Thinking about earning your Microsoft Endpoint Administrator (MD-102) certification in 2025? You’re in the right place. This updated list of Top 50 free exam questions is built to help you test your readiness and understand what the real exam feels like. Whether you are already managing devices through Microsoft Intune or just starting with modern endpoint management, these questions cover the full range—from deployment and configuration to security and compliance. Use them to spot weak areas, sharpen your preparation, and walk into the exam with confidence.
What is the MD-102 Exam?
The Microsoft Endpoint Administrator (MD-102) exam is a role-based certification exam that assesses your skills in deploying, configuring, securing, managing, and monitoring devices and client-based applications in a Microsoft 365 environment. This exam is designed for IT professionals responsible for managing Microsoft endpoints, including Windows client devices, macOS devices, iOS devices, and Android devices.
The MD-102 exam is both challenging and rewarding. Becoming a Microsoft Endpoint Administrator is a great way to advance your career and demonstrate your expertise in managing Microsoft endpoints. As more and more businesses move to the cloud, the need for skilled Microsoft Endpoint Administrators is growing. Microsoft endpoints are the devices that employees use to access Microsoft 365 services, such as Office 365, Azure Active Directory, and Microsoft Teams. By managing Microsoft endpoints effectively, IT professionals can help to ensure that employees have a secure and productive experience.
Let’s look at the carefully crafted Microsoft Endpoint Administrator (MD-102) Free Questions to help you ace the exam in one go.
Top 50 Microsoft Endpoint Administrator (MD-102) Free Questions
1. You work as a systems administrator at TPT Ltd., a large company. Managing the endpoint devices in your company is your responsibility. You must meet the following criteria:
- It is necessary to ensure that every device complies with the security policy of the firm.
- Devices that are not compliant must be easy for you to recognize.
- Software must be able to be installed on devices without requiring physical contact with them.
You have chosen to use Microsoft Intune to meet these requirements.
Which of the following steps in implementing Microsoft Intune for your company is the most crucial?
A. Create a Microsoft Intune tenant.
B. Create a Microsoft Intune policy.
C. Create a Microsoft Intune group.
D. Assign a Microsoft Intune policy to a group.
Answer: A. Create a Microsoft Intune tenant.
Explanation: Creating a Microsoft Intune tenant is the most crucial step. The tenant is the logical container for every Intune resource; only after it exists can you create groups and policies and assign policies to groups, so it must be created before any other Intune resource.
2. You work as an endpoint administrator for TPT Ltd., a business that uses Microsoft 365. Company policy requires all staff to encrypt their hard drives with BitLocker. An employee reports that they cannot access their encrypted drive. Which of the following steps should you take to help the employee regain access to the drive?
A. Reset the employee’s password.
B. Provide the employee with their BitLocker recovery key.
C. Disable BitLocker on the employee’s device.
D. Reinstall Windows on the employee’s device.
Answer: B. Provide the employee with their BitLocker recovery key.
Explanation: When an employee cannot access a BitLocker-encrypted drive, the BitLocker recovery key unlocks the drive so the employee can retrieve their data.
3. You work as an endpoint administrator for TPT Ltd., a business that uses Microsoft 365. The company has a number of user groups with different access requirements for its resources. Your job requires you to maintain user profiles in Microsoft Intune so that they are configured and applied to user accounts correctly. Which of the following actions should you take to complete this task?
A. Monitor user profile assignment in Microsoft Intune
B. Troubleshoot user profile issues in Microsoft Intune
C. Update user profiles in Microsoft Intune as needed
D. All of these
Answer: D. All of these
Explanation: Managing user profiles in Microsoft Intune properly requires monitoring profile assignment, troubleshooting profile issues, and updating profiles as needed. Monitoring assignment confirms that profiles are applied to user accounts based on group membership or other criteria; troubleshooting finds and fixes problems with profile assignment or settings; and updating keeps profiles aligned with changes in company requirements or regulations.
4. You work as a systems administrator for TPT Ltd. Managing the endpoint devices in your company is your responsibility. You must meet the following criteria:
- It is imperative to verify that every device complies with the security policy of the firm.
- Devices that are not compliant must be easy for you to recognize.
- Software must be able to be installed on devices without requiring physical contact with them.
You have chosen to utilize Windows 11 Pro in order to fulfill the prerequisites.
Which of the following is NOT a benefit of deploying devices with Windows 11 Pro?
A. It includes a variety of security features that can help to protect devices from malware and other threats.
B. It can be used to deploy devices to users based on their role in the organization.
C. It is a supported version of Windows, which means that it will receive security updates and support from Microsoft for a period of time.
D. It is a cloud-based solution, which means that it can be used to manage devices from anywhere.
Answer: D. It is a cloud-based solution, which means that it can be used to manage devices from anywhere.
Explanation: Windows 11 Pro includes numerous security features that help protect devices against malware and other threats, can be used to deploy devices to users based on their role in the organization, and is a supported version of Windows that receives security updates and support from Microsoft for a set period. It is not, however, a cloud-based solution.
5. You work as an endpoint administrator for TPT Ltd., a business that uses Microsoft 365. The company has a number of user groups with different access requirements for its resources. Your job requires you to make sure that device profiles in Microsoft Intune are configured and applied correctly. Which of the following actions should you take to complete this task?
A. Monitor device profile assignment in Microsoft Intune
B. Troubleshoot device profile issues in Microsoft Intune
C. Update device profiles in Microsoft Intune as needed
D. All of these
Answer: D. All of these
Explanation: Managing device profiles in Microsoft Intune properly requires monitoring device profile assignment, troubleshooting device profile issues, and updating device profiles as needed, so that profiles reach the intended devices and stay aligned with company requirements.
6. You work as an endpoint administrator for TPT Ltd., a business that uses Microsoft 365. The company is implementing Azure Active Directory (Azure AD) to manage user identities and resource access. You are responsible for ensuring that user accounts in Azure AD are set up correctly. Which of the following actions should you take to complete this task?
A. Create user accounts in Azure AD
B. Assign licenses to user accounts
C. Configure user account settings
D. All of these
Answer: D. All of these
Explanation: Setting up user accounts correctly in Azure AD involves creating the accounts, assigning licenses to them, and configuring their settings. Creating user accounts lets you manage user identities and resource access in Azure AD; assigning licenses gives users access to Microsoft 365 services and features; and configuring account settings lets you manage features such as multi-factor authentication and password policies.
7. You work as an endpoint administrator for TPT Ltd., a business that uses Microsoft 365. The company has a number of user groups with different access requirements for its resources. To control resource access based on device compliance, you must set up device-based authentication in Azure Active Directory (Azure AD). Which Azure AD feature should you use for this task?
A. Azure AD Connect
B. Azure AD Application Proxy
C. Azure AD Identity Protection
D. Azure AD Conditional Access
Answer: D. Azure AD Conditional Access
Explanation: Azure AD Conditional Access lets you control resource access based on device compliance, group membership, location, and other criteria. Conditional Access policies specify the conditions under which devices are allowed or blocked from accessing resources.
8. You work as an endpoint administrator for TPT Ltd., a business that uses Microsoft 365. Employees use a company app on their endpoint devices to access confidential company information. You must make sure that this app is configured correctly and secured on staff devices. Which Microsoft Intune feature should you use for this task?
A. Application protection policies
B. Application update settings
C. Application assignment settings
D. Application configuration settings
Answer: A. Application protection policies
Explanation: Microsoft Intune’s application protection policies ensure that an application is configured and secured appropriately on staff devices. They give you control over how data is accessed and shared within the application, which helps prevent data leaks or unauthorized access.
9. You work for TPT Ltd. as a systems administrator. It is your duty to install a fresh copy of Windows 10 on every machine in the company. You’ve made the decision to install the new operating system using the Microsoft Deployment Toolkit (MDT). To install the new operating system on the computers in the company, you must produce a bootable image. For this task, which of the following tools would be most helpful?
A. The Windows Assessment and Deployment Kit (ADK)
B. The Microsoft Deployment Toolkit (MDT)
C. The System Center Configuration Manager (SCCM)
D. The Microsoft Endpoint Configuration Manager (MEMCM)
Answer: B. The Microsoft Deployment Toolkit (MDT)
Explanation: The Microsoft Deployment Toolkit (MDT) is a set of tools for building and distributing custom operating system images. It includes tools for capturing and deploying images as well as tools for managing and customizing deployed images.
10. You work for TPT Ltd. as a systems administrator. It is your duty to install a fresh copy of Windows 10 on every machine in the company. To find out if the current environment is prepared for the deployment, you must evaluate it. For this task, which of the following tools would be most helpful?
A. The Windows Assessment and Deployment Kit (ADK)
B. The Microsoft Deployment Toolkit (MDT)
C. The System Center Configuration Manager (SCCM)
D. The Microsoft Endpoint Configuration Manager (MEMCM)
Answer: A. The Windows Assessment and Deployment Kit (ADK)
Explanation: The Windows Assessment and Deployment Kit (ADK) is a set of tools for assessing and deploying Windows operating systems. It includes hardware detection, software inventory, and performance benchmarking tools.
Module 1 – How to prepare infrastructure for devices (25–30%)
1. A company wants to ensure all newly provisioned Windows 11 laptops automatically join Microsoft Entra ID and enroll into Intune during the out-of-box experience (OOBE). What should you configure?
A. Windows Autopilot profile with user-driven mode
B. Group Policy for automatic MDM enrollment
C. Intune device configuration profile
D. Microsoft Entra hybrid join
Answer: A. Windows Autopilot profile with user-driven mode
Explanation: Windows Autopilot’s user-driven mode allows new devices to join Microsoft Entra ID and enroll automatically into Intune during setup. Group Policy is used for hybrid-joined devices, not for brand-new devices that go through OOBE directly to Entra ID join.
2. You manage both on-premises and remote users. Some devices are domain-joined, while others are workgroup computers. You need a unified compliance and Conditional Access model for all. What’s the best approach?
A. Register workgroup devices with Microsoft Entra ID
B. Join all devices to Microsoft Entra ID only
C. Configure hybrid Microsoft Entra join
D. Use Group Policy enrollment for all devices
Answer: C. Configure hybrid Microsoft Entra join
Explanation: Hybrid Microsoft Entra join allows on-prem AD-joined devices to be registered with Microsoft Entra ID, giving them access to Conditional Access, compliance policies, and Intune enrollment while maintaining on-prem AD connectivity.
3. Your organization wants to bulk-enroll 500 corporate-owned Android tablets into Intune. Users shouldn’t sign in during setup. Which enrollment method should you use?
A. Android Enterprise Work Profile
B. Android Device Administrator enrollment
C. Android Dedicated Device enrollment
D. Android Fully Managed enrollment
Answer: C. Android Dedicated Device enrollment
Explanation: Android Dedicated (kiosk) mode supports large-scale, user-less enrollment for corporate-owned devices. Fully managed enrollment requires user sign-in, and work profile is meant for BYOD (Bring Your Own Device).
4. You’ve configured Intune compliance policies requiring devices to have encryption enabled. A user’s device is compliant, but Conditional Access blocks access to resources. What’s the most likely cause?
A. Device hasn’t synced compliance status to Microsoft Entra ID
B. Conditional Access policy uses wrong device group
C. Encryption policy not assigned correctly
D. User not part of device owner group
Answer: A. Device hasn’t synced compliance status to Microsoft Entra ID
Explanation: Compliance status synchronization between Intune and Microsoft Entra ID can lag. Conditional Access depends on Entra ID receiving the updated compliance state. Until sync occurs, devices may appear non-compliant.
5. You need to configure automatic MDM enrollment for Windows devices that are Azure AD joined. Where should you configure this?
A. Microsoft Intune Admin Center → Devices → Enrollment restrictions
B. Microsoft Entra ID → Mobility (MDM and MAM)
C. Windows Autopilot deployment profile
D. Group Policy Management Console
Answer: B. Microsoft Entra ID → Mobility (MDM and MAM)
Explanation: Automatic MDM enrollment for Entra-joined or hybrid-joined Windows devices is set under Microsoft Entra ID → Mobility (MDM and MAM), linking Intune as the MDM authority and enabling automatic enrollment.
6. You’re implementing Microsoft Entra join for Windows devices. Users report that the option “Join this device to Microsoft Entra ID” doesn’t appear during setup. What’s the most probable cause?
A. Microsoft Intune is not configured
B. User accounts lack permissions to join devices
C. Conditional Access policies are blocking device join
D. Device is already domain-joined
Answer: D. Device is already domain-joined
Explanation: Windows doesn’t allow a device that’s already domain-joined to also directly join Entra ID. It must either be converted to a hybrid join or unjoined from the domain before being joined to Entra ID.
7. You need to implement role-based administration in Intune where certain admins can only manage device compliance policies. Which built-in role is appropriate?
A. Help Desk Operator
B. Policy and Profile Manager
C. Endpoint Security Manager
D. Read-Only Operator
Answer: B. Policy and Profile Manager
Explanation: The Policy and Profile Manager role grants rights to create, edit, and assign compliance and configuration profiles, without giving access to the entire Intune management scope.
8. You are deploying Windows Hello for Business (WHfB). The organization requires it to work with both hybrid and Entra-only joined devices. Which deployment method should you select?
A. Certificate trust
B. Key trust
C. On-premises trust
D. Passwordless trust
Answer: B. Key trust
Explanation: Key trust supports hybrid and Entra-only joined devices, providing flexibility for mixed environments. Certificate trust requires on-prem infrastructure (AD FS, CA), and passwordless trust is not a deployment model for WHfB.
9. Your security team wants to ensure that each local administrator password on Windows devices is unique and managed securely in the cloud. Which feature should you enable?
A. Windows Hello for Business
B. Local Group Policy for password rotation
C. Local Administrator Password Solution (LAPS) for Microsoft Entra ID
D. BitLocker recovery keys in Entra ID
Answer: C. Local Administrator Password Solution (LAPS) for Microsoft Entra ID
Explanation: Microsoft Entra ID-integrated LAPS manages and rotates local admin passwords securely in the cloud. It ensures unique, time-limited credentials for each device and integrates with Azure logging for auditing.
10. You are configuring device group membership in Microsoft Entra ID to deploy compliance policies automatically. Which membership rule will dynamically include devices based on ownership type (corporate or personal)?
A. device.deviceOSType -eq "Windows"
B. device.deviceOwnership -eq "Corporate"
C. device.trustType -eq "AzureADJoined"
D. device.managementType -eq "MDM"
Answer: B. device.deviceOwnership -eq "Corporate"
Explanation: Dynamic device groups in Entra ID can use attributes like deviceOwnership to automatically include corporate-owned devices, enabling targeted deployment of compliance or configuration policies.
11. Your organization uses hybrid Microsoft Entra join. Users report their devices are not appearing in the Microsoft Entra portal even after a week. The devices are domain-joined and Group Policy for automatic enrollment is configured. What should you check first?
A. Whether the user has an Intune license
B. Whether the device is synchronized to Entra ID via Azure AD Connect
C. Whether the device has Windows Hello for Business enabled
D. Whether the MDM discovery URL is reachable
Answer: B. Whether the device is synchronized to Entra ID via Azure AD Connect
Explanation: Hybrid Entra join depends on successful synchronization of device objects from on-prem AD to Entra ID. If the device object isn’t synced, Intune enrollment and Entra join registration won’t occur.
12. You want to enroll Android devices that are company-owned but used by multiple users for kiosk-like purposes. They must launch a single app on startup. Which enrollment profile do you use?
A. Android Work Profile
B. Android Fully Managed
C. Android Dedicated
D. Android Corporate-Owned Work Profile
Answer: C. Android Dedicated
Explanation: Android Dedicated enrollment is ideal for shared-use or kiosk devices, locking the interface to a single or limited set of apps, without user personalization.
13. You configure automatic MDM enrollment for hybrid-joined devices via Group Policy, but users report enrollment errors. Logs show: 0x80180026 – Device not found in directory. What’s the issue?
A. The device is missing an Entra ID device object
B. The MDM authority is not set
C. The user doesn’t have permissions to join devices
D. The Windows version doesn’t support MDM auto-enrollment
Answer: A. The device is missing an Entra ID device object
Explanation: Hybrid-joined auto-enrollment requires a matching device object in Microsoft Entra ID. If Azure AD Connect hasn’t synced that object, enrollment fails with error 0x80180026.
14. You’re implementing Microsoft Entra LAPS but notice local administrator passwords are not rotating as expected. What should you verify?
A. LAPS GPO settings are configured
B. The devices are joined to on-prem AD
C. LAPS policy in Intune is assigned to targeted devices
D. BitLocker is enabled on the devices
Answer: C. LAPS policy in Intune is assigned to targeted devices
Explanation: For Entra-integrated LAPS, rotation occurs only if the Intune LAPS policy is deployed to devices. It must specify rotation interval and which local admin account to manage.
15. You want to ensure that all Windows devices are automatically joined to Entra ID and enrolled into Intune without user input during setup. The devices are pre-registered by the vendor. What’s required?
A. Windows Autopilot with pre-provisioning (white glove)
B. Hybrid Entra join with automatic enrollment GPO
C. Intune bulk enrollment token
D. Microsoft Entra ID Join via Settings → Accounts
Answer: A. Windows Autopilot with pre-provisioning (white glove)
Explanation: Autopilot with pre-provisioning allows IT or OEM vendors to pre-register devices to the tenant. Devices automatically join Entra ID and enroll into Intune with minimal user action during OOBE.
Module 2 – How to manage applications (15–20%)
1. Your organization wants to deploy a Win32 app through Intune. The app requires custom install and uninstall commands. What must you do before deploying it?
A. Upload the .exe directly to Intune
B. Wrap the app using the Intune Win32 Content Prep Tool (IntuneWinAppUtil.exe)
C. Convert it to an MSI and deploy through Company Portal
D. Add it to Microsoft Store for Business
Answer: B. Wrap the app using the Intune Win32 Content Prep Tool
Explanation: Win32 apps need to be packaged into the .intunewin format using the IntuneWinAppUtil.exe tool before deployment. This allows custom install/uninstall commands and dependency handling within Intune.
2. You deployed Microsoft 365 Apps via Intune, but users report the apps didn’t install during Autopilot provisioning. What’s the most likely reason?
A. The Office package was assigned to users instead of devices
B. The deployment used the wrong update channel
C. The Office CDN was blocked by the network
D. Microsoft 365 Apps were not added to the Intune app list
Answer: A. The Office package was assigned to users instead of devices
Explanation: During Autopilot provisioning, the user context isn’t available until the user signs in, so only device-targeted app assignments install automatically during provisioning. User-targeted assignments run after sign-in.
3. You’re preparing Microsoft 365 Apps for deployment with the Office Customization Tool (OCT). The company wants to exclude Access and Publisher. Where do you configure this?
A. Configuration.xml in the ODT setup
B. Intune app configuration policy
C. Microsoft 365 Apps admin center
D. Endpoint Security → Device Restriction policy
Answer: A. Configuration.xml in the ODT setup
Explanation: When using ODT or OCT, you can customize which Office apps to include or exclude via the Configuration.xml file. This file defines product IDs, excluded apps, channels, and language packs before deployment.
4. You plan to manage Office app settings, like default file save locations and UI updates, across all managed devices. What’s the best approach?
A. Office Deployment Tool configuration file
B. Intune device configuration policy
C. Administrative templates for Microsoft 365 Apps
D. Office Customization Tool
Answer: C. Administrative templates for Microsoft 365 Apps
Explanation: Administrative templates (ADMX-backed) in Intune allow central management of Office app settings like OneDrive save locations, UI options, and update channels across enrolled devices.
5. You need to enforce an app protection policy that prevents users from copying data from Outlook to any non-managed app on their personal device. Which Intune feature enables this?
A. Conditional Access policy
B. Mobile Application Management (MAM) policy
C. Device compliance policy
D. App configuration profile
Answer: B. Mobile Application Management (MAM) policy
Explanation: MAM (App Protection) policies control how corporate data is accessed and shared within managed apps. They can be applied to both managed and unmanaged devices, ensuring data remains within the company’s app ecosystem.
6. Your organization deploys both iOS and Android devices. You want users to access corporate data through managed apps only, and devices shouldn’t need full Intune enrollment. What’s the right combination?
A. App configuration policy + Conditional Access
B. App protection policy + Conditional Access
C. Device compliance policy + MDM enrollment
D. Configuration profiles + Autopilot provisioning
Answer: B. App protection policy + Conditional Access
Explanation: Combining App Protection Policies (APP) with Conditional Access ensures users can only access corporate data via protected apps (e.g., Outlook, Teams) — even without device enrollment (BYOD scenario).
7. You’re deploying a line-of-business (LOB) app to iOS devices using Intune, but installation fails. The Intune logs show an invalid provisioning profile. What should you check first?
A. App package file size
B. The bundle identifier in the .ipa file
C. Apple Developer Enterprise certificate validity
D. Intune MDM authority
Answer: C. Apple Developer Enterprise certificate validity
Explanation: LOB apps for iOS rely on a valid Apple Developer Enterprise certificate and provisioning profile. If expired, Intune cannot push or install the app. Verifying the certificate’s validity is the first troubleshooting step.
8. Your company updates a Win32 line-of-business app every quarter. You want to automate version replacement without user intervention. What should you configure in Intune?
A. Required assignment and version supersedence
B. Available assignment with user reinstall
C. Configuration profile with detection rules
D. Windows Update for Business
Answer: A. Required assignment and version supersedence
Explanation: Supersedence in Intune allows automatic replacement of older app versions with newer ones. When assigned as Required, Intune silently installs the update without user input.
9. You deployed Microsoft 365 Apps from Intune and want to switch update channels from Monthly Enterprise to Current Channel for faster feature delivery. How should you apply this change?
A. Redeploy Microsoft 365 Apps using a new deployment profile
B. Modify the update channel in the Intune app properties
C. Change the update setting through Office Cloud Policy Service
D. Use Office Update Control via Group Policy
Answer: C. Change the update setting through Office Cloud Policy Service
Explanation: The Office Cloud Policy Service (part of Microsoft 365 Apps admin center) allows changing update channels post-deployment. It’s a cloud-based approach, ideal for managing already-installed apps without redeployment.
10. You created an app configuration policy for Outlook that applies only to managed devices. Users on unmanaged Android devices report that the policy isn’t applying. What’s the reason?
A. Device compliance policy is missing
B. The app configuration policy is targeted to “managed devices” instead of “managed apps”
C. App protection policy conflicts with configuration policy
D. Android Enterprise enrollment mode is incorrect
Answer: B. The app configuration policy is targeted to “managed devices” instead of “managed apps”
Explanation: Intune distinguishes between managed device and managed app configurations. For BYOD scenarios (no device enrollment), configuration must target managed apps, not managed devices.
11. You deployed a Win32 app using Intune, but the installation never triggers on user devices. The Intune portal shows “Not applicable.” What’s the likely cause?
A. Detection rule incorrectly configured
B. App was assigned to a user group instead of a device group
C. The app dependencies are missing
D. The app architecture doesn’t match the OS
Answer: D. The app architecture doesn’t match the OS
Explanation: “Not applicable” usually means Intune evaluated the deployment but found the app incompatible — such as assigning a 32-bit app to a 64-bit-only Windows 11 ARM device.
12. Your organization wants to deploy Microsoft 365 Apps to users in regions with bandwidth limitations. You need to minimize download size during setup. What’s the best method?
A. Use Office Deployment Tool and point it to a local content delivery share
B. Deploy Microsoft 365 Apps directly from the Intune app catalog
C. Configure Delivery Optimization for peer-to-peer
D. Deploy the apps from the Microsoft Store
Answer: A. Use Office Deployment Tool and point it to a local content delivery share
Explanation: When bandwidth is constrained, hosting Office installation files on a local network share via the ODT reduces WAN traffic. Intune can reference that path during setup.
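As an added example that is not part of the original page, the following Office Deployment Tool Configuration.xml combines the settings from questions 3 and 12 above: it excludes Access and Publisher and points setup at a local content share. The share path, channel, and language are assumptions.

```xml
<!-- Constructed example of an ODT Configuration.xml; not taken from the page or from Microsoft. -->
<Configuration>
  <!-- SourcePath is an assumed local share that already holds the Office source files,
       so clients pull the installer over the LAN instead of the Office CDN (question 12). -->
  <Add OfficeClientEdition="64"
       Channel="MonthlyEnterprise"
       SourcePath="\\fileserver01\OfficeSource">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <!-- Exclude the apps the company does not want installed (question 3). -->
      <ExcludeApp ID="Access" />
      <ExcludeApp ID="Publisher" />
    </Product>
  </Add>
  <!-- Keep updates enabled and serve them from the same local share. -->
  <Updates Enabled="TRUE" UpdatePath="\\fileserver01\OfficeSource" />
  <!-- Silent install with no EULA prompt, suitable for an Intune-driven deployment. -->
  <Display Level="None" AcceptEULA="TRUE" />
  <!-- Remove any older MSI-based Office before installing. -->
  <RemoveMSI />
</Configuration>
```

The share is populated once with setup.exe /download Configuration.xml, after which clients run setup.exe /configure Configuration.xml against the same file.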
13. You configure an App Protection Policy (APP) for Outlook to block data transfer to unmanaged apps. Users complain they can’t open links from emails in Edge Mobile. What’s the cause?
A. Conditional Access blocking Edge
B. Outlook not marked as a managed app
C. Edge not targeted by the same App Protection Policy
D. App configuration policy conflict
Answer: C. Edge not targeted by the same App Protection Policy
Explanation: For APP data sharing to work between managed apps (like Outlook and Edge), both apps must have the same App Protection Policy applied. Otherwise, Outlook blocks the handoff.
14. A company uses Intune to manage Microsoft 365 Apps. They want to apply certain Word and Excel settings only when users are signed in with corporate accounts, not personal ones. How can this be done?
A. Use App configuration policy for managed apps
B. Use Group Policy targeting logged-on users
C. Use device compliance policy
D. Modify XML in Office Deployment Tool
Answer: A. Use App configuration policy for managed apps
Explanation: App configuration policies allow per-account configuration. Targeting managed apps ensures policies apply only to corporate identities, leaving personal accounts unaffected.
15. You deployed an app through Intune as “Available” in the Company Portal, but users say they don’t see it listed. What’s the likely cause?
A. App is targeted to a device group instead of a user group
B. The app is marked as hidden
C. The app failed compliance checks
D. The MDM authority is not configured
Answer: A. App is targeted to a device group instead of a user group
Explanation: Apps marked as “Available” in the Company Portal only appear if they’re assigned to user groups, not device groups. Device group targeting is used for required installs.
Module 3 – How to protect devices (15–20%)
1. You’ve configured a Microsoft Defender Antivirus policy in Intune. Some Windows 11 devices still show that Defender is turned off and another AV solution is active. What’s the most likely reason?
A. The Intune policy hasn’t synced yet
B. Defender is disabled due to another registered antivirus
C. The Microsoft Defender ATP onboarding is incomplete
D. Cloud-delivered protection is disabled
Answer: B. Defender is disabled due to another registered antivirus
Explanation: Windows Security Center automatically disables Defender if it detects another AV provider. Intune antivirus policies can’t override third-party antivirus registration unless the other AV is uninstalled or deregistered.
2. You’re creating a disk encryption policy in Intune. The organization uses Windows 11 Pro and Enterprise devices. You notice some devices fail to encrypt automatically. What’s the cause?
A. TPM is not available or not initialized on the devices
B. The policy was assigned to users instead of devices
C. BitLocker policy requires Secure Boot
D. The devices are not hybrid joined
Answer: A. TPM is not available or not initialized on the devices
Explanation: BitLocker automatic device encryption depends on TPM (Trusted Platform Module). Devices without an initialized TPM cannot automatically encrypt drives, even if the policy is deployed correctly.
3. A security administrator wants to block users from running unsigned PowerShell scripts while still allowing Windows Update and Defender updates. Which policy type should you configure in Intune?
A. Device Configuration → Administrative Templates
B. Endpoint Security → Attack Surface Reduction
C. Device Compliance → Custom OMA-URI
D. Endpoint Security → Antivirus
Answer: B. Endpoint Security → Attack Surface Reduction
Explanation: Attack Surface Reduction (ASR) rules can prevent the execution of unsigned or untrusted scripts and binaries while allowing legitimate system processes and updates to run.
4. You’re implementing firewall policies using Intune, but users report network disruptions after deployment. You discover multiple conflicting rules. What should you do to troubleshoot?
A. Disable Windows Firewall service
B. Review per-profile rule merging settings in Intune
C. Remove overlapping rules from all GPOs
D. Deploy the firewall policy to user groups instead of device groups
Answer: B. Review per-profile rule merging settings in Intune
Explanation: By default, Intune firewall profiles can merge rules from multiple sources (local, domain, and group policies). If “Rule merging” is disabled, only Intune-defined rules apply — often causing network disruptions.
5. You want to apply Microsoft’s preconfigured security recommendations to all Windows 11 devices in your organization with minimal custom setup. What should you deploy?
A. Security configuration baseline for Windows
B. Attack Surface Reduction policy
C. Device compliance policy
D. Endpoint detection and response policy
Answer: A. Security configuration baseline for Windows
Explanation: Microsoft security baselines are predefined collections of recommended settings covering Defender, BitLocker, and other OS-level protections. They’re ideal for quick, organization-wide hardening with minimal customization.
6. You’ve onboarded devices into Microsoft Defender for Endpoint (MDE) via Intune, but some devices still appear as “Not reporting” in the Defender portal. What’s the most likely issue?
A. Devices have not been assigned an E5 license
B. Network connectivity to Microsoft Defender cloud service is blocked
C. Intune sync frequency is too low
D. Devices are not joined to Entra ID
Answer: B. Network connectivity to Microsoft Defender cloud service is blocked
Explanation: Defender for Endpoint requires outbound connectivity to specific Microsoft cloud endpoints. If these are blocked by firewalls or proxies, the device won’t report sensor data to MDE.
7. You need to ensure Windows 11 updates are deployed in stages across the company—starting with IT, then HR, then all users. What’s the best way to achieve this in Intune?
A. Create multiple update rings with different deployment deadlines
B. Create one update ring and stagger assignment schedules manually
C. Configure one update policy with automatic rollout
D. Use Windows Autopilot deployment profiles
Answer: A. Create multiple update rings with different deployment deadlines
Explanation: Staggered update rollouts are achieved by creating separate update rings with differing deadlines or deferral periods, ensuring IT tests updates before broader deployment.
8. You’re planning update policies for iOS devices enrolled in Intune. The company wants to control when users can install OS updates. What type of policy should you create?
A. iOS configuration profile → Restrictions
B. iOS software update policy
C. Device compliance policy
D. App configuration policy
Answer: B. iOS software update policy
Explanation: Intune’s iOS/iPadOS software update policies allow admins to control update timing, specify minimum OS versions, and defer updates for defined periods before installation.
9. Your Android Enterprise fleet must receive OEM firmware updates without user intervention. Which mechanism supports this?
A. Managed Google Play
B. OEMConfig profile
C. Firmware-over-the-air (FOTA) deployment
D. Custom compliance policy
Answer: C. Firmware-over-the-air (FOTA) deployment
Explanation: FOTA deployments allow IT admins to push OEM firmware updates remotely to Android Enterprise devices. This ensures consistent patching of system-level vulnerabilities across devices.
10. You configured Delivery Optimization for Windows updates in Intune, but users report increased bandwidth usage. You need to reduce internet dependency for branch offices. What should you enable?
A. Delivery Optimization group mode
B. Peer caching via Windows Update for Business
C. BranchCache
D. Offline servicing
Answer: A. Delivery Optimization group mode
Explanation: Delivery Optimization group mode allows devices within the same LAN or AD site to share downloaded content with peers, reducing bandwidth usage by minimizing redundant downloads from the internet.
11. You’ve integrated Intune with Microsoft Defender for Endpoint (MDE). Compliance policies now include “Require the device to be at or under the machine risk score.” Some compliant devices are suddenly marked non-compliant. Why?
A. Defender for Endpoint sensor version outdated
B. Conditional Access policy misconfiguration
C. MDE detected new risks and raised device risk level
D. Intune lost connection with MDE integration
Answer: C. MDE detected new risks and raised device risk level
Explanation: Intune automatically marks devices as non-compliant when MDE flags them with higher risk levels (e.g., malware, exposure, or misconfiguration). This isn’t an error — it’s expected behavior based on live threat evaluation from Defender.
12. You applied Microsoft’s Windows 11 Security Baseline through Intune. Later, a custom BitLocker policy was added to enforce XTS-AES 128-bit encryption. However, many devices didn’t adopt the new setting. What’s the reason?
A. Security baselines have higher priority and override custom policies
B. BitLocker requires manual re-encryption after policy changes
C. The policy is assigned to users, not devices
D. TPM version conflicts prevent encryption algorithm change
Answer: A. Security baselines have higher priority and override custom policies
Explanation: When both a baseline and custom configuration target the same setting, the baseline takes precedence. Intune merges settings hierarchically, and the baseline’s default encryption configuration stays in force unless overridden by an updated baseline version.
13. A user’s Windows 11 device is onboarded to Defender for Endpoint but shows “Limited additional protection” in the MDE portal. The device is also enrolled in Intune. What’s the likely root cause?
A. Windows Defender Antivirus is disabled by another security product
B. Real-time protection is paused by the user
C. MDE sensor isn’t configured for cloud protection
D. Intune and MDE integration are using separate tenants
Answer: D. Intune and MDE integration are using separate tenants
Explanation: If Intune and Defender for Endpoint are connected to different Microsoft 365 tenants, the integration can’t share telemetry or compliance data properly, causing limited protection and visibility in the MDE portal.
14. You want to monitor update compliance for all Windows devices managed by Intune and identify which are missing critical patches. Which tool or report provides this insight?
A. Endpoint analytics – Startup performance
B. Windows Update compliance (Workplace Update Reports)
C. Device compliance report in Microsoft Entra
D. Intune troubleshooting pane
Answer: B. Windows Update compliance (Workplace Update Reports)
Explanation: The Windows Update compliance report in Intune (part of Endpoint analytics) aggregates update status, missing patches, and deployment health across all managed Windows devices. It’s the primary source for patch-level compliance insight.
15. You deploy a Defender Firewall policy through Intune to enforce “block inbound connections” on all profiles. After deployment, VPN connectivity stops working for remote users. How should you fix this without disabling the policy?
A. Enable “Allow edge traversal” for VPN ports
B. Add a custom inbound rule for the VPN application
C. Set firewall profiles to merge with local rules
D. Switch to Microsoft Defender Application Guard
Answer: B. Add a custom inbound rule for the VPN application
Explanation: When you enforce “block all inbound connections,” legitimate inbound VPN traffic gets blocked too. The correct mitigation is to create a specific inbound firewall rule for the VPN client or its ports, maintaining protection while allowing secure connectivity.
Let’s now look at some MD-102 exam resources and materials that can help you grasp concepts easily.
Microsoft MD-102 Exam Resources and Study Guide 2025
The following resources are officially provided to aid in your preparation for the MD-102 exam:
- Microsoft Learn Study Guide: This comprehensive guide offers an extensive overview of the exam’s subject matter. It comprises a series of learning paths that allow you to delve into each topic thoroughly.
- Microsoft Endpoint Manager Documentation: The documentation for Microsoft Endpoint Manager supplies in-depth information on how to utilize Microsoft Intune and other tools for managing endpoints.
- Microsoft Intune Documentation: This documentation provides detailed insights into effectively employing Microsoft Intune for device and application management.
- Microsoft Defender for Endpoint Documentation: You’ll find comprehensive details on using Microsoft Defender for Endpoint to safeguard devices from malware and various threats in this documentation.
- Microsoft 365 Authentication Documentation: Secure access to Microsoft 365 services with detailed information from the Microsoft 365 authentication documentation.
- Microsoft 365 Conditional Access Documentation: Learn how to control access to Microsoft 365 services through the comprehensive guidance provided in the Microsoft 365 conditional access documentation.
In addition to these official resources, several other materials are available to aid in your MD-102 exam preparation. These resources encompass practice exams, study guides, and video tutorials.
Getting Hands-on Experience
To gain practical experience with Microsoft Intune and other endpoint management tools, establishing a controlled lab environment is highly recommended. This controlled setting enables you to experiment with various features and configurations safely. Here are the steps to set up a lab environment tailored for the MD-102 exam:
- Create a Microsoft Azure account
- Create a Microsoft Intune tenant
- Purchase a license for Microsoft Defender for Endpoint
- Download and install the Microsoft Intune Company Portal app on a few devices to enable device management
- Enroll the devices in Microsoft Intune
- Create and deploy device configuration profiles
- Deploy applications to the devices using Microsoft Intune
- Use Microsoft Defender for Endpoint to protect the devices from malware and other threats
Once your lab environment is set up, you can commence your hands-on exploration of Microsoft Intune and other endpoint management tools. To gain practical proficiency, consider the following tasks:
- Deploy Windows client devices using Windows Autopilot
- Manage identity and access using Microsoft 365 authentication and conditional access policies
- Manage and protect devices using Microsoft Intune and Microsoft Defender for Endpoint
- Manage applications using Microsoft Intune and other mobile device management (MDM) tools
Detailed instructions for these tasks can be found in Microsoft’s official documentation.
If you lack physical devices for your lab, you can leverage Microsoft’s Azure Virtual Machines service to create virtual machines in the cloud suitable for testing and development purposes. Additionally, collaborating with a mentor can provide valuable guidance and support as you navigate these tools in a real-world context, facilitating a deeper understanding of their practical application.
Final Words
The employment prospects for Microsoft Endpoint Administrators are highly favorable, with a projected growth rate exceeding the average. This surge in demand can be attributed to the increasing prevalence of cloud computing and the widespread use of mobile devices. Here are some specific job titles for which you may qualify with an MD-102 certification:
- Microsoft Endpoint Administrator
- Endpoint Management Analyst
- Mobile Device Management (MDM) Administrator
- Microsoft 365 Administrator
- Information Security Analyst
- Systems Administrator
- IT Support Specialist
- Desktop Support Technician
- Help Desk Technician
Opportunities for Microsoft Endpoint Administrators abound across various sectors. Organizations, regardless of their size, seek adept professionals capable of efficiently and securely managing their Microsoft endpoints. This demand reflects the growing importance of effective endpoint management in today’s technology landscape. Hence, clearing the exam will be worth the time and effort.