MICROSOFT CERTIFICATION

MD-102 Endpoint Administrator Associate Practice Exam

Exam Number: 3135 | Last updated 16-Apr-26 | 806+ questions across 4 vendor-aligned objectives

The MD-102 Endpoint Administrator Associate certification validates the skills of administrators who deploy, configure, and manage Windows client devices and applications in enterprise environments using Microsoft Intune. This exam measures your ability to work with Microsoft Intune, Windows Autopilot, Configuration Manager, Microsoft Entra ID, and Windows Update for Business, demonstrating both conceptual understanding and practical implementation skills required in today’s enterprise environments.

The heaviest exam domains include Deploy Windows Client (25–30%), Manage, Maintain, and Protect Devices (25–30%), and Manage Identity and Compliance (15–20%). These areas collectively represent the majority of exam content and require focused preparation across their respective subtopics.

Additional domains tested include Manage Applications (10–15%) and Plan and Implement Endpoint Protection (10–15%). Together, these areas round out the full exam blueprint and ensure candidates possess well-rounded expertise across the certification scope.

 Windows client deployment and device management share the top weight. Master Windows Autopilot provisioning profiles, Intune compliance policies, and co-management scenarios with Configuration Manager.

Every answer links to the source. Each explanation below includes a hyperlink to the exact Microsoft documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.

758 practice exam users | 92.9% satisfied users | 88.7% passed the exam | 5/5 quality rating

Test your MD-102 Endpoint Administrator Associate knowledge

10 of 806+ questions

Question #1 - Deploy Windows Client

A company purchases 500 new laptops for remote workers. They need Windows deployed with corporate apps, policies, and settings applied automatically when users first sign in, with zero IT touch.

Which deployment method should the administrator use?

A) Manual Windows installation on each laptop
B) Deploy via SCCM with PXE boot in the office
C) Create a custom Windows image and ship USB drives
D) Windows Autopilot with user-driven deployment and Enrollment Status Page

 

Correct answers: A – Explanation:
Windows Autopilot configures devices over the internet during OOBE, applying Intune policies, apps, and settings when users sign in — no IT hands-on required. Manual installation is impractical for 500 devices. USB imaging requires physical access. PXE boot requires on-premises network. Source: Check Source

A company purchases 500 laptops for remote workers. Windows must deploy with corporate apps, policies, and settings automatically on first sign-in.

Which deployment method should the administrator use?

A) Manual Windows installation performed individually on each of the 500 laptop devices
B) Deploy using SCCM with PXE boot requiring each laptop to connect to the corporate network
C) Create a custom Windows image and ship physical USB drives to each remote worker location
D) Windows Autopilot with user-driven deployment configuring devices over the internet at OOBE

 

Correct answers: D – Explanation:
Autopilot configures devices over the internet during the out-of-box experience, applying Intune policies, apps, and settings when users first sign in — requiring no IT physical access. Manual installation of 500 devices is impractical for the volume and remote worker distribution. USB imaging requires physical distribution logistics and local IT support at each location. PXE boot requires on-premises network connectivity that remote workers may not have access to. Source: Check Source

A school deploys standardized educational apps to 2,000 student devices — both existing PCs and new purchases.

Which approach deploys apps to all devices?

A) Install applications manually on each of the 2,000 devices by visiting every student workstation
B) Intune app deployment policies targeting a device group containing all enrolled student devices
C) Deploy via Group Policy applying only to Active Directory domain-joined on-premises devices
D) Email download links to students and trust them to install the correct applications themselves

 

Correct answers: B – Explanation:
Intune app policies deploy to any enrolled device in the target group regardless of when it was enrolled, covering both existing and newly purchased devices uniformly. Manual installation across 2,000 devices does not scale and requires physical access to each workstation. Email download links lack enforcement and version control over what students actually install. GPO only reaches domain-joined on-premises devices and misses cloud-managed or Azure AD-joined student machines. Source: Check Source

During Autopilot, users are stuck at a spinning screen for 45 minutes. The admin needs progress visibility and blocking until critical apps install.

Which Autopilot feature should be configured?

A) Configure the Enrollment Status Page showing progress and blocking sign-in until apps complete
B) Let users skip all setup steps entirely and install required applications later at their leisure
C) Disable all progress indicators for faster deployment without any user-facing status feedback
D) Deploy every application as optional allowing users to choose which ones they want installed

 

Correct answers: A – Explanation:
The Enrollment Status Page shows real-time progress of policy and app installation, blocking sign-in until required applications complete, replacing the unexplained spinning screen. Disabling indicators leaves users with no explanation for the wait and no completion confirmation. Skipping setup risks users beginning work without security policies and required applications applied. Optional-only deployment may result in critical business applications never being installed by users. Source: Check Source

Devices accessing corporate email must have PIN, encryption, and up-to-date antivirus. Non-compliant devices should be blocked.

Which features should be configured together?

A) Intune compliance policies defining requirements with Conditional Access blocking non-compliant
B) Block all mobile device types entirely from accessing corporate email regardless of compliance
C) A warning email sent to non-compliant users reminding them to update their device settings
D) Allow all devices access to email and audit compliance status on a monthly review schedule

 

Correct answers: A – Explanation:
Compliance policies evaluate device configuration state, and Conditional Access enforces that only devices meeting all requirements can access corporate resources like email. Warning emails inform but have no technical enforcement preventing non-compliant access. Monthly audits are too infrequent and allow non-compliant devices extended access between review cycles. Blocking all mobile devices prevents legitimate BYOD and corporate mobile access entirely. Source: Check Source

Employees use personal phones for work email and Teams. The company needs to protect corporate data without managing the entire device.

Which Intune management approach should be used?

A) Full device enrollment with complete MDM control over every personal device setting and content
B) Mobile Application Management without enrollment using App Protection Policies for BYOD
C) No device management applied at all trusting users to protect corporate data independently
D) Require all employees to use company-owned devices only and prohibit personal device usage

 

Correct answers: B – Explanation:
MAM without enrollment applies App Protection Policies to corporate apps on personal devices, protecting organizational data while respecting personal privacy boundaries. Full MDM on personal devices manages the entire phone which employees may resist on their own hardware. Company-only device policies are impractical for organizations where BYOD is established or expected. No management leaves corporate data exposed to any app or action on unprotected personal devices. Source: Check Source

An IT team manages 3,000 Windows devices needing feature updates within 30 days of release with a 7-day testing deferral.

Which update management approach should be configured?

A) Download each update manually and deploy it via USB drive to every device in the organization
B) Windows Update for Business policies in Intune with 7-day deferral and 30-day compliance deadline
C) Disable all Windows updates permanently across all devices to prevent disruption to operations
D) Let each of the 3,000 devices update independently through Windows Update without any controls

 

Correct answers: B – Explanation:
WUfB policies in Intune configure deferral periods allowing testing before broader rollout and deadlines ensuring compliance within the 30-day window across all managed devices. Independent updates without controls cause inconsistent version states across the fleet. Disabling updates permanently creates escalating security vulnerabilities from unpatched systems. USB deployment to 3,000 devices does not scale and requires physical access to each machine. Source: Check Source

A stolen laptop contains sensitive company data. IT needs to immediately remove all corporate data remotely.

Which Intune action should the administrator take?

A) Call the police to report the theft without taking any immediate technical data protection action
B) Wait for the device to come online and change the user password hoping to prevent access
C) Issue a remote Wipe or Retire command to remove all data or corporate data from the device
D) Disable only the user email account leaving locally cached files and data fully accessible

 

Correct answers: C – Explanation:
Remote Wipe factory-resets the device removing all data, or Retire removes corporate data and profiles while preserving personal content. Both execute when the device connects to the network. Password changes do not remove already-cached local data on the stolen device. Police reporting is appropriate but does not protect data from immediate unauthorized access. Email disabling prevents new email access but leaves all previously cached files and data fully accessible. Source: Check Source

A design firm needs Adobe Creative Cloud (10 GB) installed on creative team devices as soon as they enroll.

Which Intune app deployment type should be used?

A) Win32 app deployment with the Adobe installer packaged as an .intunewin file assigned as Required
B) A web link pointing to the Adobe download page requiring users to complete installation manually
C) Microsoft Store app deployment which may not include Adobe Creative Cloud enterprise packages
D) Line-of-business MSI format deployment which may not support Adobe’s complex installer requirements

 

Correct answers: A – Explanation:
Win32 app deployment handles large, complex installers with detection rules, dependencies, and requirement rules for enterprise software like Adobe CC. Web links require user action and lack enforcement, progress tracking, and compliance reporting. Adobe CC is not typically available as a Microsoft Store app for enterprise deployment. The Adobe installer complexity may exceed the capabilities of the simpler LOB MSI deployment format. Source: Check Source

A healthcare company needs ransomware protection with automated investigation and remediation across all endpoints.

Which Microsoft security solution should be deployed?

A) Windows Defender Firewall rules only controlling network traffic without threat investigation
B) A third-party antivirus product without cloud integration or automated response capabilities
C) Microsoft Defender for Endpoint with automated investigation and response capabilities enabled
D) Network-level intrusion detection system only monitoring traffic without endpoint protection

 

Correct answers: C – Explanation:
Defender for Endpoint provides next-gen protection, endpoint detection and response, and automated investigation that remediates threats across managed endpoints comprehensively. Firewall rules control network traffic flow but do not investigate detected threats or automate response. Third-party AV without cloud integration lacks the automated investigation and remediation pipeline. Network IDS monitors traffic patterns but does not protect individual endpoints or automate threat response. Source: Check Source

Get 806+ more questions with source-linked explanations

Every answer traces to the exact Microsoft documentation page — so you learn from the source, not just memorize answers.

Exam mode & learn mode · Score by objective · Updated 16-Apr-26


What the MD-102 Endpoint Administrator Associate exam measures

  • Deploy Windows Client (25–30%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
  • Manage Identity and Compliance (15–20%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
  • Manage, Maintain, and Protect Devices (25–30%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
  • Manage Applications (10–15%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
  • Plan and Implement Endpoint Protection (10–15%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.

  • Review the official exam guide to understand every objective and domain weight before you begin studying
  • Complete the relevant Microsoft Learn learning path to build a structured foundation across all exam topics
  • Get hands-on practice in an Azure free-tier sandbox or trial environment to reinforce what you have studied with real configurations
  • Apply your knowledge through real-world project experience — whether at work, in volunteer roles, or contributing to open-source initiatives
  • Master one objective at a time, starting with the highest-weighted domain to maximize your score potential early
  • Use PowerKram learn mode to study by individual objective and review detailed explanations for every question
  • Switch to PowerKram exam mode to simulate the real test experience with randomized questions and timed conditions

Earning this certification can open doors to several in-demand roles:

Microsoft provides comprehensive free training to prepare for the MD-102 Endpoint Administrator Associate exam. Start with the official Microsoft Learn learning path for structured, self-paced modules covering every exam domain. Review the exam study guide for the complete skills outline and recent updates.
