Azure MD-102 Cheat Sheet

Prepare Infrastructure

25-30% of exam

Device Identity, Enrollment, Compliance, Conditional Access, Identity Picker

Manage Devices

30-35% of exam

Manage Applications

15-20% of exam

Protect Devices

15-20% of exam

Quick Facts

  • Exam: MD-102
  • Credential: Endpoint Administrator Associate
  • Time: 100 min
  • Pass: 700 scaled
  • Provider: Pearson VUE
  • Platform: Microsoft Intune
  • Renewal: Annual
  • Blueprint: Apr 28 2026

ICE Access

Identify, check, enforce access.

Identity, Compliance, Enforcement

Joined vs Registered

Joined

  • Corporate ownership
  • Work sign-in
  • Full management

Registered

  • Personal ownership
  • Workplace access
  • Light identity

Own vs access

Identity Picker

  1. Cloud corporate Windows → Entra joined
  2. Personal work access → Entra registered
  3. Legacy AD needed → Hybrid joined
  4. Need Intune enrollment → MDM scope
  5. Require healthy device → Compliance policy
  6. Block resource access → Conditional Access

Device Identity

  • Entra joined: Cloud corporate Windows
  • Entra registered: BYOD workplace identity
  • Hybrid joined: AD plus Entra
  • Workgroup: No cloud identity
  • Dynamic device: Attribute membership
  • Security group: Management targeting
  • MDM scope: Auto enrollment gate
  • Primary user: User device affinity

Compliance vs Conditional Access

Compliance

  • Evaluate device
  • Reports health
  • Marks status

Conditional Access

  • Enforces access
  • Grant controls
  • Blocks resources

Measure vs enforce

Enrollment

  • Automatic enrollment: Windows MDM join
  • Device limit: Per-user cap
  • Platform restriction: Block platform ownership
  • Enrollment profile: Platform setup
  • Android fully managed: Corporate user device
  • Android dedicated: Kiosk shared device
  • Work profile: BYOD Android container
  • Apple bulk: Automated enrollment

Identity + Compliance

  • Compliance policy: Health evaluation
  • Grace period: Delayed noncompliance
  • CA policy: Access enforcement
  • Require compliant: Grant control
  • WHfB: Passwordless sign-in
  • Windows LAPS: Local admin rotation
  • Intune RBAC: Admin permissions
  • Local groups: Windows membership

UPS Autopilot

User, pre-stage, self-deploy.

User-driven, Pre-provisioned, Self-deploying

Autopilot vs Provisioning Package

Autopilot

  • Cloud OOBE
  • Profile assigned
  • Internet required

Package

  • Offline capable
  • Technician applies
  • Staged settings

Cloud vs staged

Deployment Picker

  1. User receives laptop → User-driven Autopilot
  2. Kiosk no user → Self-deploying Autopilot
  3. Technician stages apps → Pre-provisioned Autopilot
  4. Limited internet setup → Provisioning package
  5. Persistent contractor desktop → Windows 365
  6. Shared cloud sessions → Azure Virtual Desktop

Autopilot

  • User-driven: User receives device
  • Self-deploying: Kiosk no user
  • Pre-provisioned: Technician stages first
  • Existing devices: Convert during deploy
  • Hardware hash: Manual device import
  • ESP: Block until ready
  • Name template: Automated device names
  • Provisioning package: Offline staged setup

User-Driven vs Self-Deploying

User-driven

  • User signs in
  • Primary user
  • Personal laptop

Self-deploying

  • No user affinity
  • Kiosk devices
  • Shared endpoints

Person vs kiosk

Configuration

  • Settings catalog: Granular settings
  • Templates: Scenario profiles
  • ADMX import: Custom Windows settings
  • Filters: Assignment narrowing
  • Windows multi-session: AVD session hosts
  • Configuration profile: Device settings
  • Policy set: Grouped assignments
  • Assignment status: Deployment evidence

Intune Suite

  • EPM: Privilege elevation
  • Enterprise App Catalog: Packaged apps
  • Advanced Analytics: Endpoint insights
  • Remote Help: Assisted support
  • Cloud PKI: Cloud certificates
  • Tunnel MAM: App-level VPN
  • Device query: KQL inventory
  • Bulk action: Many devices

Remote Actions

  • Sync: Force check-in
  • Restart: Reboot device
  • Retire: Remove corporate data
  • Wipe: Factory reset
  • Fresh Start: Clean Windows
  • Autopilot Reset: Keep Entra identity
  • Rotate key: BitLocker recovery change
  • Update intelligence: Defender signatures

Cloud Desktops

  • Windows 365: Managed Cloud PC
  • AVD: Azure VDI platform
  • Cloud PC policy: Provisioning rules
  • Multi-session: Shared Windows host
  • Resize: Change Cloud PC
  • Reprovision: Recreate Cloud PC
  • Restore: Rollback Cloud PC
  • Region: Cloud PC location

MAM Boundary

Manage app data, not device.

Managed apps, DLP, Selective wipe

App Protection vs Compliance

App protection

  • App data
  • No enrollment possible
  • Selective wipe

Compliance

  • Device health
  • Enrollment required
  • Access signal

App vs device

App Picker

  1. Force app install → Required assignment
  2. Let users install → Available assignment
  3. Protect BYOD data → App protection
  4. Configure app settings → App configuration
  5. Package Windows installer → Win32 app
  6. Deploy Office suite → Microsoft 365 Apps

App Types

  • Win32 app: IntuneWin package
  • LOB app: Custom installer
  • Store app: Platform marketplace
  • Web link: URL shortcut
  • Required: Forced install
  • Available: Company Portal
  • Uninstall: Remove app
  • Detection rule: Install proof

Microsoft 365 Apps

  • ODT: XML deployment tool
  • OCT: Config designer
  • Apps admin center: Office servicing
  • Office policy: App settings
  • Autopilot apps: Install during ESP
  • Update channel: Office cadence
  • Shared activation: Multi-user Office
  • Assignment intent: Install behavior

App Protection

  • MAM: App management
  • MAM-WE: Without enrollment
  • Managed app: Policy-capable app
  • DLP: Data movement rules
  • Selective wipe: Remove corporate data
  • Conditional launch: App health gate
  • App PIN: Managed access
  • Managed browser: Protected web access

App Configuration

  • Managed devices: MDM app config
  • Managed apps: MAM app config
  • IntuneMAMUPN: iOS user hint
  • IntuneMAMOID: iOS object hint
  • IntuneMAMDeviceID: iOS device hint
  • Configuration designer: Key-value UI
  • App filter: MAM targeting
  • Policy delivery: App sign-in dependent

SAFE Protection

Secure, assess, fix, enforce.

Security policy, Defender risk, Remediation, CA

Configuration vs Endpoint Security

Configuration

  • General settings
  • Platform profiles
  • ADMX import

Endpoint security

  • Security workload
  • Firewall encryption
  • ASR antivirus

Settings vs protection

Security Picker

  1. Need recommended defaults → Security baseline
  2. Configure BitLocker → Disk encryption
  3. Block attack techniques → ASR policy
  4. Use threat risk → Defender connector
  5. Set patch cadence → Update rings
  6. Pin Windows release → Feature updates

Endpoint Security

  • Antivirus: Malware protection
  • Disk encryption: BitLocker policy
  • Firewall: Network protection
  • ASR: Attack reduction
  • EDR: Endpoint detection
  • Account protection: Identity hardening
  • Security baseline: Recommended settings
  • Security task: Defender remediation

Update Rings vs Feature Updates

Update rings

  • Deferrals
  • Deadlines
  • Restart behavior

Feature updates

  • Target release
  • Version hold
  • Windows level

Timing vs version

Defender

  • Connector: Intune MDE link
  • Onboarding: Enroll into Defender
  • Device risk: Threat signal
  • Risk compliance: Access condition
  • Security intelligence: AV definitions
  • Tamper protection: Security setting lock
  • Endpoint detection: EDR telemetry
  • Remediation task: Fix request

Updates

  • Update rings: Cadence restart rules
  • Feature updates: Target Windows release
  • Quality updates: Monthly patches
  • Expedited updates: Urgent security patches
  • Driver updates: Hardware drivers
  • Delivery Optimization: Bandwidth sharing
  • Apple updates: iOS macOS policy
  • FOTA: Android firmware updates

Common Traps

Registration Is Not Join

Entra registered vs Entra joined

Compliance Is Not Enforcement

Compliance policy vs Conditional Access policy

BYOD Data Is App

App protection vs Full enrollment

Kiosk Avoids User Affinity

Self-deploying mode vs User-driven mode

Retire Is Not Wipe

Corporate data removal vs Factory reset

Rings Are Not Versions

Update timing vs Feature target

Assignment Is Not Success

Assigned policy vs Device applied

Last Minute

  1. Prepare plus Manage dominate weight
  2. Entra join before Intune policy
  3. Compliance evaluates, CA enforces
  4. Filters narrow assignments dynamically
  5. Autopilot needs device registration
  6. ESP blocks until required setup
  7. MAM protects unenrolled BYOD apps
  8. Required installs; Available offers
  9. Baselines are recommended defaults
  10. Defender risk can drive compliance
  11. Rings schedule; feature pins version
  12. Retire removes company data