Microsoft MD-102 Exam: Mastering the Endpoint Administrator Role 

The Microsoft MD-102 certification exam is designed for professionals aiming to validate their skills in managing and securing endpoints within a modern enterprise environment. As organizations shift toward hybrid work models, the role of an Endpoint Administrator has expanded in scope and complexity. This certification focuses on equipping IT professionals with the ability to deploy, manage, and protect Windows clients across various platforms and networks.

The Role of a Microsoft Endpoint Administrator

Modern Endpoint Administrators operate at the intersection of user productivity, system security, and device lifecycle management. Their responsibilities are no longer confined to physical device configuration. Instead, they must address software provisioning, policy enforcement, identity compliance, and remote access—all through centralized management tools. The MD-102 exam is specifically designed to test a candidate’s ability to navigate these responsibilities using Microsoft’s modern endpoint solutions, including cloud-native services and co-management techniques.

Endpoint Administrators typically work in collaboration with other IT roles such as identity administrators, network engineers, and security analysts. Their role is critical in ensuring that devices are compliant, up to date, and aligned with enterprise security policies. As such, the exam assesses both theoretical knowledge and hands-on skills required for success in a modern digital workplace.

Understanding the Exam Blueprint

The MD-102 exam focuses on four domains that collectively encompass the complete endpoint lifecycle. These are:

  1. Deploy Windows client (20–25%)

  2. Manage identity and compliance (15–20%)

  3. Manage, maintain, and protect devices (40–45%)

  4. Manage applications (15–20%)

Each domain is essential, and together they reflect the real-world responsibilities of an endpoint administrator. A thorough understanding of each area is critical for passing the exam and performing well in a professional capacity.

Let’s briefly examine the relevance of each domain.

Deploy Windows Client
This area covers methods to plan and implement Windows client deployment using automated and scalable approaches. Candidates should be familiar with deployment tools such as Windows Autopilot, provisioning packages, and imaging technologies. It’s not just about deploying systems—it’s about doing so in a way that reduces administrative overhead and increases consistency.

Manage Identity and Compliance
This domain addresses integration with identity platforms, device registration, and compliance configuration. Candidates should understand how to use conditional access, compliance policies, and configuration profiles. These components play a vital role in enforcing security while maintaining user productivity.

Manage, Maintain, and Protect Devices
This is the most heavily weighted domain in the exam, reflecting its importance in the real world. Topics include updating systems, securing endpoints, troubleshooting, and configuring endpoint protection. Microsoft Intune and Microsoft Defender for Endpoint are crucial tools in this section, as are reporting and monitoring features for ongoing device health and performance.

Manage Applications
Endpoint Administrators are often responsible for application lifecycle management. This includes deploying, updating, and uninstalling apps, as well as configuring Microsoft Store and Win32 apps. Application delivery must be timely, secure, and compatible with enterprise requirements.

Planning for Exam Success: Essential Skills

Passing the MD-102 exam requires more than memorization. It demands practical understanding, scenario-based thinking, and a solid grasp of core Microsoft endpoint management tools. Below are some skill areas that are frequently encountered on the exam and in real-world endpoint roles.

Windows Autopilot Deployment Models
Autopilot is a key technology for deploying Windows 11 and 10 devices with minimal touch. It supports scenarios such as user-driven deployment, pre-provisioned deployment, and self-deploying mode. Understanding how to configure Autopilot profiles, assign them to devices, and troubleshoot deployment failures is critical.

Azure Active Directory and Hybrid Identity
Many enterprise environments use a hybrid identity model. Candidates must know how devices register with Azure AD, what the difference is between Azure AD join and Hybrid Azure AD join, and how group membership affects policy enforcement. The ability to troubleshoot sign-in issues and understand token lifetimes is also valuable.

Microsoft Intune Configuration Profiles
Configuration profiles are used to enforce device settings at scale. Candidates should understand how to configure settings catalog profiles, custom profiles using OMA-URI, and administrative templates. Real-world use cases include configuring BitLocker, setting password requirements, or restricting browser behavior.

Compliance Policies and Conditional Access
Compliance policies define the rules a device must meet to be considered compliant. These might include OS version, disk encryption, or antivirus status. Conditional access then uses this compliance information to control access to enterprise resources. This relationship is fundamental to protecting sensitive data in cloud environments.

Patch Management and Update Rings
System updates are essential to security and performance. Candidates must know how to configure update rings in Intune, defer or pause updates, and monitor update status. This includes handling feature updates and quality updates across diverse device fleets.

Endpoint Security with Microsoft Defender
Understanding how Microsoft Defender integrates with endpoint management is critical. This includes configuring antivirus policies, firewall settings, and attack surface reduction rules. The ability to read alerts and take automated action is a mark of proficiency.

Common Challenges and Practical Realities

While the exam is highly technical, it reflects practical realities encountered by Endpoint Administrators. Below are some of the common challenges professionals face and how the skills tested in the MD-102 exam prepare them to respond effectively.

Managing Remote Devices at Scale
With remote work being the norm for many organizations, managing devices outside the corporate network is now a basic requirement. The skills tested in MD-102—including cloud-based management and remote policy enforcement—are essential for keeping systems secure regardless of location.

Device Lifecycle Complexity
From provisioning new devices to retiring old ones, the lifecycle must be efficient and secure. The exam emphasizes automated deployment, secure decommissioning, and effective policy transition, which are key to streamlining the device lifecycle.

Balancing Security with Usability
Security is critical, but overly strict configurations can hinder user productivity. The MD-102 exam covers techniques to implement security features like BitLocker or Defender Application Control while still ensuring a smooth user experience.

Monitoring and Reporting
Visibility into device health, compliance status, and policy application is crucial for making informed decisions. The MD-102 certification emphasizes using the Intune console, reports, and logs to proactively manage devices and troubleshoot issues.

Why the MD-102 Certification Matters

Earning the Microsoft Endpoint Administrator Associate certification through the MD-102 exam is more than just an achievement—it is a demonstration of professional maturity and relevance. Organizations are increasingly relying on certified professionals to lead endpoint management initiatives. As a result, this certification can significantly boost your credibility, employability, and salary prospects.

Beyond the resume value, preparing for this exam sharpens your understanding of modern device management techniques. You learn to automate workflows, reduce operational costs, and align IT strategies with business needs. Whether you are new to the field or transitioning from a legacy system administration role, this certification serves as a structured pathway to mastering endpoint management in cloud-first environments.

Building the Right Foundation

The MD-102 exam isn’t designed for guesswork. It rewards hands-on experience and contextual understanding. Therefore, your preparation should include:

  • Setting up a test environment to deploy Windows using Autopilot

  • Practicing Intune policy creation and assignment

  • Simulating compliance violations and configuring conditional access

  • Deploying and updating apps across different scenarios

  • Reviewing logs and analyzing device behavior during policy application

These practical exercises not only prepare you for the test but also give you tools you’ll use in your day-to-day work.

The Strategic Importance of Windows Deployment

Deploying Windows clients at scale is not just a technical task—it is a business-critical operation. Efficient deployment minimizes downtime, ensures compliance, and accelerates user onboarding. It also serves as the first touchpoint for enforcing configuration standards and security baselines. An Endpoint Administrator must not only deploy devices but also ensure that each device aligns with the organization’s identity, security, and compliance strategies from day one.

Gone are the days when IT teams manually installed operating systems from physical media. Today’s enterprises demand cloud-first, policy-driven deployment processes that are consistent, secure, and scalable. This is where tools like Windows Autopilot and provisioning packages come into play.

Windows Autopilot: The Centerpiece of Modern Deployment

Autopilot is Microsoft’s answer to zero-touch deployment. It is a collection of technologies that allows new devices to be shipped directly to the end user, where the setup experience is automated and customized based on the organization’s requirements.

Autopilot Deployment Profiles

Autopilot uses deployment profiles to control the out-of-box experience for the user. Key configuration settings in a deployment profile include:

  • Skipping privacy settings

  • Automatically joining the device to Azure AD

  • Assigning the device to a specific user or group

  • Enabling self-deploying or pre-provisioned modes

Profiles are assigned via Intune or through group tags, and they ensure the right settings are applied during initial device setup.

Autopilot Deployment Scenarios

There are three main deployment modes:

  1. User-driven mode: Ideal for organizations where users receive their own devices. It provides a personalized setup experience.

  2. Self-deploying mode: Requires no user interaction. Best for kiosk, digital signage, or shared devices.

  3. Pre-provisioned deployment: Also known as white-glove deployment. IT sets up the device before it reaches the user, reducing time-to-productivity on day one.

Device Registration for Autopilot

Devices must be registered with Autopilot before profiles can be applied. This involves uploading hardware hashes or automating registration via OEM partners. Each device is identified through unique hardware IDs, which are linked to the Autopilot service.

Benefits of Autopilot

  • No need to reimage devices

  • Full control over user experience

  • Integration with Azure AD and Intune

  • Seamless compliance with policy-based settings

For the MD-102 exam, it is essential to understand how to create, assign, and troubleshoot Autopilot profiles, as well as recognize which deployment mode fits which scenario.

Provisioning Packages with Windows Configuration Designer

For organizations that need offline deployment solutions or want to provide quick configuration in branch offices without internet connectivity, provisioning packages offer a reliable alternative.

What is a Provisioning Package?

A provisioning package is a small file created using the Windows Configuration Designer that applies specific configurations to a Windows device. These configurations can include:

  • Account setup

  • Network settings

  • Application installation

  • Device naming

Provisioning packages are especially useful for configuring devices during the initial boot or adding new configurations after deployment.

When to Use Provisioning Packages

  • Devices are not connected to the internet

  • A custom setup is needed before connecting to Azure AD or Intune

  • There’s a need to standardize configurations quickly in a disconnected environment

Deploying Provisioning Packages

Provisioning packages can be installed during the initial setup phase or after the device has been configured. They are typically delivered via USB, SD card, or over a network share.

Provisioning Package Limitations

Although flexible, provisioning packages lack the full integration and scalability of Autopilot. They are best used as a complement to Autopilot or in specialized use cases where network connectivity is a challenge.

Traditional Deployment Tools: MDT and SCCM

While the MD-102 focuses heavily on modern cloud-based methods, understanding traditional deployment tools remains important. Some environments still rely on:

  • Microsoft Deployment Toolkit (MDT): A free solution for deploying Windows images via Lite Touch or Zero Touch installation.

  • System Center Configuration Manager (SCCM): A powerful platform for deploying operating systems, managing updates, and enforcing compliance in on-premises environments.

Image-based Deployment

Using MDT or SCCM, administrators create custom Windows images that contain pre-installed applications and settings. These images are then deployed across the network using PXE boot or USB media.

Pros and Cons of Image-based Deployment

  • Offers granular control over the image

  • Supports complex applications and custom scripts

  • However, it is time-consuming to maintain and lacks cloud-based scalability

The MD-102 exam may include questions requiring candidates to differentiate between these methods and modern deployment approaches like Autopilot.

Hybrid Deployment: Bridging Cloud and On-premises

Many organizations are in transition, retaining on-premises infrastructure while adopting cloud-based management. Hybrid deployment models are common and tested on the MD-102 exam.

Hybrid Azure AD Join

In this model, devices are joined to both Active Directory and Azure Active Directory. This allows organizations to:

  • Use Group Policy and on-premises authentication

  • Leverage cloud services and conditional access

  • Co-manage devices using SCCM and Intune

Co-management

With co-management, devices are managed by both SCCM and Intune. Workloads such as compliance, device configuration, and app management can be gradually shifted from SCCM to Intune. This provides a controlled migration path toward modern management.

Challenges with Hybrid Models

  • Complexity of setup

  • Network dependencies

  • Certificate and firewall configurations

Candidates must understand the trade-offs and design considerations when implementing hybrid environments, particularly in larger or more security-sensitive organizations.

Troubleshooting Deployment Issues

Even the best-designed deployment strategies can encounter problems. The MD-102 exam places emphasis on the candidate’s ability to identify, analyze, and resolve common deployment issues.

Common Autopilot Issues

  • Device not receiving profile: Check if the device is registered and assigned correctly

  • Enrollment failure: Review logs in Event Viewer and Intune troubleshooting portal

  • Incorrect deployment mode: Validate profile settings and group assignments

Provisioning Package Troubleshooting

  • Package not applied: Verify file integrity and whether the package was signed properly

  • Settings not configured: Confirm that the configuration designer version matches the OS build

Logs and Diagnostics

Key tools for diagnosing issues include:

  • Event Viewer: Check logs under Windows Logs and Applications and Services Logs

  • Intune Troubleshooting Portal: Provides per-user and per-device insights

  • MDM Diagnostic Logs: Generated using built-in Windows utilities

  • Enrollment Status Page: Offers real-time feedback during Autopilot provisioning

A good Endpoint Administrator not only deploys effectively but also recovers from failure efficiently. For this reason, the exam includes scenarios where you must select the best course of action during deployment failures.

Security and Compliance During Deployment

Security must be built into the deployment process from the beginning. The MD-102 exam emphasizes secure provisioning, data protection, and policy enforcement during the setup phase.

Windows Hello for Business

Organizations can configure password-less authentication methods as part of deployment. This increases security while improving the user experience.

BitLocker Encryption

Device encryption can be enforced during Autopilot provisioning using Intune policies. Candidates should understand how to validate encryption status and handle recovery key storage.

Trusted Boot and Secure Boot

Modern Windows devices use secure boot processes to protect against firmware attacks. Knowing how to configure and verify secure boot settings is important for exam readiness.
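
The BitLocker and Secure Boot checks described above can be run on the device itself from an elevated PowerShell session. The script below is an added example, not part of the original article; the function name and the list of checks are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: report the protection state that deployment policies are meant to produce.

function Get-DeviceProtectionState {
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Optional: back up existing recovery passwords to the directory (Azure AD joined devices).
        [switch]$EscrowRecoveryKey
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint

    # A recovery password protector must exist before a recovery key can be stored anywhere.
    $recovery = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($EscrowRecoveryKey) {
        foreach ($protector in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $protector.KeyProtectorId | Out-Null
        }
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    $tpm = Get-Tpm

    [pscustomobject]@{
        MountPoint         = $MountPoint
        VolumeStatus       = $volume.VolumeStatus
        ProtectionOn       = ($volume.ProtectionStatus -eq 'On')
        EncryptionMethod   = $volume.EncryptionMethod
        RecoveryProtectors = $recovery.Count
        TpmReady           = ($tpm.TpmPresent -and $tpm.TpmReady)
        SecureBootEnabled  = $secureBoot
    }
}

$state = Get-DeviceProtectionState
$state | Format-List

# Turn the raw state into a list of gaps an administrator has to close.
$gaps = @()
if ($state.VolumeStatus -ne 'FullyEncrypted') { $gaps += "Volume is $($state.VolumeStatus), not FullyEncrypted" }
if (-not $state.ProtectionOn)                 { $gaps += 'BitLocker protection is off or suspended' }
if ($state.RecoveryProtectors -eq 0)          { $gaps += 'No recovery password protector to escrow' }
if (-not $state.TpmReady)                     { $gaps += 'TPM is missing or not ready' }
if (-not $state.SecureBootEnabled)            { $gaps += 'Secure Boot is disabled or unsupported' }

if ($gaps) { $gaps | ForEach-Object { Write-Warning $_ } }
else       { Write-Output 'Device meets the encryption and boot-integrity checks.' }
```

A volume can be fully encrypted while protection is suspended, which is why the script checks `VolumeStatus` and `ProtectionStatus` separately.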

Preparing for This Domain of the Exam

To master the deployment domain of the MD-102 exam, candidates should:

  • Set up a test environment with a virtual lab or physical device

  • Register a device with Autopilot and assign profiles using Intune

  • Build and apply provisioning packages using Windows Configuration Designer

  • Simulate hybrid join scenarios with test accounts

  • Practice diagnosing and resolving deployment issues using logs

Beyond theory, hands-on practice is critical to retain knowledge and build confidence. Simulation tools and trial environments offered by Microsoft can be invaluable for this phase of preparation.

Why Identity Management and Compliance Matter

Endpoints are the front line of enterprise security. As organizations adopt remote work, cloud apps, and bring-your-own-device models, ensuring that only verified users can access corporate resources on compliant devices becomes crucial. Identity is the new perimeter. Rather than securing only the network, modern strategies protect the user, device, and data regardless of location.

Identity management and compliance policies ensure that every access request is authenticated, every device is verified, and every operation meets the company’s standards. This dynamic enforcement is a cornerstone of modern endpoint management, and it is at the heart of what candidates are tested on in this portion of the MD-102 exam.

Azure Active Directory Integration

At the center of Microsoft’s identity ecosystem is Azure Active Directory. Understanding how devices and users interact with Azure AD is essential.

Azure AD Join vs. Hybrid Azure AD Join

There are three types of device joins in Azure AD:

  1. Azure AD Join: Devices are joined directly to Azure AD, suitable for cloud-first organizations.

  2. Hybrid Azure AD Join: Devices are joined to on-prem Active Directory and registered with Azure AD.

  3. Azure AD Registration: Devices are not domain-joined but are registered with Azure AD, often in BYOD scenarios.

Each has different implications for access control, policy application, and device visibility. The exam requires clear understanding of which method fits which environment, including their setup and limitations.
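
To see which of the three states a given Windows device is in, the built-in `dsregcmd /status` output can be parsed. The following is an added example, not part of the original article; the function name is hypothetical and the sample output is constructed for illustration.

```powershell
# Added example: classify a device's join state from `dsregcmd /status` output.
function Get-DeviceJoinType {
    param(
        # Lines of `dsregcmd /status` output; defaults to running the tool locally.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )

    # Collect the YES/NO flags the classification depends on.
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    if ($state['AzureAdJoined'] -and $state['DomainJoined']) { return 'Hybrid Azure AD Join' }
    if ($state['AzureAdJoined'])   { return 'Azure AD Join' }
    if ($state['WorkplaceJoined']) { return 'Azure AD Registration' }
    if ($state['DomainJoined'])    { return 'On-premises domain join only (not registered with Azure AD)' }
    return 'Not joined or registered'
}

# Constructed sample (not captured from a real device), so the parser can be tried offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinType -StatusText $sample   # classifies the constructed sample
# Get-DeviceJoinType                     # classifies the local device (Windows only)
```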

Device Registration Process

When a device is enrolled via Intune or joined to Azure AD, it goes through registration, where a unique device ID is created. This allows the device to be managed, authenticated, and governed through policies.

Candidates should understand how to:

  • Enable device registration in Azure AD settings

  • Use Intune and Autopilot to auto-enroll devices

  • Monitor the registration status using the Azure portal and Intune admin center

Conditional Access

Conditional Access is one of the most powerful tools for enforcing identity-driven security. It evaluates real-time conditions before granting access to resources.

Core Components of Conditional Access

  • User or group assignment: Who the policy applies to

  • Cloud apps or actions: What resource is being accessed

  • Conditions: Risk level, location, device platform, etc.

  • Controls: Require MFA, block access, enforce compliance

For example, a policy might require multi-factor authentication when accessing email from an unmanaged device or block access entirely from high-risk countries.

Device-Based Conditional Access

Device compliance plays a critical role in conditional access. A policy can be created to only allow access from devices marked as compliant in Intune. This links the identity and device management systems.

Policy Testing and Troubleshooting

  • Policies can be tested using What If tools in Azure AD

  • Failures can be diagnosed using Sign-in logs under Azure AD

  • Understanding how policies are prioritized and merged is essential for resolving conflicts

Expect scenario-based questions on the MD-102 exam that require analyzing conditional access outcomes based on specific user behaviors and device statuses.

Device Compliance Policies

Compliance policies are the rulebook for acceptable device configurations. Devices that do not meet compliance are either restricted or remediated.

Creating Compliance Policies in Intune

A compliance policy defines the settings that a device must meet. These settings might include:

  • Minimum OS version

  • BitLocker encryption

  • Password complexity

  • Jailbreak/root detection for mobile platforms

Compliance policies can vary by platform—Windows, Android, iOS, and macOS all support different settings.

Actions for Non-Compliance

You can configure actions like:

  • Mark the device as non-compliant

  • Send email to the user or IT

  • Lock device access after a grace period

These automated responses help reduce manual overhead and provide clear feedback loops for users and administrators.

Monitoring Compliance

The Intune admin center provides detailed reports:

  • Compliant devices by user or group

  • Devices in grace period

  • Policies with the highest failure rate

This reporting is crucial for auditing and ensuring consistent policy application across the enterprise.

Compliance and Conditional Access

To enforce a policy like “only allow access from compliant devices,” you must create both a compliance policy and a conditional access policy. The MD-102 exam often tests this interaction.
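
The pairing described above, created through Microsoft Graph from PowerShell, looks like the sketch below. It is an added example, not part of the original article: the group and account IDs are placeholders, the display names and minimum OS version are constructed values, and the Conditional Access policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example. Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes @(
    'DeviceManagementConfiguration.ReadWrite.All',
    'Policy.ReadWrite.ConditionalAccess',
    'Policy.Read.All'
)

$graph        = 'https://graph.microsoft.com/v1.0'
$pilotGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder: pilot user group
$breakGlassId = '11111111-1111-1111-1111-111111111111'  # placeholder: emergency access account

# 1. Compliance policy: the rules a Windows device must meet.
$compliance = @{
    '@odata.type'     = '#microsoft.graph.windows10CompliancePolicy'
    displayName       = 'Example - Windows baseline compliance'
    bitLockerEnabled  = $true
    secureBootEnabled = $true
    passwordRequired  = $true
    osMinimumVersion  = '10.0.19045.0'                   # constructed value
    # Action for non-compliance: mark non-compliant after a 24-hour grace period.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 24 }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliance | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# 2. Assign the compliance policy; an unassigned policy evaluates nothing.
$assignment = @{
    assignments = @(
        @{ target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $pilotGroupId
        } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# 3. Conditional Access policy: consume the compliance state as a grant control.
$conditionalAccess = @{
    displayName = 'Example - Require compliant device'
    state       = 'enabledForReportingButNotEnforced'    # report-only until validated
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassId)             # avoid locking out every admin
        }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('windows') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/identity/conditionalAccess/policies" `
    -Body ($conditionalAccess | ConvertTo-Json -Depth 6) -ContentType 'application/json'
```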

Configuration Profiles and Policy Assignment

Beyond just checking compliance, endpoint administrators configure devices using profiles and policies. Configuration profiles are used to deploy settings, certificates, restrictions, and security baselines.

Types of Configuration Profiles

  1. Settings Catalog Profiles: Allow granular control using the most recent Intune features

  2. Templates: Predefined profile templates such as VPN, Wi-Fi, email

  3. Custom Profiles: Used for deploying settings not available in the UI, often via OMA-URI

Creating and Assigning Profiles

  • Profiles are created in the Intune admin center

  • Assignments are made to users or device groups

  • Filters and exclusions allow targeting specific devices (e.g., Windows 11 only)

Policy Conflict Resolution

When multiple policies are applied, conflicts may arise. Intune uses the “most restrictive” setting in case of conflicts, unless explicitly overridden. Understanding how to structure and order your policies to avoid conflicts is part of the MD-102 learning path.

Identity Protection with Microsoft Defender

Modern endpoint management includes proactive protection against identity-based threats. Defender for Endpoint integrates with identity signals to identify compromised users and devices.

Risk-Based Conditional Access

If Identity Protection detects high user risk (e.g., based on impossible travel or multiple failed sign-ins), access can be blocked or a password change can be required.

Device Risk Integration

Endpoint protection tools can assign a risk level to a device. Conditional access can then block risky devices or require remediation. This real-time risk analysis is critical to stopping breaches before they escalate.

Security Baselines

Microsoft provides pre-configured security baselines for Windows, Edge, and Defender. These include recommended policies aligned with security best practices. Administrators can deploy these baselines as part of their policy stack.

Expect the exam to include questions on configuring baselines, evaluating device risk levels, and remediating threats using Defender-integrated signals.

Multifactor Authentication (MFA)

MFA is a key pillar of identity security. Candidates must understand:

  • How to enforce MFA via Conditional Access

  • Methods of authentication (authenticator app, SMS, Windows Hello)

  • Troubleshooting MFA failures using Azure logs

MFA can be user-assigned or enforced through policies. It plays a major role in preventing identity-based attacks.

Managing Roles and Access Permissions

Controlling who can perform what actions is vital for maintaining security. The MD-102 exam covers role-based access control (RBAC) within Intune and Azure.

Role-Based Access in Intune

Intune provides built-in roles like:

  • Read Only Operator

  • Policy and Profile Manager

  • Help Desk Operator

Custom roles can also be created and assigned to specific scopes, limiting what an administrator can view or change.

Azure Role-Based Access Control

Azure AD roles such as Global Administrator, Intune Administrator, or Conditional Access Administrator determine access to identity and device controls.

Principle of Least Privilege

A common theme in the exam is the principle of least privilege—granting users only the permissions they need. Candidates must recognize which role assignment best suits a scenario.

Auditing and Reporting

Visibility into actions, compliance status, and policy impact is critical for operational awareness and auditing.

Key Audit Tools

  • Audit Logs: Show changes made to policies and configurations

  • Sign-in Logs: Detail how users access services, including conditional access outcomes

  • Device Reports: Track compliance, encryption, and configuration status

Regular reviews of these logs help identify misconfigurations, security risks, and policy drift.

Automated Reporting

Reports can be scheduled and delivered to security teams or compliance officers, providing ongoing oversight. The exam may include questions on selecting the correct log or report to troubleshoot specific scenarios.

Common Troubleshooting Scenarios

The MD-102 exam does not just test knowledge of configuration—it expects you to troubleshoot misbehavior.

Some common scenarios include:

  • User can’t enroll device: Verify device limit, user permissions, and Azure AD configuration

  • Conditional Access failure: Check policy evaluation logs and whether the device is compliant

  • Policy not applying: Review assignment scope, group membership, and conflict resolution

  • Compliance status unknown: Ensure the device syncs with Intune and that the platform supports the required settings

Candidates should practice interpreting logs and diagnosing why a user or device may not be behaving as expected.

The Role of Application Management in Endpoint Administration

Applications are the heart of user productivity. If devices are well-configured but fail to provide the required apps or if those apps are outdated or insecure, user satisfaction and security both suffer. Application management involves planning, deploying, updating, monitoring, and retiring applications on corporate and personal devices. Administrators must balance flexibility with control—allowing access to needed tools without compromising organizational policies.

The MD-102 exam tests not only your ability to deploy applications but also your understanding of when to use different app types, how to manage app lifecycles, and how to troubleshoot failures in app deployment.

Understanding Application Types in Intune

Different platforms support various app formats. A strong grasp of these formats is essential when managing diverse environments.

Application Types

  1. Line-of-business (LOB) apps
    Custom internal applications typically delivered as .msi or .appx for Windows, .apk for Android, or .ipa for iOS.

  2. Microsoft Store apps (Win32)
    Store-delivered apps often used in educational and enterprise settings. New Windows Package Manager (WinGet) support allows simplified store integration in Intune.

  3. Win32 apps
    Classic desktop applications packaged and deployed via Intune using .intunewin format. They offer full control, including detection rules, dependencies, and return codes.

  4. Web links and progressive web apps (PWA)
    Deployed as shortcuts or browser-based apps, suitable for lightweight applications or SaaS platforms.

  5. Managed Google Play and Apple VPP apps
    Integrations with platform-specific stores to deliver public and private apps to Android and iOS endpoints.

Each app type requires different preparation and configuration steps. The MD-102 exam will test your ability to select the right type for each scenario and troubleshoot deployment issues.

Deploying Applications with Intune

To deliver applications via Intune, you follow a consistent lifecycle: prepare, upload, configure, assign, monitor, and update.

Preparing Applications

For Win32 apps, preparation involves packaging the app using the IntuneWinAppUtil tool. This process wraps the installer and supporting files into a .intunewin package. You must also define:

  • Install commands

  • Uninstall commands

  • Detection rules to determine if the app is already installed

  • Dependencies (other apps that must be installed first)

  • Supersedence (to replace an older app version)

For store apps or web apps, much of this metadata is automatically pulled from the store or entered manually.
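
A detection rule for a Win32 app can be a custom PowerShell script: Intune treats the app as installed only when the script exits with code 0 and writes something to standard output. The script below is an added example, not part of the original article; the application name and minimum version are hypothetical, and it assumes the script runs as a 64-bit process.

```powershell
# Added example: custom detection script for an Intune Win32 app.
# Detected     = exit code 0 AND text on STDOUT.
# Not detected = non-zero exit code, or no output.

$appName    = 'Contoso Agent'        # hypothetical DisplayName of the packaged app
$minVersion = [version]'2.4.0'       # hypothetical minimum version this package delivers

# Check both the native and the 32-bit uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $appName -and $_.DisplayVersion }

foreach ($entry in $installed) {
    $parsed = $null
    # Compare as versions, not strings: '2.10.0' is newer than '2.4.0'.
    if ([version]::TryParse($entry.DisplayVersion, [ref]$parsed) -and $parsed -ge $minVersion) {
        Write-Output "Detected $appName $parsed"
        exit 0
    }
}

# Missing, older than required, or unparseable version: report "not installed"
# so that a Required assignment installs or upgrades the app.
exit 1
```

Matching on a minimum version rather than mere presence is what lets a newer package replace an older install instead of being reported as already present.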

Assigning Applications

Apps are assigned to:

  • Device groups for mandatory deployment

  • User groups for optional or required deployment

  • Uninstall groups to remove apps from specific targets

You can also use filters to narrow the scope of app delivery. For example, deploy only to devices with a specific OS version or manufacturer.

Intune supports three intent types:

  1. Required – Automatically installed on targeted devices

  2. Available – End-users can install from the Company Portal

  3. Uninstall – Removes the app from targeted devices

The exam tests your understanding of these assignment models and when each should be used.

Monitoring Application Deployment

Effective deployment doesn’t stop at assigning the app. You must monitor its success and take action when issues arise.

Key Monitoring Tools

  • Installation status: Shows succeeded, failed, pending, or not applicable

  • Error codes: Helps diagnose installation failures

  • Per-device and per-user logs: Useful for troubleshooting issues with specific endpoints

  • Company Portal app: Users can report issues or retry installations

Troubleshooting skills are often assessed on the exam. Candidates must be able to identify failed deployments, interpret logs, and correct packaging or assignment errors.

Updating and Maintaining Applications

Once apps are installed, keeping them up to date is vital for functionality, security, and compliance.

Managing Updates

  • Win32 apps can be updated by uploading a new version and configuring supersedence rules

  • Microsoft Store apps are updated automatically via the store unless blocked by policy

  • LOB apps must be manually updated with a new package version

  • Android and iOS apps are updated through Google Play and Apple App Store settings

Supersedence Configuration

Supersedence allows you to define that one app version replaces another. This ensures smooth upgrades and supports rollback strategies.

Important exam concept: understanding how supersedence and dependencies interact. A misconfigured chain can cause failed installations or upgrade loops.

Windows Update Management with Intune

Keeping Windows updated is crucial for both security and stability. Intune offers extensive control over Windows Update for Business.

Update Ring Policies

Update rings define how and when updates are delivered. Key settings include:

  • Deployment schedule: Defer feature or quality updates

  • Restart behavior: Control reboots, deadlines, and grace periods

  • User experience: Configure update notifications and UI options

Rings are assigned to devices and can be staggered to create pilot, broad, and critical device groups.

Feature and Quality Updates

  • Feature updates upgrade Windows to a new version (e.g., 21H2 to 22H2)

  • Quality updates deliver security patches and bug fixes monthly

Intune allows administrators to pause or delay these updates based on device readiness and business priorities.

Monitoring Update Compliance

Intune integrates with Update Compliance and Windows Health Monitoring to provide:

  • Device-level update status

  • Update installation failures

  • Patch gaps and deferred installs

Understanding how to read these reports and adjust update policies accordingly is critical for passing the MD-102.

Managing Endpoint Security Updates

While system updates are handled via Windows Update policies, security baselines and Defender policies control antivirus, firewall, and exploit protection settings.

Defender Antivirus Configuration

You can use Endpoint Security profiles in Intune to configure:

  • Real-time protection

  • Scheduled scans

  • Exclusion paths

  • Cloud-delivered protection

These profiles ensure consistent security posture across all devices.
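A read-only check that the four settings listed above actually landed on a device, as an added example that is not part of the original article. It uses the built-in Defender cmdlets; the patterns treated as "too broad" for an exclusion path are assumptions to tune for your environment.

```powershell
# Read-only audit of the four Defender settings listed above; run elevated on a managed device.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Exclusions covering a whole drive, all user profiles or a temp folder leave
# user-writable locations unscanned. These patterns are assumptions.
$broadPatterns = @(
    '^[A-Za-z]:\\?$',            # entire drive, e.g. C:\
    '^[A-Za-z]:\\Users\\?$',     # every user profile
    '\\Temp\\?$',                # any Temp folder
    '\\AppData(\\.*)?$'          # anything under AppData
)

$findings = [System.Collections.Generic.List[string]]::new()

if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if ($pref.MAPSReporting -eq 0)              { $findings.Add('Cloud-delivered protection is disabled') }
if ($pref.ScanScheduleDay -eq 8)            { $findings.Add('Scheduled scan is set to Never') }

foreach ($path in @($pref.ExclusionPath)) {
    if ([string]::IsNullOrWhiteSpace($path)) { continue }
    if ($path -like 'N/A*') {
        # Defender hides the exclusion list from non-administrators.
        $findings.Add('Exclusion list not readable: run elevated')
        break
    }
    foreach ($pattern in $broadPatterns) {
        if ($path -match $pattern) { $findings.Add("Broad exclusion path: $path"); break }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Defender settings match the expected profile'
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
exit 1
```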

Automating Remediation and Notifications

Administrators often face recurring issues, such as missing registry keys, failing services, or specific apps not running. Intune’s Remediations feature allows you to automate detection and correction.

Remediation Scripts

  • Written in PowerShell

  • Include detection logic and remediation logic

  • Run on a schedule or upon specific triggers

Common use cases:

  • Re-enable Windows Update service if disabled

  • Install missing certificates

  • Enforce compliance-related configurations

Remediations not only improve operational efficiency but are also a new area of emphasis in the MD-102 exam.
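A detection and remediation pair for the first use case above (a disabled Windows Update service), as an added example that is not part of the original article. Intune passes no arguments to either script, so the `$Mode` parameter is an assumption of this example: upload one copy with the default left at `Detect` and a second copy with the default changed to `Remediate`.

```powershell
# Detection exits 1 when the issue is present, which tells Intune to run the remediation script.
param([ValidateSet('Detect', 'Remediate')][string]$Mode = 'Detect')

$ServiceName = 'wuauserv'   # Windows Update service

function Test-UpdateServiceHealthy {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    # The service is trigger-started, so Stopped is normal; only Disabled is a problem.
    return ($svc.StartType -ne 'Disabled')
}

try {
    if ($Mode -eq 'Detect') {
        if (Test-UpdateServiceHealthy) {
            Write-Output "$ServiceName start type OK"
            exit 0          # no issue: remediation is not run
        }
        Write-Output "$ServiceName is Disabled"
        exit 1              # issue found: Intune runs the remediation script
    }

    # Remediate: restore the default start type, then confirm the change took effect.
    Set-Service -Name $ServiceName -StartupType Manual -ErrorAction Stop
    if (Test-UpdateServiceHealthy) {
        Write-Output "$ServiceName start type reset to Manual"
        exit 0
    }
    Write-Output "$ServiceName still Disabled after remediation"
    exit 1
}
catch {
    # Surface the error text in the Intune device status report.
    Write-Output "Error: $($_.Exception.Message)"
    exit 1
}
```

Re-checking the service after `Set-Service` matters because another policy or tool that keeps disabling the service would otherwise be reported as a successful fix.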

Controlling the End-User Experience

Managing endpoints is not just about enforcing policy; it’s about optimizing the user experience while maintaining control.

Configuring the Company Portal

The Company Portal is the interface users interact with for:

  • Installing available apps

  • Viewing compliance status

  • Resetting devices

  • Accessing support contacts

Customizing the Company Portal with branding, messages, and support information improves adoption and reduces helpdesk calls.

Kiosk Mode and Assigned Access

Certain business scenarios, like retail or education, require dedicated-use devices. Intune allows configuration of:

  • Kiosk mode for single-app or multi-app lockdown

  • Assigned access to restrict user access to specific apps or settings

Understanding when and how to configure these experiences is essential, especially in exam case studies.

Device Retirement and Wipe Options

Eventually, devices are repurposed, lost, or leave the organization. Endpoint administrators must know how to decommission them securely.

Retirement and Wipe Actions

  1. Retire – Removes Intune data but leaves user data intact

  2. Wipe – Restores device to factory settings

  3. Delete – Removes the record from Intune but doesn’t impact the device

  4. Fresh Start – Reinstalls Windows while keeping user data

Each method is suitable for different scenarios. For example, a stolen device should be wiped, while a repurposed device may just be retired. These distinctions appear frequently in exam questions.

Final Tips for the MD-102 Exam

Success on the MD-102 requires not just technical knowledge but an ability to think like an endpoint administrator. The following strategies will help you prepare for the application and update management sections:

  • Practice app deployments using each method—especially Win32 apps and Microsoft Store integrations

  • Understand failure logs and simulate troubleshooting scenarios

  • Use Intune’s test environments or trial tenants to explore update ring behaviors and supersedence rules

  • Create and monitor remediation scripts to fix common configuration issues

  • Build a logical flow between identity, compliance, app management, and update control—this integration is key to real-world success

Conclusion

Application and update management is the final domain in the MD-102 journey, but it is by no means the least significant. In many ways, it’s the most visible—users interact daily with apps and expect them to work, update smoothly, and respond quickly when issues arise. As an endpoint administrator, your job is to make all of that happen behind the scenes with precision, automation, and reliability.

Together with identity, compliance, and configuration, application and update management forms the complete endpoint management lifecycle. Passing the MD-102 certification confirms that you understand this full picture and can implement modern device strategies that empower users while protecting organizational assets.

Armed with the knowledge from all four parts of this series, you’re now better prepared to not only pass the MD-102 but also to lead effective endpoint administration in the real world.