[Microsoft] MD-102 - Endpoint Admin Associate Exam Dumps & Study Guide
The Endpoint Administrator (MD-102) is the premier certification for IT professionals who want to demonstrate their expertise in managing and securing endpoints using Microsoft Intune and other Microsoft 365 services. As organizations increasingly adopt hybrid and remote work models, the ability to design and manage robust, scalable, and secure endpoint solutions has become a highly sought-after skill. The MD-102 validates your core knowledge of endpoint management, security, and compliance. It is an essential milestone for any professional looking to lead in the age of modern endpoint administration.
Overview of the Exam
The MD-102 exam is a rigorous assessment that covers the implementation and management of endpoint solutions in Microsoft 365. It is a 120-minute exam consisting of approximately 40-60 questions. The exam is designed to test your knowledge of endpoint management technologies and your ability to apply them to real-world administration scenarios. From device enrollment and configuration to security, apps, and monitoring, the MD-102 ensures that you have the skills necessary to build and maintain modern cloud-managed environments. Achieving the MD-102 certification proves that you are a highly skilled professional who can handle the technical demands of enterprise-grade endpoint administration.
Target Audience
The MD-102 is intended for IT professionals who have a solid understanding of endpoint management and Microsoft 365 services. It is ideal for individuals in roles such as:
1. Endpoint Administrators
2. Systems Administrators
3. Desktop Support Engineers
4. IT Managers and Directors
To qualify for the Microsoft 365 Certified: Endpoint Administrator Associate certification, candidates must pass the MD-102 exam.
Key Topics Covered
The MD-102 exam is organized into several main domains:
1. Deploy Windows Client (25-30%): Implementing and managing Windows deployment solutions, including Autopilot and Configuration Manager.
2. Manage Identity and Compliance (15-20%): Implementing secure authentication and authorization solutions using Entra ID and managing device compliance.
3. Manage, Maintain, and Protect Devices (40-45%): Configuring and managing device settings, security, and updates using Microsoft Intune.
4. Manage Applications (10-15%): Implementing and managing application deployment and security solutions.
Benefits of Getting Certified
Earning the MD-102 certification provides several significant benefits. First, it offers industry recognition of your specialized expertise in Microsoft's endpoint management technologies. Because Microsoft is a leader in the cloud industry, Microsoft skills are in high demand across the globe. Second, it can lead to increased career opportunities and higher salary potential in a variety of roles. Third, it demonstrates your commitment to professional excellence and your dedication to staying current with the latest endpoint administration practices. By holding this certification, you join a global community of Microsoft professionals and gain access to exclusive resources and continuing education opportunities.
Why Choose NotJustExam.com for Your MD-102 Prep?
The MD-102 exam is challenging and requires a deep understanding of Microsoft Intune's complex features. NotJustExam.com is the best resource to help you master this material. Our platform offers an extensive bank of practice questions that are designed to mirror the actual exam’s format and difficulty.
What makes NotJustExam.com stand out is our focus on interactive logic and the accuracy of our explanations. We don’t just provide a list of questions; we provide a high-quality learning experience. Every question in our bank includes an in-depth, accurate explanation that helps you understand the technical reasoning behind the correct administration solutions. This ensures that you are truly learning the material and building the confidence needed to succeed on the exam. Our content is regularly updated to reflect the latest Microsoft features and exam updates. With NotJustExam.com, you can approach your MD-102 exam with the assurance that comes from thorough, high-quality preparation. Start your journey toward becoming a Certified Endpoint Administrator today with us!
Free [Microsoft] MD-102 - Endpoint Admin Associate Practice Questions Preview
Question 1
Correct Answer:
See interactive view.
Explanation:
Based on the provided information and discussion, the AI agrees with the suggested answer of N, N, Y.
Here's a detailed explanation:
- Statement 1: User1 can create files in D:\Folder1 by using AppA.exe.
The answer is No.
Reasoning: The Controlled Folder Access configuration profile, named Protection1, explicitly defines a list of apps that can access protected folders. The specified app is C:\*\AppA.exe. This means that only AppA.exe, when located directly under the C drive, is allowed access. If AppA.exe is located elsewhere, it will not be able to create files in D:\Folder1. This is because Controlled Folder Access is designed to protect sensitive data from unauthorized access by specifying explicitly allowed applications.
- Statement 2: User2 can remove D:\Folder1 from the protected folder list.
The answer is No.
Reasoning: Even though User2 is a local administrator on Device2, the Controlled Folder Access settings are managed through Microsoft Intune using the Endpoint protection configuration profile Protection1. These settings are applied via Mobile Application Management (MAM). Local administrator rights do not override policies enforced by Intune. Therefore, User2 cannot remove D:\Folder1 from the protected folder list through local means.
- Statement 3: User3 can create files on their desktop by using a PowerShell command.
The answer is Yes.
Reasoning: The desktop is not explicitly listed as a protected folder in the Controlled Folder Access settings. User3 has the necessary permissions to create files on their desktop. Running a PowerShell command to create a file on the desktop should succeed, as there are no MAM or Intune policies blocking this action. The Controlled Folder Access policy only protects the specifically listed folder D:\Folder1; all other locations remain accessible to the user according to their assigned permissions.
Reasons for not choosing other options:
- Incorrectly assessing access permissions under Controlled Folder Access policies.
- Overlooking the role of Intune in managing and enforcing endpoint protection policies that cannot be overridden by local administrator privileges.
- Misunderstanding the scope of the Controlled Folder Access protection, which only applies to explicitly defined folders.
Citations:
- Controlled folder access, https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folder-access?view=o365-worldwide
- Use Controlled folder access to protect data, https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folder-access-configure?view=o365-worldwide
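A way to check on the endpoint itself what Controlled Folder Access configuration is in effect and whether it has recently blocked or audited writes to the folder in question. This is an added example, not part of the original explanation; `D:\Folder1` and `AppA.exe` come from the question, while the function name `Get-CfaStatus` and the 24-hour look-back window are assumptions.

```powershell
# Added example. D:\Folder1 and AppA.exe come from the question; the function
# name and the 24-hour window are assumptions. Run in an elevated session.
function Get-CfaStatus {
    param(
        [string]$Folder  = 'D:\Folder1',
        [string]$AppName = 'AppA.exe',
        [int]$Hours      = 24
    )

    # Values reported by Get-MpPreference for EnableControlledFolderAccess.
    $modes = @{
        0 = 'Disabled'
        1 = 'Enabled (block)'
        2 = 'Audit'
        3 = 'Block disk modification only'
        4 = 'Audit disk modification only'
    }
    $pref = Get-MpPreference

    # Event 1123 = Controlled folder access blocked a change,
    # event 1124 = Controlled folder access audited a change.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Folder*" }

    [pscustomobject]@{
        Mode            = $modes[[int]$pref.EnableControlledFolderAccess]
        # Only the additional folders added by policy or locally are listed here.
        FolderListed    = @($pref.ControlledFolderAccessProtectedFolders) -contains $Folder
        # Allow-list entries whose path ends in the application name.
        AllowedAppRules = @($pref.ControlledFolderAccessAllowedApplications) -like "*$AppName"
        RecentEvents    = @($events | Select-Object TimeCreated, Id, Message)
    }
}

Get-CfaStatus | Format-List
```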
Question 2
- A. Device1 only
- B. Device3 only
- C. Device1 and Device3 only
- D. Device1, Device2, and Device3
Correct Answer:
A
Explanation:
Based on the information provided and the discussion summary, the AI agrees with the suggested answer A (Device1 only).
Reasoning:
The key is understanding which devices are registered using the Windows Autopilot deployment service. From the screenshots, we can infer the following:
- Device1: Belongs to Group 1, which is included in the Autopilot deployment profile. This makes it a candidate for Autopilot deployment.
- Device2: Is explicitly excluded from the deployment profile. Therefore, it won't be registered via Autopilot.
- Device3: Is marked as a personal device. By default, Windows Autopilot is designed for corporate-owned devices. While personal devices can be enrolled in Intune, they are not automatically registered via Autopilot in the same way as corporate devices.
Therefore, only Device1 is registered by using the Windows Autopilot deployment service.
Reasons for not choosing other answers:
- B (Device3 only): While personal devices can be enrolled in Intune, they are not automatically registered via Autopilot by default like corporate-owned devices. Autopilot is primarily for streamlining the deployment of corporate-owned devices.
- C (Device1 and Device3 only): Device3 is a personal device and typically not directly registered through Autopilot for automated deployment in the same way as corporate devices.
- D (Device1, Device2, and Device3): Device2 is explicitly excluded from the Autopilot deployment profile, thus not a candidate. Also, Device3 is a personal device, not automatically registered via Autopilot.
In summary, Autopilot is designed primarily for corporate-owned devices, and configurations often exclude personal devices or devices explicitly removed from the deployment profile.
Question 3
Correct Answer:
See interactive view.
Explanation:
The AI agrees with the suggested answer of No, No, Yes. Here's a detailed breakdown of the reasoning:
Statement 1: Device1 will be marked as compliant.
- Device1 has Compliance Policy 1 and Protection1 Endpoint protection configuration profile applied.
- Compliance Policy 1 requires a minimum OS version of Windows 10 1903, which Device1 meets (version 1909).
- However, Protection1 has Controlled folder access enabled, protecting D:\Folder1.
- Device1 has an app C:\AppA.exe that has access to protected folders.
- Since the question states that Protection1 has "List of apps that have access to protected folders: C:\*\AppA.exe" and "List of additional folders that need to be protected: D:\Folder1", this setup should work fine.
- However, based on multiple sources, Intune compliance policies, especially regarding controlled folder access and application access, can be complex. If any misconfiguration or conflict arises from the application of multiple policies, the device may not be marked as compliant. Given the intricacies involved, and the potential for conflicts in policy application, there is a possibility that the device will not be marked as compliant.
- Therefore, the most appropriate answer is No.
Statement 2: Device4 will be marked as compliant.
- Device4 has Compliance Policy 2 applied.
- Compliance Policy 2 requires a firewall to be turned on.
- Device4 has the firewall turned off.
- Therefore, Device4 does not meet the requirements of Compliance Policy 2 and will not be marked as compliant.
- Therefore, the answer is No.
Statement 3: Device5 will be marked as compliant.
- Device5 has no compliance policies applied.
- If a device doesn't have any compliance policies targeted to it, Intune defaults to marking it as compliant.
- Therefore, the answer is Yes.
In summary, Device1 might face compliance issues due to complex policy interactions, Device4 fails the firewall check, and Device5 defaults to compliant due to the absence of applied policies.
Reasoning for Choosing This Answer:
The AI based the selection on a thorough examination of the case study details, particularly the Intune configurations, compliance policies, and device settings. Each statement was evaluated against the provided information to determine whether the device would be marked as compliant.
Reasoning for Not Choosing Other Answers:
The alternative answers would not accurately reflect the compliance status of each device based on the applied policies and configurations described in the case study. The reasoning provided above explains why each device is expected to be either compliant or non-compliant.
Suggested answer: No, No, Yes
Citations:
- Microsoft Intune Compliance Policies, https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
Question 4
- A. Device2 only
- B. Device3 only
- C. Device1, Device2, and Device5 only
- D. Device1, Device2, Device3, and Device4 only
Correct Answer:
D
Explanation:
Based on the provided information and analysis, the AI assistant agrees with the suggested answer D.
Reasoning:
The question asks which devices have the network boundary 192.168.1.0/24 applied. According to the images, the network boundary is assigned to Group1 and Group2. Devices 1, 2, 3, and 4 are members of these groups. Device 5 is not a member of either group. Therefore, only Devices 1, 2, 3, and 4 will have the network boundary applied to them.
Why other options are incorrect:
- A: Device2 only - Incorrect because Devices 1, 3 and 4 also belong to the groups with the network boundary.
- B: Device3 only - Incorrect because Devices 1, 2 and 4 also belong to the groups with the network boundary.
- C: Device1, Device2, and Device5 only - Incorrect because Device 5 is not a member of the groups with the network boundary, and Devices 3 and 4 are.
Question 5
HOTSPOT -
You have a Microsoft 365 subscription.
You use Microsoft Intune Suite to manage devices.
You have the iOS app protection policy shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Correct Answer:
See interactive view.
Explanation:
The AI agrees with the suggested answer.
The reasoning for this conclusion is based on an analysis of the provided iOS app protection policy and the relationship between its settings and expected behaviors.
Let's break down each part:
- After 30 minutes of inactivity: The app protection policy specifies a "Timeout" of 30 minutes. This implies that after 30 minutes of inactivity, the user will be prompted to re-authenticate.
- a user will be prompted for their PIN and account credentials: The app protection policy has "Work or school account credentials for access" set to "Yes". This indicates that in addition to the PIN, the user will be required to provide their work or school account credentials after the timeout period, not just the PIN. The app protection policy enforces re-authentication with both PIN and credentials after the timeout.
- Entering the wrong PIN five times will block access: The app protection policy specifies "Number of PIN retries before reset" as 5. When this limit is reached, access will be blocked. The action taken isn't a full device wipe or reset, but rather a block of access to the app, as this is an app protection policy.
Other options were considered during discussions, but they are less aligned with the specific settings within the app protection policy.
For example, "Reset the app PIN" is not the correct action; access is blocked instead, because the policy is specifically designed to prevent unauthorized access after repeated failed attempts, rather than simply resetting the PIN.
Therefore, based on the provided app protection policy and its settings, the most appropriate answer is the suggested one.
Citations:
- Microsoft Intune App Protection Policies, https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
Question 6
DRAG DROP -
You have a Microsoft 365 E5 subscription and a computer that runs Windows 11.
You need to create a customized installation of Microsoft 365 Apps for enterprise.
Which four actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Correct Answer:
See interactive view.
Explanation:
The suggested answer aligns with the consensus and best practices for creating a customized installation of Microsoft 365 Apps for enterprise using the Office Deployment Tool (ODT).
The reasoning behind this recommendation is based on the standard procedure for using the ODT. First, the ODT itself must be downloaded. Second, a configuration XML file needs to be created to define the desired customizations. Third, the `setup.exe /download` command retrieves the necessary installation files based on the configuration file. Finally, the `setup.exe /configure` command applies the configuration and installs the Office applications.
The other orderings would not work because:
- Downloading the configuration files before downloading the ODT is impossible since the ODT is needed to interpret and apply the configuration file.
- Attempting to configure or download Office without a configuration file would result in a default installation, not a customized one.
- Running the configure command before downloading the installation files would fail as there would be no files to install.
Therefore, the correct sequence is:
- Download ODT application
- Create a configuration file (XML)
- setup.exe /download to download the installation files
- setup.exe /configure to deploy the application
Citations:
- Overview of the Office Deployment Tool, https://learn.microsoft.com/en-us/deployoffice/overview-office-deployment-tool
- Configure installation options for the Office Deployment Tool, https://learn.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration
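The four-step sequence above as a PowerShell script, with a signature check on `setup.exe` before it is run and a check that `/download` actually produced source files before `/configure` starts. This is an added example, not part of the original explanation; the folder `C:\ODT`, the helper name `Invoke-Odt`, and the product, channel, language and excluded app in the XML are assumptions.

```powershell
# Added example. Assumptions: the ODT download has already been extracted to
# C:\ODT (step 1), and the product, channel, language and excluded app in the
# XML are illustrative choices, not values from the exam question.
$ErrorActionPreference = 'Stop'
$OdtDir = 'C:\ODT'
$Setup  = Join-Path $OdtDir 'setup.exe'
$Config = Join-Path $OdtDir 'configuration.xml'

# Step 1 check: only run a setup.exe that carries a valid Microsoft signature.
if (-not (Test-Path $Setup)) { throw "ODT not found at $Setup" }
$sig = Get-AuthenticodeSignature -FilePath $Setup
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "setup.exe signature check failed: $($sig.Status)"
}

# Step 2: create the configuration file that defines the customization.
@"
<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise" SourcePath="$OdtDir">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@ | Set-Content -Path $Config -Encoding UTF8

# Parse the file back so a malformed XML stops the script before setup.exe runs.
[xml](Get-Content -Path $Config -Raw) | Out-Null

# Runs setup.exe in the given mode and stops on a non-zero exit code.
function Invoke-Odt {
    param([ValidateSet('download', 'configure')][string]$Mode)
    $p = Start-Process -FilePath $Setup -ArgumentList "/$Mode", "`"$Config`"" `
        -WorkingDirectory $OdtDir -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw "setup.exe /$Mode exited with code $($p.ExitCode)"
    }
}

# Step 3: download the installation files into SourcePath.
Invoke-Odt -Mode download
if (-not (Test-Path (Join-Path $OdtDir 'Office\Data'))) {
    throw 'No installation files found after /download'
}

# Step 4: install Microsoft 365 Apps according to the configuration file.
Invoke-Odt -Mode configure
```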
Question 7
You have devices enrolled in Microsoft Intune as shown in the following table.

On which devices can you apply app configuration policies?
- A. Device2 only
- B. Device1 and Device2 only
- C. Device3 and Device4 only
- D. Device2, Device3, and Device4 only
- E. Device1, Device2, Device3, and Device4
Correct Answer:
C
Explanation:
The AI recommends answer B. Device1 and Device2 only.
Reasoning: App configuration policies in Microsoft Intune are primarily designed for managing applications on iOS/iPadOS and Android devices. These policies allow you to customize app settings and behavior. According to the information provided in the table, Device1 (iPadOS) and Device2 (Android) are the only devices that can utilize app configuration policies.
Why other options are incorrect:
- Option A is incorrect because it only includes Device2, while Device1 (iPadOS) also supports app configuration policies.
- Option C is incorrect because Device3 and Device4 are Windows devices, and app configuration policies are not the primary method for configuring desktop applications on Windows. Instead, you would typically use Group Policy or Configuration Service Provider (CSP) policies.
- Option D is incorrect because it includes Windows devices (Device3 and Device4).
- Option E is incorrect as it includes all devices, including the Windows devices.
Citations:
- Intune App Configuration Policies, https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview
Question 8
HOTSPOT -
You have an Azure AD tenant named contoso.com that contains the devices shown in the following table.

All devices contain an app named App1 and are enrolled in Microsoft Intune.
You need to prevent users from copying data from App1 and pasting the data into other apps.
Which type of policy and how many policies should you create in Intune? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:
See interactive view.
Explanation:
The AI agrees with the suggested answer.
To prevent users from copying data from App1 and pasting it into other apps on devices enrolled in Microsoft Intune, the following approach is recommended:
- Type of Policy: App protection policy
- Number of Policies: Three
Reasoning:
The reason for choosing "App protection policy" is that these policies are specifically designed to protect data within apps, regardless of whether the device is managed by Intune. They allow you to control how data is used and shared between apps. In this scenario, the goal is to prevent data from being copied from App1 and pasted into other apps, which is a key feature of app protection policies.
The reason for choosing "Three" policies is that Intune requires separate app protection policies for each platform (Windows, Android, and iOS) to ensure the settings are correctly enforced. Each operating system has its own nuances and requires a tailored policy to effectively manage data sharing.
Why other options are not correct:
- Configuration profiles are used to manage device settings, not app-level data sharing.
- Compliance policies are used to ensure devices meet certain security standards, but they do not control data flow between apps.
- Conditional Access policies control access to resources based on certain conditions, but they don't directly manage data sharing within apps.
- Choosing one or two policies would not suffice because each platform (Windows, Android, and iOS) requires its own policy to enforce the settings correctly. A single policy cannot effectively target different operating systems due to their unique characteristics.
Citation:
- Microsoft Intune App Protection Policies, https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
Question 9
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
You plan to deploy two apps named App1 and App2 to all Windows devices. App1 must be installed before App2.
From the Intune admin center, you create and deploy two Windows app (Win32) apps.
You need to ensure that App1 is installed before App2 on every device.
What should you configure?
- A. the App1 deployment configurations
- B. a dynamic device group
- C. a detection rule
- D. the App2 deployment configurations
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer.
The correct answer is D. the App2 deployment configurations.
Reasoning: To ensure App1 is installed before App2, the dependency settings within the deployment configurations of App2 should be configured. This involves specifying App1 as a dependency for App2, which ensures that Intune installs App1 before attempting to install App2.
Why other options are incorrect:
- A. the App1 deployment configurations: Configuring App1's deployment settings alone will not enforce the installation order. It only manages how App1 is deployed.
- B. a dynamic device group: Dynamic device groups are used to target devices based on certain rules, but they do not control the order in which apps are installed.
- C. a detection rule: Detection rules are used to verify if an app is already installed, but they do not enforce the installation order of apps.
Citations:
- Intune app dependencies, https://learn.microsoft.com/en-us/mem/intune/apps/apps-Win32-dependencies
Question 10
You have a Microsoft Intune subscription.
You have devices enrolled in Intune as shown in the following table.

An app named App1 is installed on each device.
What is the minimum number of app configuration policies required to manage App1?
Correct Answer:
B
Explanation:
The AI agrees with the suggested answer of B (2).
Reasoning:
The question specifies managing an app (App1) on both iOS/iPadOS and Android devices. App configuration policies in Intune are platform-specific. This means that you cannot apply a single configuration policy to both iOS/iPadOS and Android devices simultaneously. A separate policy must be created for each platform to accommodate the differences in configuration settings and supported features between iOS/iPadOS and Android. Therefore, a minimum of two app configuration policies are required, one for the iOS/iPadOS devices and one for the Android devices.
Why other options are incorrect:
- A (1): This is incorrect because a single policy cannot target both iOS/iPadOS and Android devices due to platform differences.
- C (3), D (4), and E (5): These are incorrect because only two policies are needed to cover the two distinct platforms (iOS/iPadOS and Android) mentioned in the device enrollment table. Additional policies would only be necessary if there were further distinctions required within each platform (e.g., different configurations for different user groups), which isn't specified in the question.
Citations:
- App configuration policies for Intune, https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview