AD credentials and supports automatic device enrollment in Intune.
9. What is the benefit of co-management in Microsoft Endpoint Manager?
A) It allows simultaneous management of devices by Configuration Manager and Intune
B) It supports only cloud-based management
C) It is required for macOS management
D) It disables Configuration Manager when enabled
Answer: A) It allows simultaneous management of devices by Configuration Manager and Intune
Explanation: Co-management lets you manage Windows 10/11 devices with both Configuration Manager and Intune.
10. What is a Win32 app in Microsoft Intune?
A) A type of mobile application only
B) Traditional desktop applications packaged for deployment in Intune
C) An app available only in the Microsoft Store
D) An app that runs exclusively on Windows Server
Answer: B) Traditional desktop applications packaged for deployment in Intune
Explanation: Win32 apps are classic desktop applications that are wrapped and deployed via Intune.
11. Which Windows feature can be used to restrict users from installing apps outside of the Microsoft Store?
A) AppLocker
B) Device Guard
C) Windows Defender
D) Windows Information Protection
Answer: A) AppLocker
Explanation: AppLocker allows administrators to create policies restricting which apps and files users can run.
12. In Intune, what is the purpose of Conditional Access policies?
A) To assign device licenses
B) To control access to cloud apps based on device compliance and user location
C) To install software updates automatically
D) To monitor device health status
Answer: B) To control access to cloud apps based on device compliance and user location
Explanation: Conditional Access policies enforce controls like requiring compliant devices or MFA before access is granted.
13. What method can be used to remotely wipe a lost or stolen Windows device managed by Intune?
A) Use the Azure portal to trigger a selective wipe or full wipe
B) Only a full system reinstall works
C) Remote desktop into the device and delete files manually
D) Wait for the device to expire automatically
Answer: A) Use the Azure portal to trigger a selective wipe or full wipe
Explanation: Intune allows admins to remotely wipe devices or selectively wipe corporate data.
14. Which of the following is a primary benefit of Windows Autopilot?
A) Automatically creates Active Directory user accounts
B) Automates the initial device setup and configuration with minimal IT intervention
C) Provides antivirus protection for new devices
D) Automatically updates Microsoft Office apps
Answer: B) Automates the initial device setup and configuration with minimal IT intervention
Explanation: Windows Autopilot enables IT to ship devices directly to users pre-configured via cloud profiles.
15. How does Intune deliver software updates to managed Windows devices?
A) Via Windows Update for Business policies
B) By manually pushing updates through Configuration Manager only
C) Using Azure AD group policies
D) Through VPN connections only
Answer: A) Via Windows Update for Business policies
Explanation: Intune leverages Windows Update for Business to manage feature and quality updates.
16. What does Azure AD Hybrid Join mean for devices?
A) Devices are joined only to local AD with no cloud connection
B) Devices are joined to both on-premises AD and registered with Azure AD
C) Devices are only joined to Azure AD
D) Devices are managed only by Intune
Answer: B) Devices are joined to both on-premises AD and registered with Azure AD
Explanation: Hybrid Azure AD join allows devices to be recognized in both environments.
17. Which of the following is a requirement for enrolling iOS devices in Intune?
A) Devices must be jailbroken
B) Devices must have Apple Push Notification service (APNs) configured
C) Devices must be connected via USB to a Windows PC
D) Devices need to be enrolled manually with no cloud connection
Answer: B) Devices must have Apple Push Notification service (APNs) configured
Explanation: APNs is necessary for Intune to manage and communicate with iOS devices.
18. What does Endpoint Security in Microsoft Endpoint Manager help manage?
A) Device inventory
B) Security baselines, antivirus, firewall, disk encryption, and attack surface reduction
C) User license assignments
D) Office 365 subscriptions
Answer: B) Security baselines, antivirus, firewall, disk encryption, and attack surface reduction
Explanation: Endpoint Security focuses on enforcing and monitoring security policies on devices.
19. Which Intune feature allows deploying apps only to corporate-owned devices?
A) Device enrollment restrictions
B) Device compliance policies
C) App protection policies with enrollment restrictions
D) Conditional Access policies
Answer: C) App protection policies with enrollment restrictions
Explanation: App protection policies can target apps on devices with specific enrollment and ownership types.
20. How do you assign an app deployment to users or devices in Intune?
A) Use Azure AD security groups or device groups
B) Assign to all devices only
C) Assign apps via Windows Update policies
D) Assign apps manually on each device
Answer: A) Use Azure AD security groups or device groups
Explanation: Intune uses groups for targeted deployment of apps and policies.
21. Which tool is used to collect diagnostic logs from managed devices for troubleshooting in Intune?
A) Event Viewer
B) Microsoft Endpoint Manager admin center
C) Intune Diagnostic Logs (via Company Portal or remote actions)
D) Azure Monitor
Answer: C) Intune Diagnostic Logs (via Company Portal or remote actions)
Explanation: Admins can request logs remotely from devices to diagnose issues.
22. What is the maximum number of apps that can be assigned per device in Intune?
A) 100
B) 500
C) There is no hard limit documented by Microsoft
D) 50
Answer: C) There is no hard limit documented by Microsoft
Explanation: Microsoft does not specify a hard limit but recommends managing app assignments carefully.
23. How can you ensure a Windows device complies with password requirements using Intune?
A) By configuring device compliance policies with password rules
B) By installing third-party software
C) By manually instructing users to set passwords
D) Password rules cannot be enforced via Intune
Answer: A) By configuring device compliance policies with password rules
Explanation: Compliance policies can enforce password complexity, length, and expiration.
24. What is the purpose of a security baseline in Microsoft Endpoint Manager?
A) To configure user licenses automatically
B) To provide recommended security settings for devices to meet best practices
C) To restrict internet access
D) To install antivirus software
Answer: B) To provide recommended security settings for devices to meet best practices
Explanation: Security baselines are predefined groups of settings recommended by Microsoft.
25. Which Windows feature helps prevent untrusted applications from running, and can be configured via Intune?
A) BitLocker
B) Windows Defender Application Control (WDAC)
C) Windows Hello
D) Device Guard
Answer: B) Windows Defender Application Control (WDAC)
Explanation: WDAC restricts which code can run on a device to reduce malware risk.
26. What does the term ‘Selective Wipe’ mean in Intune?
A) Wiping only personal data on a device
B) Wiping only corporate data while leaving personal data intact
C) Wiping the entire device
D) Wiping the device after 30 days of inactivity
Answer: B) Wiping only corporate data while leaving personal data intact
Explanation: Selective wipe removes only corporate apps and data from personal or BYOD devices.
27. How does Intune handle app updates for Win32 apps?
A) Automatically updates without admin intervention
B) Requires manual update package deployment through Intune
C) Updates only through Microsoft Store
D) Intune does not support Win32 app updates
Answer: B) Requires manual update package deployment through Intune
Explanation: Win32 apps require admins to upload and deploy updated packages.
28. What is the primary benefit of using Dynamic Groups in Azure AD for Intune management?
A) Groups never change membership
B) Users or devices are automatically added based on criteria, simplifying management
C) Groups can only contain users, not devices
D) Groups require manual updates
Answer: B) Users or devices are automatically added based on criteria, simplifying management
Explanation: Dynamic groups help automate assignments and policy targeting.
29. Which setting controls whether users can enroll their personal devices in Intune?
A) Enrollment restrictions
B) Compliance policies
C) Device configuration profiles
D) Conditional Access policies
Answer: A) Enrollment restrictions
Explanation: Enrollment restrictions define who can enroll devices and what device types are allowed.
30. What role does Azure AD Conditional Access play in device compliance enforcement?
A) It blocks access if a device is non-compliant
B) It installs antivirus on devices
C) It monitors network bandwidth usage
D) It updates Windows Defender automatically
Answer: A) It blocks access if a device is non-compliant
Explanation: Conditional Access can enforce access controls based on device compliance status.
31. Which Microsoft Intune feature allows administrators to deploy settings only when devices meet specific network location criteria?
A) Compliance policies
B) Conditional Access named locations
C) Device configuration profiles
D) Windows Autopilot
Answer: B) Conditional Access named locations
Explanation: Named locations can be used in Conditional Access policies to apply controls based on IP ranges or network locations.
32. What is the function of Microsoft Defender for Endpoint integration with Intune?
A) To monitor device inventory
B) To provide endpoint detection and response capabilities within Intune
C) To deploy software updates only
D) To manage user passwords
Answer: B) To provide endpoint detection and response capabilities within Intune
Explanation: Defender for Endpoint integrates with Intune to provide advanced threat detection and response capabilities.
33. Which type of device enrollment is specifically designed for bulk provisioning of Windows devices?
A) Windows Autopilot User-driven mode
B) Windows Autopilot Self-deploying mode
C) Manual enrollment
D) Apple Automated Device Enrollment
Answer: B) Windows Autopilot Self-deploying mode
Explanation: Self-deploying mode is designed for scenarios like kiosks or shared devices and does not require user interaction.
34. What is the recommended way to apply Wi-Fi profiles to devices in Intune?
A) Create a device configuration profile with Wi-Fi settings and assign it to user or device groups
B) Deploy a Win32 app that configures Wi-Fi
C) Use PowerShell scripts only
D) Ask users to configure manually
Answer: A) Create a device configuration profile with Wi-Fi settings and assign it to user or device groups
Explanation: Intune device profiles enable centralized deployment of Wi-Fi configurations.
35. What is the primary purpose of Endpoint Analytics in Microsoft Endpoint Manager?
A) To deploy software updates
B) To provide insights and data on device health, startup performance, and user experience
C) To manage user licenses
D) To track app usage
Answer: B) To provide insights and data on device health, startup performance, and user experience
Explanation: Endpoint Analytics helps improve user productivity by identifying performance and reliability issues.
36. When configuring BitLocker via Intune, which of the following settings must be enabled to allow recovery keys to be stored in Azure AD?
A) Enable BitLocker without TPM
B) Require TPM and secure boot
C) Enable BitLocker recovery key backup to Azure AD
D) Disable encryption notifications
Answer: C) Enable BitLocker recovery key backup to Azure AD
Explanation: This setting ensures recovery keys are backed up securely to Azure AD for recovery purposes.
37. Which Windows feature can be managed via Intune to help reduce the attack surface of a device?
A) Windows Defender Antivirus only
B) Attack Surface Reduction (ASR) rules
C) Windows Update for Business only
D) Remote Desktop
Answer: B) Attack Surface Reduction (ASR) rules
Explanation: ASR rules help block potentially harmful behaviors and are configurable via Intune Endpoint Security policies.
38. In Intune, what type of profile would you create to configure VPN settings on a device?
A) Device compliance policy
B) Device configuration profile (VPN profile)
C) Application protection policy
D) Conditional Access policy
Answer: B) Device configuration profile (VPN profile)
Explanation: VPN settings are deployed using device configuration profiles designed for VPN connectivity.
39. How do you limit the installation of apps from untrusted sources on Android devices managed by Intune?
A) Configure compliance policies
B) Deploy app protection policies
C) Use Android Enterprise device restrictions profile to block unknown sources
D) Use Conditional Access policies
Answer: C) Use Android Enterprise device restrictions profile to block unknown sources
Explanation: Device restriction profiles allow admins to block installation from unknown sources.
40. What is the primary difference between “device-based” and “user-based” licensing in Microsoft Endpoint Manager?
A) Device-based licenses allow multiple users per device; user-based licenses apply to a single user on multiple devices
B) Device-based licenses are cheaper
C) User-based licenses are assigned only to devices
D) There is no difference
Answer: A) Device-based licenses allow multiple users per device; user-based licenses apply to a single user on multiple devices
Explanation: Device licenses cover devices regardless of users; user licenses cover individual users regardless of device.
41. Which Intune report provides information about device compliance status?
A) Device Health report
B) Compliance report
C) App inventory report
D) Endpoint Analytics report
Answer: B) Compliance report
Explanation: The compliance report shows the compliance status of all enrolled devices against defined policies.
42. How can admins manage Windows Update rings for devices via Intune?
A) By configuring Windows Update for Business policies
B) Through Azure AD Conditional Access
C) By deploying Win32 apps
D) Via Microsoft Defender policies
Answer: A) By configuring Windows Update for Business policies
Explanation: Update rings control when and how devices receive Windows updates.
43. What is the default scope for device management in Microsoft Endpoint Manager?
A) Single device only
B) Device groups or user groups in Azure AD
C) Entire organization by default
D) Only devices in a workgroup
Answer: B) Device groups or user groups in Azure AD
Explanation: Management assignments are typically targeted to groups for scalability.
44. What must be configured before enrolling Apple devices into Intune?
A) Apple Business Manager or Apple School Manager integration with Intune
B) VPN profile
C) Windows Autopilot profile
D) Azure AD Hybrid join
Answer: A) Apple Business Manager or Apple School Manager integration with Intune
Explanation: Apple device enrollment requires integration with Apple’s deployment programs.
45. Which Microsoft tool helps admins create custom configuration profiles with advanced settings for Windows devices?
A) Group Policy Management Console
B) Windows Configuration Designer (WCD)
C) Microsoft Endpoint Manager admin center
D) PowerShell scripts
Answer: B) Windows Configuration Designer (WCD)
Explanation: WCD helps create provisioning packages and custom profiles for Windows devices.
46. Which Intune feature supports the deployment of Microsoft Office apps to managed devices?
A) Configuration profiles
B) App deployment (Office 365 Suite app deployment)
C) Compliance policies
D) Conditional Access
Answer: B) App deployment (Office 365 Suite app deployment)
Explanation: Intune can deploy Office apps as part of application management.
47. Which of the following is NOT an enrollment restriction type in Microsoft Intune?
A) Device limit restrictions
B) Platform restrictions (iOS, Android, Windows)
C) Device compliance restrictions
D) User group restrictions
Answer: C) Device compliance restrictions
Explanation: Enrollment restrictions control which devices can enroll, not their compliance status.
48. What is the purpose of the Microsoft Endpoint Manager admin center?
A) To manage Azure subscriptions
B) To provide a centralized console to manage devices, users, apps, and policies
C) To create Windows virtual machines
D) To monitor Office 365 licenses
Answer: B) To provide a centralized console to manage devices, users, apps, and policies
Explanation: The admin center is the primary interface for Endpoint Manager management tasks.
49. What happens if a device is marked as non-compliant in Intune?
A) Device access to resources can be blocked via Conditional Access
B) Device is automatically wiped
C) Device receives an automatic update
D) Device is unenrolled automatically
Answer: A) Device access to resources can be blocked via Conditional Access
Explanation: Conditional Access can restrict access based on compliance status.
50. How does Intune manage updates for Microsoft Defender Antivirus on Windows devices?
A) Through configuration policies that specify update settings and schedules
B) Intune does not manage antivirus updates
C) Through manual installation only
D) Through Office 365 update policies
Answer: A) Through configuration policies that specify update settings and schedules
Explanation: Intune can manage Defender update schedules and behavior via Endpoint Security policies.
51. Which enrollment type is ideal for organizations that want to manage personally owned devices while protecting corporate data?
A) Device enrollment
B) App protection policies (MAM without enrollment)
C) Hybrid Azure AD join
D) Windows Autopilot
Answer: B) App protection policies (MAM without enrollment)
Explanation: MAM policies protect corporate data on personal devices without full device management.
52. How do administrators revoke access to corporate resources for a lost or stolen device?
A) Wipe the device remotely
B) Disable the user’s Azure AD account
C) Remove device from Azure AD and revoke refresh tokens
D) Reset the device password
Answer: C) Remove device from Azure AD and revoke refresh tokens
Explanation: This action revokes tokens and device registration to block access.
53. What is the role of “Device Compliance Policies” in managing devices?
A) Configure device Wi-Fi settings
B) Define rules that devices must meet to be compliant and granted access to corporate resources
C) Deploy applications
D) Manage user groups
Answer: B) Define rules that devices must meet to be compliant and granted access to corporate resources
Explanation: Compliance policies enforce security standards on devices.
54. What tool allows you to collect logs and troubleshoot Windows Autopilot deployment issues?
A) Event Viewer
B) Microsoft Endpoint Manager admin center diagnostics
C) Windows Autopilot Diagnostics page (available online)
D) PowerShell
Answer: C) Windows Autopilot Diagnostics page (available online)
Explanation: Microsoft provides a diagnostics tool to troubleshoot Autopilot-related issues.
55. Which platform does NOT support device enrollment in Microsoft Intune?
A) Windows 10/11
B) Android
C) iOS/iPadOS
D) Linux
Answer: D) Linux
Explanation: Intune does not support native Linux device management enrollment.
56. What is the purpose of the Company Portal app on Intune-managed devices?
A) To provide users with access to corporate apps and resources and allow self-service actions like device enrollment and wipe
B) To install antivirus software
C) To configure VPN settings only
D) To monitor network traffic
Answer: A) To provide users with access to corporate apps and resources and allow self-service actions like device enrollment and wipe
Explanation: The Company Portal app is the user-facing portal for managing device access and apps.
57. How can administrators restrict the use of USB storage devices on Windows machines managed by Intune?
A) Via device compliance policies
B) Using device configuration profiles with Endpoint Protection settings
C) Deploying VPN profiles
D) Assigning app protection policies
Answer: B) Using device configuration profiles with Endpoint Protection settings
Explanation: Endpoint Protection policies can block USB storage usage.
58. Which authentication method does Windows Hello for Business use?
A) Password only
B) Multi-factor authentication only
C) Certificate-based or key-based authentication replacing passwords
D) Biometric only
Answer: C) Certificate-based or key-based authentication replacing passwords
Explanation: Windows Hello for Business uses strong key-based or certificate authentication to replace passwords.
59. What feature of Intune allows for automated app deployment when a user signs into a device?
A) Azure AD dynamic groups
B) Required app assignments in Intune
C) Device compliance policies
D) Conditional Access policies
Answer: B) Required app assignments in Intune
Explanation: Apps assigned as Required are automatically installed when a user logs in.
60. How can administrators ensure that a Windows 11 device is automatically enrolled in Intune when joining Azure AD?
A) Configure automatic enrollment in Azure AD MDM settings
B) Manually enroll devices one by one
C) Use Group Policy only
D) Use Microsoft Defender policies
Answer: A) Configure automatic enrollment in Azure AD MDM settings
Explanation: Auto-enrollment can be enabled in Azure AD for automatic Intune management on join.