Microsoft MD-102 Endpoint Administrator Practice Test

MD-102 is a Microsoft 365 route for administrators deploying, securing, and managing endpoints with Microsoft Intune and related services.

IT Mastery coverage for MD-102 is under review. Use this page to try 12 original sample questions, review the route fit, likely assessed areas, and related live practice pages.

Route snapshot

• Issuer: Microsoft
• Family: Microsoft 365
• Exam code: MD-102
• Route name: Endpoint Administrator
• Current IT Mastery status: Sample questions

What to review first

Related live or adjacent routes

Practice options

• IT Mastery coverage for this exam: under review
• Best use right now: try the 12 sample questions, confirm that MD-102 is your target exam, then use the closest live Azure, Microsoft, security, data, DevOps, or IT fundamentals pages while coverage expands
• Update form: use the Notify me form near the top of this page if MD-102 is your actual target exam
• Quick review: open the MD-102 cheat sheet if you need a compact Intune, endpoint security, and device-lifecycle checklist before the sample questions.

Sample Exam Questions

Try these 12 original sample questions for Microsoft MD-102. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: endpoint enrollment

A company wants Windows devices automatically enrolled and managed when users sign in. What should the admin plan?

• A. Windows enrollment with Microsoft Entra ID, Intune, and deployment profile settings.
• B. Manual screenshots of every device.
• C. A public file share.
• D. No identity integration.

Best answer: A

Explanation: MD-102 focuses on endpoint deployment and management. Enrollment strategy drives device control.

What this tests: Planning endpoint enrollment.

Question 2

Topic: compliance policy

Corporate apps should be available only on encrypted and healthy devices. What should be configured?

• A. No compliance checks.
• B. Device compliance policies and Conditional Access that uses compliance state.
• C. A Teams meeting policy only.
• D. A DNS zone.

Best answer: B

Explanation: Intune compliance can feed Conditional Access so only compliant devices can access protected resources.

What this tests: Using device compliance for access control.

Question 3

Topic: configuration profiles

A setting must disable removable storage on managed Windows devices. What should the admin use?

• A. A manual email to users only.
• B. A public anonymous group.
• C. An Intune configuration profile or security baseline setting that enforces the policy.
• D. A mailbox retention label.

Best answer: C

Explanation: Configuration profiles and baselines enforce endpoint settings consistently.

What this tests: Applying endpoint configuration policies.

Question 4

Topic: application deployment

A required security agent must install on all corporate laptops. What should be configured?

• A. Optional install with no targeting.
• B. A shared password note.
• C. A random SharePoint folder.
• D. A required app deployment targeted to the correct device or user group.

Best answer: D

Explanation: Endpoint administrators deploy apps through managed assignment, detection, and reporting.

What this tests: Managing app deployment.

Question 5

Topic: update rings

Devices need Windows updates without disrupting all users on the same day. What should be designed?

• A. Update rings or staged deployment groups with monitoring and rollback planning.
• B. Install updates randomly with no pilot group.
• C. Disable updates permanently.
• D. Ask users to self-report patch status only.

Best answer: A

Explanation: Update rings help stage rollout and reduce deployment risk.

What this tests: Managing Windows update strategy.

Question 6

Topic: Autopilot

New laptops should ship directly to users and configure themselves during first sign-in. Which capability fits?

• A. Manual imaging in every user’s home.
• B. Windows Autopilot with Intune enrollment and deployment profiles.
• C. No enrollment process.
• D. A spreadsheet of serial numbers only.

Best answer: B

Explanation: Autopilot supports modern deployment without traditional reimaging for many scenarios.

What this tests: Using Windows Autopilot.

Question 7

Topic: endpoint security

A baseline should configure firewall, antivirus, and attack-surface reduction settings. What should be used?

• A. A local sticky note.
• B. No security profile.
• C. Endpoint security policies or security baselines in Intune.
• D. A public Wi-Fi password.

Best answer: C

Explanation: Intune endpoint security policies centralize security settings for managed devices.

What this tests: Applying endpoint security baselines.

Question 8

Topic: device troubleshooting

A device does not receive a policy. What should the admin inspect first?

• A. The user’s monitor size.
• B. The office printer model.
• C. The tenant marketing name.
• D. Assignment targeting, enrollment state, sync status, filters, and device diagnostics.

Best answer: D

Explanation: Policy delivery issues usually involve targeting, enrollment, sync, filters, or conflicts.

What this tests: Troubleshooting Intune policy deployment.

Question 9

Topic: BYOD protection

Users access email from personal phones. The company wants to protect app data without full device management. What should be considered?

• A. App protection policies for managed apps.
• B. Full local administrator rights on personal phones.
• C. No controls because devices are personal.
• D. A Windows-only update ring.

Best answer: A

Explanation: App protection policies can protect corporate data inside managed apps without full device enrollment.

What this tests: Managing BYOD app protection.

Question 10

Topic: device retirement

An employee leaves and returns a corporate laptop. What should the endpoint admin do?

• A. Leave all data and access untouched.
• B. Retire, wipe, or reset the device according to ownership, data, and reuse requirements.
• C. Share the user’s password with the next employee.
• D. Delete audit records.

Best answer: B

Explanation: Offboarding devices requires the right action based on corporate ownership and data risk.

What this tests: Handling endpoint lifecycle actions.

Question 11

Topic: local admin

Users have local admin rights and install unmanaged software. What should be reviewed?

• A. Permanent local admin for everyone.
• B. No inventory.
• C. Endpoint privilege management, app control, and least-privilege device settings.
• D. Disabling security logs.

Best answer: C

Explanation: Endpoint administrators should reduce unnecessary local privilege and control software risk.

What this tests: Reducing endpoint privilege risk.

Question 12

Topic: route fit

A candidate manages Windows endpoints, Intune, compliance, apps, and device security. Which route is closest?

• A. MS-900 only.
• B. SC-100 only.
• C. DP-750 only.
• D. MD-102.

Best answer: D

Explanation: MD-102 is the Endpoint Administrator route for Microsoft 365 endpoint management.

What this tests: Choosing the endpoint administrator route.

MD-102 endpoint administration map

Use this map to connect the sample questions to the Microsoft 365 administration decisions this route usually tests.

    flowchart LR
	  S1["Device enrollment"] --> S2
	  S2["Configuration policy"] --> S3
	  S3["Application deployment"] --> S4
	  S4["Security baseline"] --> S5
	  S5["Compliance evaluation"] --> S6
	  S6["Monitor and remediate"]

Quick Cheat Sheet

Mini Glossary

• Compliance policy: Rule set that evaluates whether a device meets organization requirements.
• Configuration profile: Intune policy object that applies settings to devices or users.
• Endpoint security baseline: Recommended security configuration set for managed devices.
• Intune: Microsoft endpoint management service.
• Windows Autopilot: Cloud-driven Windows device provisioning and enrollment approach.

Microsoft MD-102 practice update

Use this page to review MD-102 sample questions and use the Notify me form for updates. The related pages below help you compare adjacent IT Mastery Microsoft 365 practice options before choosing what to study next.

What to open next

• Microsoft Certification Practice Hub for the full Microsoft taxonomy
• Microsoft 365 Certification Practice Hub for related Microsoft 365 routes
• IT Exams for current live IT Mastery practice pages

In this section

• Microsoft MD-102 Cheat Sheet: Endpoint Administrator
  Review the Microsoft Endpoint Administrator (MD-102) scope, Microsoft Intune, enrollment, compliance, Autopilot, app deployment, endpoint security, updates, and troubleshooting traps before practicing.