


To earn the Microsoft 365 Certified: Endpoint Administrator Associate credential, you must pass Exam MD-102: Endpoint Administrator. This exam measures your ability to deploy, configure, protect, manage, and monitor devices and client applications in a Microsoft 365 environment.
Below is a highly detailed exam content outline based on the core syllabus and domain measurements.
Exam Overview
Exam Code: MD-102
Duration: 120 Minutes
Question Count: 40–60 questions (Multiple choice, case studies, drag-and-drop, and performance-based scenarios)
Passing Score: 700 / 1000
Detailed Exam Domains & Skills Measured
1. Prepare Infrastructure for Devices (25–30%)
This domain focuses on setting up the underlying environment—identities, network requirements, and enrollment mechanisms—necessary to manage endpoints via the cloud.
Key Sub-domains & Technical Tasks:
Add devices to Microsoft Entra ID:
Choose appropriate device join types based on organizational needs (Microsoft Entra join, Microsoft Entra hybrid join, or Microsoft Entra registered).
Configure settings to join or register devices to Microsoft Entra ID.
Plan and implement dynamic or static groups for devices in Microsoft Entra ID.
Enroll devices into Microsoft Intune:
Configure general enrollment restrictions and device platform restrictions.
Set up automatic enrollment for Windows devices (MDM user scope).
Configure bulk enrollment methods for Windows, iOS/iPadOS, and Android.
Configure specialized Android enrollment profiles (Fully Managed, Dedicated, Corporate-Owned with Work Profile, and Personally-Owned Work Profile).
Implement identity and compliance infrastructure:
Configure Role-Based Access Control (RBAC) and delegate administrative roles in Intune.
Implement and manage compliance policies across all supported platforms (Windows, iOS, macOS, Android).
Configure tenant-wide conditional access policies integrated with device compliance status.
2. Manage and Maintain Devices (30–35%)
This domain covers the day-to-day lifecycle management of endpoints, provisioning strategies, and modern cloud-based capabilities.
Key Sub-domains & Technical Tasks:
Deploy and upgrade Windows clients using cloud tools:
Evaluate options between Windows Autopilot and provisioning packages (via Windows Configuration Designer).
Configure Windows Autopilot deployment modes (User-driven, Self-deploying, and Pre-provisioned/White Glove deployment).
Establish device name templates and assign deployment profiles.
Manage Windows 10/11 upgrade paths and enablement packages.
Plan and implement device configuration profiles:
Create and assign device configuration profiles for Windows, macOS, Android, and iOS/iPadOS.
Import and implement ADMX-backed/Custom Administrative Templates for Windows configuration.
Configure Windows 11 Enterprise multi-session devices (such as Azure Virtual Desktop or Windows 365).
Target profiles precisely using Intune Filters and assignment groups.
Implement Intune Suite add-on capabilities:
Configure Endpoint Privilege Management (EPM) to manage standard vs. admin privilege workflows.
Deploy apps seamlessly via the Enterprise App Catalog.
Implement and interpret Microsoft Intune Advanced Analytics for proactive endpoint monitoring.
Configure and use Remote Help for secure helpdesk remediation.
Understand use cases for Microsoft Cloud PKI and Microsoft Tunnel for Mobile Application Management (MAM).
Perform remote actions on devices:
Execute administrative commands: Sync, Restart, Remote Lock, Retire, or Wipe.
Manage bulk remote actions at scale.
Perform specialized security actions like forcing BitLocker recovery key rotation or triggering Microsoft Defender Antivirus intelligence updates.
Run live device telemetry queries using Kusto Query Language (KQL via device query).
3. Manage Applications (15–20%)
Endpoint administrators are responsible for ensuring users have secure, managed access to required applications across both corporate and personal devices.
Key Sub-domains & Technical Tasks:
Deploy and update applications:
Prepare and wrap custom applications for deployment (e.g., using the Microsoft Win32 Content Prep Tool to create .intunewin files).
Deploy diverse application types: Store apps, Web apps, Line-of-Business (LOB) apps, and Win32 apps.
Configure and deploy Microsoft 365 Apps (formerly Office 365 ProPlus) utilizing the Office Customization Tool.
Configure specialized policies for Office apps, including cloud policy services.
Plan and implement App Protection Policies (APP/MAM):
Design and deploy App Protection Policies to protect corporate data within applications without requiring full device enrollment (MAM-WE).
Configure data transfer restrictions (e.g., block cut/copy/paste between managed and unmanaged apps).
Implement Microsoft Entra Conditional Access targeting specific app protection layers.
4. Protect Devices (15–20%)
This domain covers securing endpoints against external threats, malware, data leaks, and unauthorized access using built-in security features.
Key Sub-domains & Technical Tasks:
Configure endpoint security policies:
Deploy Antivirus policies (Microsoft Defender Antivirus settings).
Deploy Disk Encryption policies (BitLocker for Windows, FileVault for macOS).
Create and manage host-based Firewall policies.
Configure Attack Surface Reduction (ASR) rules to reduce vulnerability vectors.
Deploy and maintain industry standard Security Baselines via Intune.
Integrate and manage Microsoft Defender for Endpoint (MDE):
Establish the tenant-to-tenant connection between Microsoft Intune and Microsoft Defender for Endpoint.
Onboard endpoint client devices into MDE using configuration profiles.
Review and remediate vulnerabilities reported within the endpoint dashboard.
Manage device updates using Intune:
Create and manage Windows update rings (controlling quality updates, feature updates, and driver updates).
Configure update policies for non-Windows operating systems, including iOS/iPadOS and macOS updates.
Manage Android firmware updates using configuration profiles or Firmware-Over-The-Air (FOTA) deployment policies.
Recommended Prerequisites & Lab Practice
To pass this exam with confidence, you should couple theoretical study with hands-on practice in a trial environment:
Set up a Microsoft 365 Sandbox: Utilize a free Microsoft 365 Developer Tenant to gain full access to Microsoft Intune and Entra ID P2 features.
Practice App Wrapping: Take an open-source .exe or .msi, convert it using the Win32 Content Prep Tool, and successfully deploy it to a virtual machine.
Test Autopilot: Configure a virtual machine hardware hash, import it into your lab, and simulate a user-driven Autopilot deployment.