Audience Profile and Endpoint Admin Mental Model
Key Takeaways
- The MD-102 candidate manages devices and client applications in a Microsoft 365 tenant by using Microsoft Intune.
- The role spans efficient endpoint deployment, management at scale, identity, security, access, policies, updates, and apps.
- Microsoft expects experience with Microsoft Entra ID, Microsoft 365 technologies, Intune, Windows client, and non-Windows devices.
- Strong MD-102 answers usually start by identifying ownership, join state, enrollment path, target group, compliance requirement, and risk level.
- Endpoint administrators collaborate with architects, Microsoft 365 administrators, security administrators, and workload administrators.
Who Microsoft Is Testing
The official audience profile describes a candidate with subject matter expertise managing devices and client applications in a Microsoft 365 tenant by using Microsoft Intune. That language is important. MD-102 is not just a Windows support exam and not just a theory exam about cloud management. It is a role-based exam for administrators who turn business requirements into endpoint policies, deployments, controls, and operations.
Microsoft calls out tools and services that commonly appear together in real environments: Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Microsoft Security Copilot, Microsoft Defender for Endpoint, Microsoft Entra ID, Azure Virtual Desktop, and Windows 365. You do not need to be a deep specialist in every adjacent product, but you must understand why each one appears in endpoint scenarios.
| Exam role phrase | What it means in practice | Scenario clue |
|---|---|---|
| Efficient deployment | Choose the provisioning or enrollment path that fits ownership and location | New remote laptops, kiosk devices, shared devices, bring-your-own devices |
| Management at scale | Use groups, filters, profiles, assignments, and reporting instead of manual device work | Thousands of devices, phased rollout, different platforms |
| Identity and access | Tie device state to Microsoft Entra ID and Conditional Access | Require compliant device, join type, Windows Hello for Business |
| Policies and updates | Configure settings, security baselines, update rings, and platform-specific update policies | Standardize Windows, macOS, iOS, Android, or multi-session devices |
| Apps | Deploy, configure, update, and protect client applications | Microsoft 365 Apps, app stores, app protection, app configuration |
| Security operations | Integrate endpoint security with Defender and respond to risk | Antivirus, encryption, firewall, attack surface reduction, onboarding |
The Endpoint Admin Mental Model
When you read an MD-102 question, first decide what kind of endpoint problem is being described. Most scenarios can be broken into six decisions:
- Identity state: Is the device Microsoft Entra joined, Microsoft Entra registered, hybrid joined, or not yet enrolled?
- Ownership and platform: Is it corporate-owned, personally owned, shared, kiosk, Windows, macOS, iOS/iPadOS, Android, Windows 365, or Azure Virtual Desktop?
- Enrollment and provisioning path: Does the scenario call for Windows Autopilot, automatic enrollment, bulk enrollment, Android Enterprise, Apple enrollment, or provisioning packages?
- Targeting model: Should the policy use users, devices, groups, filters, dynamic membership, or a staged assignment?
- Control objective: Is the requirement about compliance, configuration, app deployment, app protection, endpoint security, updates, or remote action?
- Evidence and remediation: What report, device action, query, or policy status would prove the configuration is working?
This model prevents common exam mistakes. For example, a question about unmanaged personal phones and corporate data is often an app protection problem, not a full device compliance problem. A question about a brand-new remote Windows laptop is often an Autopilot and enrollment decision, not an image deployment decision. A question about requiring compliant devices for access is both an Intune compliance policy and a Microsoft Entra Conditional Access design.
Collaboration Matters
The audience profile also says the endpoint administrator collaborates with architects, Microsoft 365 administrators, security administrators, and other workload administrators. On the exam, that translates into boundary awareness. You may choose or implement endpoint controls, but the scenario may also depend on tenant identity design, security operations, application ownership, network access, or licensing. A good answer fits the endpoint role without pretending Intune alone solves every Microsoft 365 governance problem.
Match each MD-102 scenario clue to the best endpoint administrator concern.
Match each item on the left with the correct item on the right
A scenario says users bring personal iOS and Android devices, but the company does not want to fully enroll those devices. The requirement is to prevent corporate data from being copied to unmanaged apps. Which mental-model decision should come first?