What is the MD-102 exam?

Exam MD-102: Endpoint Administrator is the Microsoft role-based exam that earns the Microsoft 365 Certified: Endpoint Administrator Associate credential. It tests your ability to deploy Windows clients, manage identity and compliance with Microsoft Entra and Intune, manage and protect devices with Intune and Microsoft Defender for Endpoint, and manage applications including Win32 apps and MAM-WE app protection policies. MD-102 launched March 28, 2023 and replaced the retired MD-100 + MD-101 pair.

How much does MD-102 cost in 2026?

The MD-102 exam fee is $165 USD in the United States. Fees vary by country (for example, approximately $55 in India and £113 in the UK) due to local currency, tax, and Microsoft regional pricing. Microsoft periodically offers discount vouchers via partner training, Microsoft Learn Challenges, and Microsoft Ignite / Build events.

What is the passing score for MD-102?

MD-102 uses a scaled scoring model from 1 to 1000, and the passing score is 700. Microsoft does not publish per-item weighting; case-study and performance-based lab items generally count for more than simpler multiple-choice items. You receive your pass/fail result and scaled score immediately at the test center or OnVUE session end, with a detailed skills breakdown emailed within 1-3 business days.

What is the difference between MD-102 and MD-100 / MD-101?

MD-100 (Windows Client) and MD-101 (Managing Modern Desktops) were the two-exam pair required for the old Microsoft 365 Certified: Modern Desktop Administrator Associate credential. Both retired on September 30, 2023. MD-102 consolidated the content into a single exam with heavier emphasis on Microsoft Intune, Windows Autopilot, Conditional Access, and Microsoft Defender for Endpoint. Old MD-100/MD-101 holders cannot renew those credentials and must sit MD-102 to earn the current Endpoint Administrator Associate title.

Do I need to know PowerShell for MD-102?

You do not need to write production scripts, but MD-102 can include drag-and-drop cmdlet-ordering items and performance-based labs that use the Intune admin center plus occasional PowerShell (for example, Get-WindowsAutopilotInfo for Autopilot hash collection, or detection/remediation script pairs). Know the basics: Get-WindowsAutopilotInfo, Add-AppxPackage, Get-BitLockerVolume, and detection/remediation script patterns. Candidates who can script common Intune tasks score materially higher.

MD-102 is considered moderately difficult for experienced endpoint administrators and harder for newcomers. Microsoft does not publish pass rates, but community reporting puts first-time pass rates roughly in the 55-65% range. Difficulty comes from the breadth (four domains across Windows deployment, identity, device management, and apps), the case-study format, and the 40-45% weighting on the Manage, Maintain, and Protect Devices domain. Plan 8-12 weeks of ~8-10 hour/week preparation plus hands-on Intune tenant time.

How long is the MD-102 exam?

The MD-102 exam gives candidates 100 minutes of exam time, with roughly 20 additional minutes for instructions, the non-disclosure agreement, and tutorial, for a total seat time of approximately 120 minutes. It contains approximately 40-60 items, including multiple choice, multi-select, drag-and-drop, case studies, and performance-based lab questions. Approved accommodations add extra time when requested through Pearson VUE.

What happens if I fail MD-102?

Microsoft's exam retake policy allows a 24-hour wait after your first failed attempt. For attempts 2, 3, 4, and 5 you must wait 14 days between attempts. You may take MD-102 a maximum of 5 times per 12-month period. Each retake requires paying the full $165 fee. After a failure, review your skill-area breakdown (emailed within 1-3 business days), target the weakest domain (typically the 40-45% Manage, Maintain, and Protect Devices domain), spend at least two weeks in hands-on Intune tenant practice, and do two timed full-length mocks before rebooking.

How long is the Microsoft 365 Endpoint Administrator Associate certification valid?

The Microsoft 365 Certified: Endpoint Administrator Associate certification is valid for one year from the date you pass MD-102. Renewal is FREE through Microsoft Learn via an unproctored online assessment that opens 6 months before expiration. The renewal assessment is shorter than the full exam (typically 25-35 questions) and focuses on what has changed in Intune, Windows, and endpoint security since your initial certification. If a certification lapses, it cannot be renewed and you must retake the full MD-102.

Should I take MD-102 or MS-102 first?

MD-102 covers endpoint-focused administration: Windows deployment, Intune, device compliance, endpoint security, and applications. MS-102 covers tenant-wide Microsoft 365 administration: identity, Defender XDR, and Purview compliance. If your role owns the endpoint layer (desktops, laptops, mobile devices, the Intune tenant), take MD-102 first. If your role owns the broader M365 tenant (Exchange, SharePoint, Teams, identity, compliance), take MS-102 first. Many Modern Workplace teams expect both, and there is meaningful overlap in the Entra identity and Conditional Access content.

What is the salary for an Endpoint Administrator in 2026?

US Endpoint / Intune Administrator total compensation in 2026 typically ranges $80,000-$120,000, with a median near $92K-$98K per Glassdoor, ZipRecruiter, Salary.com, and Robert Half's 2026 Tech Salary Guide. Senior modern workplace engineer roles reach $110K-$140K; Modern Workplace architects $135K-$175K; endpoint security / Intune leads $140K-$185K+. LinkedIn Talent Insights shows 15,000+ open US roles tagged "endpoint administrator" or "Intune administrator" with 10-20% year-over-year growth. MD-102 certification typically adds a 10-15% compensation premium at the same experience level.

What is Windows Autopilot and why does MD-102 test it so heavily?

Windows Autopilot is Microsoft's modern device provisioning service for Windows 11 (and Windows 10). It lets IT drop-ship devices directly from the OEM to end users; the device self-configures during OOBE by pulling its hash from the Autopilot service, joining Microsoft Entra, enrolling in Intune, and applying policies and apps. MD-102 tests Autopilot heavily because it is the recommended modern alternative to traditional imaging: you need to know self-deploying, user-driven, pre-provisioning (white glove), Autopilot for existing devices, and Autopilot Reset - plus hash collection methods, deployment profiles, and the Enrollment Status Page (ESP).

FREE MD-102 Exam Guide 2026: Pass Endpoint Administrator

MD-102 Exam Guide 2026: The Only Walkthrough Built Around the Current Skills Measured Outline

If you manage Windows 11 devices, Microsoft Intune tenants, or Modern Workplace fleets in 2026, the certification that defines your career tier is Exam MD-102: Endpoint Administrator. It is the sole exam standing between you and the Microsoft 365 Certified: Endpoint Administrator Associate credential - a role-based cert that MSPs, regulated industries, and enterprise desktop engineering teams explicitly call out in job descriptions.

Most guides on the internet still reference MD-100 and MD-101, the two-exam predecessor pair Microsoft retired in 2023. If a study plan mentions "sit MD-100 first," it is out of date. This guide is written exclusively for the 2026 exam window: current skills-measured weights, the Intune + Autopilot + Defender for Endpoint stack, the $165 USD Pearson VUE fee, the 700/1000 passing score, and the free Microsoft Learn renewal.

MD-102 At-a-Glance (2026)

Item	Detail (2026)
Full Name	Exam MD-102: Endpoint Administrator
Credential Earned	Microsoft 365 Certified: Endpoint Administrator Associate
Delivery	Pearson VUE (test center or online-proctored OnVUE)
Questions	~40-60 items (multiple choice, multi-select, drag-and-drop, case studies, lab/performance-based)
Time Limit	100 minutes of exam time (~120 minutes total seat time with NDA, instructions, tutorial)
Passing Score	700 out of 1000 (scaled)
Exam Fee	$165 USD (varies by country; India ~$55, UK £113)
Prerequisites	None to sit MD-102; however MD-102 is itself the prerequisite for the Endpoint Administrator Associate credential
Languages	English, Japanese, Chinese (Simplified), German, French, Spanish, Korean, Portuguese (Brazil), Italian
Certification Validity	1 year; renew FREE on Microsoft Learn (6-month window opens before expiration)
Retake Policy	24-hour wait after 1st fail; 14-day wait for attempts 2-5; max 5 attempts per 12 months
Launched	March 28, 2023 (replacing MD-100 + MD-101, both retired September 30, 2023)
Related	MS-102 (Microsoft 365 Administrator), AZ-104 (Azure Administrator), SC-300 (Identity & Access), MS-700 (Teams Administrator)

Source: Microsoft Learn exam page (learn.microsoft.com/credentials/certifications/exams/md-102), Microsoft MD-102 Study Guide, and Pearson VUE scheduling portal.

Start Your FREE MD-102 Prep Today

Start FREE MD-102 practice questions for the Microsoft Endpoint Administrator examPractice questions with detailed explanations

Why MD-102 (and Why It Replaced MD-100 + MD-101)

Before March 28, 2023, to earn the Microsoft 365 Certified: Modern Desktop Administrator Associate title you had to pass two exams:

MD-100: Windows Client - installing, configuring, and maintaining Windows 10/11 on devices.
MD-101: Managing Modern Desktops - deploying, managing, and protecting Windows endpoints with Intune and Configuration Manager.

Both exams retired on September 30, 2023. Microsoft consolidated the content into a single exam - MD-102 - and renamed the credential to Microsoft 365 Certified: Endpoint Administrator Associate (dropping "Modern Desktop" to reflect the expanded scope beyond traditional desktops). The new exam is narrower in scope than MD-100 + MD-101 combined, but tests each domain deeper and with heavier emphasis on Microsoft Intune, Windows Autopilot, Conditional Access, and Microsoft Defender for Endpoint - the four pillars Microsoft has invested most aggressively in since 2023.

If you hold old MD-100 or MD-101 credentials, you can no longer renew them. The only path to the current Endpoint Administrator Associate title is MD-102.

Who Should Sit MD-102

The Microsoft skills outline targets professionals who:

Deploy Windows 11 clients via Autopilot, Configuration Manager, provisioning packages, or WDS/MDT.
Manage Microsoft Intune tenants end-to-end: device enrollment, configuration profiles, compliance policies, scripts, and remediations.
Protect endpoints with BitLocker, Microsoft Defender for Endpoint, Attack Surface Reduction, Edge for Business, and Windows Hello for Business.
Manage applications including Win32 apps, LOB packages, Microsoft Store apps, WinGet deployments, and MAM (app protection) policies for BYOD.
Integrate with Microsoft Entra for Conditional Access, device identity, and hybrid join scenarios.

Candidate Profile	Why MD-102 Fits
Existing desktop admins with MD-100/MD-101	Only current path to Endpoint Administrator Associate; old credentials cannot be renewed
Help desk / IT pros moving into endpoint roles	Validates modern endpoint management competency across Windows, Intune, and security
SCCM / ConfigMgr engineers	Natural bridge to cloud-first Intune management and co-management scenarios
MSPs and Microsoft partners	MD-102 frequently required for Modern Work partner competency designations
M365 admins (MS-102) expanding into endpoint	Deeper dive into device management than the tenant-wide MS-102

If your role is purely identity-focused, sit SC-300 instead. If your role is Microsoft 365 tenant-wide, sit MS-102. MD-102 is the right choice when you own the endpoint layer - Windows clients, mobile devices, and the Intune tenant that manages them.

Build MD-102 Mastery with FREE Practice Questions

Access FREE MD-102 practice questionsPractice questions with detailed explanations

MD-102 Skills Measured (2026 Domain Weights)

The official Microsoft Learn skills outline for MD-102 has been revised multiple times since launch - most recently in early 2026 - reflecting GA features (Windows Autopatch integration, Cloud PC / Windows 365 scope, WinGet package deployments in Intune, expanded macOS / iOS / Android support, and the Microsoft Defender XDR unified portal). Always verify against the current PDF at aka.ms/MD-102-study-guide before test day.

Domain	2026 Weight	What It Covers
1. Deploy Windows client	25-30%	Windows 11 deployment, Autopilot scenarios, Configuration Manager co-management, upgrade/migration, provisioning packages
2. Manage identity and compliance	15-20%	Entra device identity (join/registered/hybrid), Conditional Access + compliance policies, device enrollment restrictions, Autopatch
3. Manage, maintain, and protect devices	40-45%	Intune configuration profiles, update rings, BitLocker, Defender for Endpoint, Edge for Business, scripts + remediations, monitoring
4. Manage applications	10-15%	Win32 apps, LOB / MSI / MSIX, Microsoft Store, WinGet, M365 Apps, app protection policies (MAM-WE), app configuration

Source: Microsoft MD-102 Study Guide, 2026 revision.

Domain 3 (Manage, maintain, and protect devices) is the heaviest single domain at 40-45%. Do not under-study it.

Domain 1: Deploy Windows Client (25-30%)

This is the "get Windows on the metal" domain - deployment methods, Autopilot scenarios, and upgrade paths.

Plan and implement Windows client deployment

Windows 11 edition selection (Pro, Enterprise, Education, LTSC) and licensing (E3/E5, Windows 365).
Activation: MAK, KMS / Active Directory-Based Activation, and Subscription Activation (Windows 11 Enterprise E3/E5 via Entra).
Deployment methods: Windows Autopilot, Configuration Manager OSD task sequences, provisioning packages, Windows Deployment Services (legacy, mostly out of scope), and MDT for hybrid scenarios.

Windows Autopilot scenarios (heavy exam emphasis)

Autopilot self-deploying mode - kiosks, shared devices, zero-touch OOBE (requires TPM 2.0 attestation).
Autopilot user-driven mode - the most common scenario for corporate laptops; user signs in, device provisions.
Autopilot pre-provisioning (white glove) - IT department provisions the device partway, end user finishes sign-in.
Autopilot for existing devices - reimage domain-joined devices into Entra-joined via ConfigMgr task sequence.
Autopilot Reset - wipe a device in place without losing Entra / Intune enrollment.
Hash collection methods (OEM upload, Get-WindowsAutopilotInfo PowerShell, Intune Graph API), Autopilot deployment profiles, enrollment status page (ESP) configuration.

Upgrade and migrate

In-place upgrade from Windows 10 to Windows 11 (hardware requirements: TPM 2.0, Secure Boot, CPU compat list).
PC Health Check and Windows 11 readiness reports in Intune and Configuration Manager.
User state migration (USMT) for re-imaged devices.

Co-management with Configuration Manager

Tenant attach and co-management scenarios; workload sliders (compliance policies, device configuration, endpoint protection, resource access, client apps, Office Click-to-Run, Windows Update).
When to pilot vs full cutover; when Intune should own a workload vs ConfigMgr.

Domain 2: Manage Identity and Compliance (15-20%)

Entra device identity

Entra joined (cloud-only device identity) - the default for Autopilot provisioned devices.
Entra registered (BYOD registration, personal devices).
Hybrid Entra joined (synced from on-prem AD via Entra Connect Sync).
Device registration states in Entra admin center; troubleshooting dsregcmd /status.

Enrollment restrictions

Device platform restrictions (block personally owned Android, allow corporate iOS, etc.).
Device limit restrictions per user.
Corporate device identifiers (serial, IMEI upload) for marking devices as corporate-owned.

Compliance policies

Build compliance policies per platform (Windows, iOS/iPadOS, macOS, Android Enterprise, Linux).
Compliance rules: minimum OS version, BitLocker required, Secure Boot, no jailbreak, Defender threat level, password complexity.
Actions for noncompliance: send email, send notification, mark noncompliant after X days, retire, remove company data.
Compliance status in Conditional Access (one of the grant controls).

Conditional Access integration (testable nuance)

Compliance != Conditional Access. Compliance policies evaluate device state; Conditional Access policies enforce access decisions using compliance as one input.
"Require compliant device" grant control vs "Require Hybrid Entra joined device."
Report-only mode, What-If tool, named locations.
Combining compliance, sign-in risk, and session controls.

Windows Autopatch

Microsoft-managed update service layered on top of Intune.
Device groups: Test, First, Fast, Broad rings.
Prerequisites: Entra joined or hybrid, supported Windows 10/11 editions, Intune MDM authority.
Windows Update for Business (WUfB) policies still in scope for manual control.

Domain 3: Manage, Maintain, and Protect Devices (40-45%)

The largest domain and the one that covers the day-to-day Intune administrator skill set.

Device configuration profiles

Settings catalog (modern, granular, recommended).
Templates (administrative templates, endpoint protection, device restrictions, custom OMA-URI).
Assignment: include/exclude groups, filters (device property, OS version, manufacturer).
Profile conflicts and settings precedence; monitoring assignment status and per-setting reports.

Windows Update for Business + update rings

Update rings: deferral days for quality and feature updates, active hours, pause behavior.
Feature update profiles (pin to a specific Windows 11 version).
Expedited quality updates (zero-day CVE push).
Driver updates and firmware updates via Windows Update for Business.

BitLocker

Silent encryption via Endpoint Security disk encryption policy.
Recovery key escrow to Entra ID.
Pre-boot PIN scenarios, startup authentication, TPM-only vs TPM + PIN.
Recovery key self-service portal.

Microsoft Defender for Endpoint integration

Onboard via Intune endpoint security policy (Defender configuration profile) or via MDE security baseline.
Attack Surface Reduction (ASR) rules - audit mode first, then block; top ASR rules to know (block Office from creating child processes, block credential stealing from LSASS, block Win32 API calls from Office macros).
Tamper protection, controlled folder access, Web content filtering.
Device risk score flow into Conditional Access.

Microsoft Edge for Business

Edge configuration via Intune (settings catalog or ADMX templates).
Enterprise mode site list for IE-dependent legacy apps.
SmartScreen, tracking prevention, startup tabs.
Edge work vs personal profile separation.

Windows Hello for Business

PIN, biometrics, certificate trust vs key trust vs cloud Kerberos trust (the modern default).
Tenant-wide vs per-device-group enablement.

Scripts and remediations (Proactive Remediations)

PowerShell scripts in Intune: run as system/user, run in 64-bit, enforce signature.
Remediations (formerly Proactive Remediations): detection script + remediation script, schedule, run frequency, column-based reporting.
Common remediation patterns: fix registry drift, re-run compliance checks, repair OneDrive client.

Monitoring and reporting

Device, compliance, and configuration profile reports.
Endpoint analytics (startup performance, application reliability, proactive remediations, resource performance).
Intune audit logs and Graph-based custom reports.

Domain 4: Manage Applications (10-15%)

App types supported by Intune

Win32 apps (.intunewin packaged via IntuneWinAppUtil) - the core modern format.
Line-of-Business (LOB) - .msi, .appx/.appxbundle, .msix.
Microsoft 365 Apps (formerly Office 365 ProPlus) - install channel, architecture, languages, update preferences.
Microsoft Store apps via the new Microsoft Store integration (replacing the retired Microsoft Store for Business).
WinGet packages - Windows Package Manager integration for public app deployment.
Web links, built-in iOS/Android managed store apps.

Win32 app deep dive (heavy exam emphasis)

Package .exe/.msi with IntuneWinAppUtil into .intunewin.
Install command, uninstall command, install behavior (user/system), device restart behavior, return codes.
Detection rules (critical): MSI product code, file (exists + version + date), registry (exists + value), or custom PowerShell script. Getting detection rules wrong is a top pitfall.
Requirements (OS, architecture, disk space, custom script requirements).
Dependencies and supersedence (uninstall previous version, install new).
Delivery Optimization and content pre-caching.

App protection policies (MAM-WE)

Mobile Application Management without Enrollment.
Protect corporate data inside managed apps (Outlook, Teams, Office mobile, Edge) on personal BYOD devices without enrolling the device in Intune.
Policies: prevent copy/paste to unmanaged apps, encryption, app PIN, require managed keyboard.
Conditional Launch: require minimum app version, OS version, wipe data after X failed PIN attempts.

App configuration policies

Pre-configure managed apps (Outlook mailbox, Edge bookmarks, per-app VPN).
Target managed devices (enrolled) or managed apps (MAM).

Microsoft Store for Business (retired)

Microsoft retired the Microsoft Store for Business and Microsoft Store for Education in the 2023-2024 window. The replacement is the new Microsoft Store integration in Intune plus WinGet. If a resource still recommends MSfB, it is out of date.

Azure Virtual Desktop / Windows 365 Quick Refresh

MD-102 includes a small but testable slice of cloud PC content:

Windows 365 Cloud PC - per-user Cloud PC SKUs, provisioning policies, user settings (self-service reset, restore), licensing prerequisites.
Azure Virtual Desktop (AVD) - multi-session Windows 11 Enterprise, session host pools, FSLogix profile containers (baseline awareness, not deep AVD exam material).
When to choose Cloud PC (per-user dedicated) vs AVD (multi-session shared) vs physical endpoint.

Cost and Registration (2026)

Item	Cost	Notes
Exam fee (US)	$165	Varies by country
Microsoft 365 Developer Program tenant	$0	Free sandbox with sample users/data (conditions apply)
Intune trial (30-90 days)	$0	Full Intune feature access via M365 E5 or EMS E5 trial
Microsoft Learn training	$0	Free official learning path + sandbox labs
OpenExamPrep practice	$0	Free scenario bank with AI explanations
MeasureUp practice tests	~$129	Closest to the real item style (optional)
Instructor-led bootcamp (Andy Malone, Andrew Taylor, Pluralsight)	$200-$2,000	Optional
Renewal	$0	Free Microsoft Learn assessment yearly
Typical all-in first-time cost	$165-$500	Lower end if self-study only

Register via the MD-102 page on Microsoft Learn - the Schedule Exam button hands off to Pearson VUE. Pick test center or online-proctored (OnVUE). Confirm your Microsoft Learn profile name matches your government-issued ID exactly; mismatches cause same-day cancellations.

Renewal: FREE on Microsoft Learn After 1 Year

Like every Microsoft role-based certification, MD-102 is valid for one year from the date you pass. Renewal is FREE via Microsoft Learn - a browser-based, unproctored assessment opens in your Microsoft Learn profile 6 months before expiration. It is typically 25-35 questions focused on what has changed in Intune, Windows, and endpoint security since your initial pass (new Autopilot scenarios, Windows Autopatch updates, Defender for Endpoint features). You can retake the renewal unlimited times.

If a certification lapses, it cannot be renewed. You would need to re-sit the full MD-102 at $165. Set a calendar reminder 9 months after your pass date.

8-12 Week MD-102 Study Plan

Most candidates come from desktop support, MD-100/MD-101 alumni work, ConfigMgr backgrounds, or hands-on Intune admin roles. This plan assumes ~8-10 hours per week.

Week	Focus	Deliverable
Week 1	Windows 11 deployment fundamentals, editions, activation	Clean-install Windows 11 Pro into a VM; verify Subscription Activation via an Entra account
Week 2	Windows Autopilot - self-deploying, user-driven, pre-provisioning	Register a VM hash to Autopilot; run user-driven OOBE end-to-end
Week 3	Configuration Manager co-management, tenant attach, workload sliders	Lab a co-managed device with ConfigMgr + Intune; shift one workload
Week 4	Entra device identity, enrollment restrictions, compliance policies	Build 3 compliance policies (Windows, iOS, Android) with noncompliance actions
Week 5	Conditional Access + device compliance + Autopatch	3 CA policies: require MFA, require compliant device, block legacy auth; register a device to Autopatch
Week 6	Device configuration profiles (settings catalog), update rings, BitLocker	Deploy BitLocker silent encryption; build 2 settings catalog profiles
Week 7	Defender for Endpoint, ASR rules, Edge for Business, Windows Hello	Onboard device to Defender; deploy 3 ASR rules in block mode; push an Edge settings profile
Week 8	Scripts, remediations, endpoint analytics	Deploy a PowerShell script + a detection/remediation pair; review endpoint analytics
Week 9	Win32 apps, LOB, WinGet, Microsoft Store, detection rules	Package one Win32 app with IntuneWinAppUtil; build MSI, file, and registry detection rules
Week 10	App protection (MAM-WE), app config policies, Windows 365 quick hit	Deploy MAM policy to Outlook/Edge mobile on a BYOD device
Week 11	Full-length timed mock + gap remediation	Target >70%; close weakest 2 sub-domains with Microsoft Learn modules
Week 12	Two timed full-length mocks; rest day before	Score >75% consistently before booking

If you are an experienced Intune admin, compress to 6-8 weeks by skipping Weeks 1-3.

Recommended MD-102 Resources (FREE-First)

Resource	Type	Why It Helps
OpenExamPrep MD-102 Practice (FREE)	Free, unlimited	Scenario items mapped to the 2026 skills outline with AI explanations
Microsoft Learn MD-102 learning path	Free	Official modules across all four domains; includes sandbox labs
Microsoft 365 Developer Program tenant	Free	90-day renewable sandbox tenant with sample users, Teams, SharePoint content
EMS E5 / Intune trial	Free	Full Intune capabilities for 30-90 days
Microsoft MD-102 Study Guide (PDF)	Free	Authoritative skills-measured list; print it and check off weekly
Andy Malone MVP (YouTube)	Free	Gold-standard MD-102 walkthroughs; full exam cram + domain deep dives
Andrew Taylor - Intune Training (blog + YouTube)	Free	The deepest hands-on Intune content on the internet; scripts, Autopilot, and app packaging
Pluralsight MD-102 path	Paid	Structured video course from multiple Microsoft MVPs
MeasureUp MD-102 Practice Tests	Paid ($129)	Closest to the real item style and difficulty
Microsoft Tech Community (Intune, Autopilot, Defender)	Free forum	Real-world troubleshooting and product-team AMAs
r/Intune on Reddit	Free	Daily field reports on what is breaking in production Intune

Hands-On Microsoft 365 Developer Tenant + Intune Trial Strategy

MD-102 is not a memorize-the-facts exam. Case studies embed multiple pages of tenant context and linked questions, and drag-and-drop + performance-based items reward real Intune muscle memory. Without a live tenant and at least one test device, you will run out of the 100 minutes.

Use the Microsoft 365 Developer Program (free, renewable) to provision a trial tenant with:

Up to 25 sample users with pre-populated Exchange, SharePoint, and Teams content.
E5-equivalent capabilities (Intune, Defender for Endpoint, Entra ID P2) for dev/test use.
A sandbox tenant that renews every 90 days while you are actively developing against it.

Layer on a fresh EMS E5 or Microsoft 365 E5 trial for the Intune admin center if your dev tenant runs out of Intune quota. Provision at least one Windows 11 VM (Hyper-V, Parallels, or an Azure VM) so you can live-enroll into Intune and live-run Autopilot.

Build at least these six scenarios end-to-end:

Autopilot user-driven deployment - hash the VM, assign to a deployment profile, run OOBE, confirm Entra join + Intune enroll.
Compliance + Conditional Access - require BitLocker on Windows, block sign-in from noncompliant devices.
BitLocker silent encryption - deploy via endpoint security disk encryption, confirm recovery key in Entra.
Defender for Endpoint + ASR - onboard, deploy three ASR rules (audit then block), verify in Defender portal.
Win32 app end-to-end - package Notepad++ or 7-Zip with IntuneWinAppUtil, build correct MSI/file/registry detection rule, deploy as required, verify install + uninstall.
MAM-WE app protection - deploy an app protection policy to Outlook mobile on a personal iOS/Android phone without enrolling the device.

If you have built all six, you will recognize every scenario on the exam.

Test-Day Strategy: The Case-Study Format

MD-102 uses case studies, standalone items, and performance-based labs the same way other Microsoft Associate-tier exams do. The case-study format is where most first-time failures happen.

Before you sit:

Confirm your Microsoft Learn profile name matches your government ID exactly.
If online-proctored, run the Pearson VUE OnVUE system check 24 hours in advance.
Clear your desk; the proctor will ask for a 360-degree room scan.

During the exam:

Case studies appear as standalone timed sections (typically 1-2 cases). Once you submit a section you cannot return to it - but within a section you can flag, move back and forth, and review.
Read the question first, then skim the case study for the specific detail. Do not read all 4 pages twice.
Budget ~4-5 minutes per case-study item and ~1.5-2 minutes per standalone item.
On any ambiguous item, pick the option that is most aligned with Microsoft's current recommended best practice (Autopilot user-driven over imaging, settings catalog over templates, MAM-WE for BYOD, cloud Kerberos trust for Windows Hello).
Flag anything under 90% confidence; Microsoft gives you the full section time to revisit flagged items.

After the exam:

Immediate pass/fail with scaled score (0-1000, pass = 700).
A skills-measured breakdown is emailed within 1-3 business days.
If you fail, wait 24 hours for retake #1, 14 days for retakes 2-5.

Common Pitfalls That Sink First-Time Scores

Confusing Conditional Access with device compliance. Compliance policies evaluate device state (BitLocker on, Defender healthy, OS up to date). Conditional Access enforces access decisions using compliance as a signal. The exam uses subtle wording to separate them - pay attention to whether the question is about evaluating a device (compliance) or granting/blocking access (Conditional Access).
Getting Win32 app detection rules wrong. The #1 support case in real-world Intune. A detection rule that does not uniquely identify the installed app will cause Intune to reinstall every check-in or report failure. Know MSI product code, file (exists + version + date), registry, and custom PowerShell detection - and when each is appropriate.
Studying MD-100 / MD-101 content. Legacy Windows Server deployment, SCCM-first imaging, and retired MSfB workflows are out of scope. If a resource still teaches those as primary, it is out of date.
Confusing Autopilot modes. Self-deploying (no user interaction, needs TPM attestation, for kiosks) vs user-driven (standard laptop onboarding) vs pre-provisioning (IT stages the device, user completes). Case studies frequently test which mode fits a scenario.
Under-studying compliance policy action timing. "Mark noncompliant after 1 day" vs "immediately" vs "retire device after 30 days" - the exam rewards knowing the actions-for-noncompliance schedule cold.
Forgetting MAM-WE is for unenrolled devices. App protection policies without enrollment protect corporate data on BYOD without the device joining Intune. If the question is "protect BYOD without MDM enrollment," the answer is MAM-WE.
Ignoring Windows Autopatch prerequisites. Autopatch requires Entra joined or hybrid, supported editions, and Intune MDM authority. Unsupported prerequisites are a case-study trap.
Skipping scripts + remediations. Detection script + remediation script pair is tested as the modern replacement for GPO one-shot fixes.
No timed full-length practice. 100 minutes with case studies + performance-based labs + standalone items is tight. Two timed mocks minimum before test day.

Career Value and Salary (Endpoint Administrator / Modern Workplace Admin, 2026)

Endpoint administrator roles remain one of the most durable IT operations career tracks. Every enterprise that runs Windows fleets, Microsoft Intune, or Modern Workplace tooling needs people who can deploy devices, enforce security, and manage applications. MD-102 is explicitly referenced in many MSP and Modern Work job descriptions.

Source (2026)	Endpoint / Modern Workplace Admin Pay
Glassdoor (US, "Endpoint Administrator")	Median total comp ~$95,000/yr; range $80K-$120K
ZipRecruiter (Intune Administrator, US)	Average $92,000/yr; range $72K-$118K
Salary.com (Desktop/Endpoint Administrator II)	Median $98,000/yr; range $82K-$118K
Robert Half Tech Salary Guide 2026	Desktop / endpoint engineer range $80K-$120K with cert premium
LinkedIn Talent Insights	15,000+ US roles tagged "endpoint administrator" or "Intune administrator"; 10-20% YoY growth

Endpoint Admin Career Ladder

Role	Typical 2026 US Pay	Next Step
Help desk / Tier 1 support	$45K-$65K	Earn MS-900 then MD-102
Endpoint / Intune Administrator (mid)	$80K-$120K	MD-102 + MS-102 or SC-300
Senior Endpoint / Modern Workplace Engineer	$110K-$140K	MD-102 + MS-102 + SC-300 + team lead scope
Modern Workplace Architect	$135K-$175K	MD-102 + MS-102 + AZ-104 + architectural ownership
Endpoint Security / Intune Lead	$140K-$185K+	MD-102 + SC-200 + SC-300 + enterprise scope

The MD-102 + MS-102 pair is the single highest-ROI certification combination for endpoint admins in 2026, unlocking both the Endpoint Administrator Associate title and the M365 Administrator Expert title.

How MD-102 Fits into the Broader Microsoft Certification Path

Exam	Role	When to Sit
MS-900 Microsoft 365 Fundamentals	Entry	Optional warmup if you are new to M365
MD-102 Endpoint Administrator	Endpoint Associate	This exam
MS-102 Microsoft 365 Administrator	Admin Expert	Natural next step after MD-102
SC-300 Identity & Access Administrator	Identity	Deeper Entra / Conditional Access focus
SC-200 Security Operations Analyst	Security ops	Deeper Defender for Endpoint + XDR focus
AZ-104 Azure Administrator	Azure ops	Complementary Azure admin scope
SC-100 Cybersecurity Architect	Architect	Senior/architect-tier capstone

MD-102 + MS-102 + SC-300 is the "Modern Work + Security" trio many enterprises expect.

Keep Training with FREE MD-102 Practice

Practice MD-102 scenario questionsPractice questions with detailed explanations

Frequently Missed 2026 Details (Competitor Guides Get These Wrong)

MD-100 and MD-101 are gone. If a guide recommends taking them first "for background," it is out of date - they retired September 30, 2023.
Microsoft Store for Business is retired. Its replacement is the new Microsoft Store integration in Intune plus WinGet.
Windows Autopatch is tested. The Microsoft-managed update service layered on top of Intune is explicitly in the 2026 outline.
Cloud Kerberos trust is the modern Windows Hello default. Certificate trust and key trust still exist, but Microsoft recommends cloud Kerberos trust for new deployments.
Settings catalog beats templates. For most new configuration profiles, the settings catalog is the modern, granular, and Microsoft-preferred path.
MAM-WE is the BYOD answer. App protection policies without enrollment secure corporate data on personal devices without MDM.
Endpoint DLP overlap: MD-102 focuses on endpoint protection; deep Purview endpoint DLP lives in MS-102 / SC-400. Know the boundary.
Renewal is free and unproctored - and opens 6 months before expiration, not after.

Official Sources Used

Microsoft Learn - Exam MD-102: Endpoint Administrator (skills outline, 2026 revision)
Microsoft Learn - MD-102 Study Guide (aka.ms/MD-102-study-guide)
Microsoft 365 Certified: Endpoint Administrator Associate credential page
Microsoft Intune documentation (learn.microsoft.com/mem/intune)
Microsoft Windows Autopilot documentation
Microsoft Defender for Endpoint documentation (security.microsoft.com)
Microsoft Entra ID / Conditional Access documentation
Pearson VUE Microsoft exam scheduling portal (fee and retake policy)
Microsoft Learn credential renewal policy (6-month renewal window, free online assessment)
Glassdoor / ZipRecruiter / Salary.com / Robert Half - 2026 salary references
LinkedIn Talent Insights - endpoint admin job demand signals

Certification details, fees, and skills measured may be revised by Microsoft. Always confirm current requirements directly on learn.microsoft.com before scheduling.

FREE MD-102 Exam Guide 2026: Pass Microsoft Endpoint Administrator (Intune, Autopilot, Windows 11)

✓Key Facts