Microsoft March 30, 2026 18 min read

MD-102 Endpoint Administrator: The Complete 2026 Guide (Exam Domains, Salary, Career Path)

Reviewed by certified IT professionals • About our team

Everything you need to know about MD-102 in 2026: exam domains with % weightings, a 6-week study plan, salary data, and real career paths for endpoint administrators.

Microsoft MD-102 Endpoint Administrator certification guide 2026 — Intune, Windows devices, cloud management

Table of Contents

What Is the MD-102 and Why Does It Exist

If you manage Windows devices for a living and you don't have the MD-102 yet, you're leaving money on the table.

Microsoft's MD-102 — officially the Microsoft 365 Certified: Endpoint Administrator Associate — is the certification that replaced the old MD-100 and MD-101 exams in 2023. It consolidated everything into a single, more relevant credential that reflects how endpoint management actually works in 2026: cloud-connected, policy-driven, identity-aware.

In 2023, Microsoft retired two separate exams — MD-100 (Windows 10 client administration) and MD-101 (Modern Desktop management) — and replaced them with a single, unified certification: MD-102. The reason is practical. The old split made sense in a world where "desktop admin" and "cloud management" were separate disciplines. That world doesn't exist anymore. Every enterprise endpoint admin is expected to handle Windows deployment and Intune policies and Azure AD identity and Defender security. MD-102 tests all of it under one credential.

The certification validates your ability to:

  • Deploy and manage Windows 10 and Windows 11 devices at scale
  • Use Microsoft Intune for cloud-based device policy and compliance
  • Integrate devices with Azure Active Directory (now Microsoft Entra ID)
  • Secure endpoints using Microsoft Defender and security baselines
  • Deploy and manage applications across device fleets
  • Support users and troubleshoot endpoint issues in hybrid environments

It's a role-based certification — built around what you actually do on the job, not around memorizing product specs.

Exam Format: Questions, Time, Passing Score

Before you study, know what you're walking into.

40–60
Questions
120
Minutes
700
Passing Score
$165
USD Exam Fee
DetailInfo
Exam codeMD-102
Questions40–60 (varies per session)
Time limit120 minutes
Passing score700 out of 1000
Question typesMultiple choice, drag-and-drop, scenario-based, case studies
Price$165 USD (varies by country)
LanguagesEnglish, Japanese, Chinese (Simplified/Traditional), Korean, German, French, Spanish, Portuguese
DeliveryPearson VUE (in-person or online proctored)
RenewalAnnual — free online assessment via Microsoft Learn

2026 Update: Microsoft confirmed the English version of MD-102 is updating on April 28, 2026. If you're reading this close to that date, check the official study guide for what changed. The core domains won't shift dramatically, but expect more weight on Entra ID features and Windows 11 management.

The exam uses scenario-based questions heavily. You're given a business situation and asked to choose the best technical solution. This isn't a trivia test — it requires you to understand why each technology exists, not just what it does.

Exam Domains: Full Breakdown with % Weightings

MD-102 is divided into four domains. Here's exactly what each one covers and how much it weighs:

Domain 1: Deploy Windows Client25–30%

This domain tests deployment knowledge across both modern and traditional methods. Covers Windows Autopilot (self-deploying, user-driven, and pre-provisioned modes), provisioning packages via Windows Configuration Designer, Windows Deployment Services and traditional imaging, Windows 10/11 upgrade paths and feature updates, and network configuration during deployment.

Domain 2: Manage Identity and Compliance15–20%

The smallest domain by percentage, but conceptually dense. Covers Azure Active Directory (Entra ID) device registration and join types, Conditional Access policies, MFA enforcement via Intune and Entra ID, device compliance policies, Windows Hello for Business configuration, and Microsoft Entra ID roles relevant to endpoint administration.

Domain 3: Manage, Maintain, and Protect Devices40–45%

This is the biggest domain and where the exam lives or dies. Covers Microsoft Intune device configuration profiles, endpoint security policies (Defender Antivirus, Firewall, BitLocker), security baselines, Windows Update for Business, Endpoint Analytics, remote actions in Intune, Windows 365 basics, and Microsoft Defender for Endpoint integration.

Domain 4: Manage Applications10–15%

Covers Microsoft 365 Apps deployment via Intune, Win32 app deployment (detection rules, dependencies, supersedence), Microsoft Store apps and WinGet integration, app protection policies for BYOD scenarios (MAM without enrollment), app configuration policies, and troubleshooting failed app deployments.

Domain 1 Deep Dive: Deploy Windows Client (25–30%)

The trap most people fall into: they study Autopilot but ignore Windows Deployment Services (WDS) and provisioning packages. Microsoft still tests legacy methods because enterprises still use them. Don't skip it.

What this looks like on the job: A new employee in a remote office needs a laptop configured without IT physically touching it. You set up Autopilot, the user unboxes the laptop, signs in with their Azure AD credentials, and the device automatically joins the domain, installs required apps, and applies company policies.

Domain 2 Deep Dive: Manage Identity and Compliance (15–20%)

The trap here: understanding the difference between Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices. Each has different management capabilities and different Conditional Access behavior. This trips up a lot of candidates.

What this looks like on the job: A user's device fails compliance because they haven't updated Windows in 30 days. Conditional Access blocks their access to SharePoint. You get the alert in Intune, identify the issue, push an update, and their access is restored.

Domain 3 Deep Dive: Manage, Maintain, and Protect Devices (40–45%)

People underestimate update management. Windows Update for Business has nuances — the difference between quality updates (security patches) and feature updates (major OS versions), how deployment rings work, and how to handle devices that miss update windows. Spend time here.

What this looks like on the job: A security team identifies a critical vulnerability. You push an emergency update to 3,000 devices across 15 countries, monitor rollout via Endpoint Analytics, and identify 47 devices that failed — then remote-trigger a sync.

Domain 4 Deep Dive: Manage Applications (10–15%)

App protection policies (MAM) vs device enrollment (MDM) is heavily tested. On a personal device, you can protect corporate data inside apps without enrolling the device. Understanding when to use MAM vs MDM, and how to configure both, is critical.

What this looks like on the job: A contractor needs access to corporate email on their personal iPhone. You configure an app protection policy that wraps Outlook in a corporate container — their personal apps are untouched; corporate data is encrypted and can be wiped without touching personal content.

Who Should Take MD-102

Best fit:

  • IT support technicians with 1–3 years of Windows administration experience
  • Helpdesk analysts moving into systems administration
  • IT administrators managing hybrid (on-premises + cloud) environments
  • System administrators looking to validate Microsoft 365 skills
  • Anyone managing devices via Group Policy who wants to learn Intune

Prerequisites (unofficial but realistic):

  • Hands-on experience with Windows 10/11 administration
  • Basic understanding of Azure AD and Microsoft 365
  • Familiarity with Intune or willingness to spin up a trial tenant

Not the right cert if:

  • You're a complete beginner to IT (start with AZ-900 or MS-900 first)
  • You work exclusively in Linux/macOS environments
  • You're senior-level looking for expert certs (look at MS-102 or SC-300 instead)

Recommended path before MD-102: If you're new to Microsoft 365, consider MS-900 (Microsoft 365 Fundamentals) first. It gives you the conceptual foundation that makes MD-102 content click faster.

Week-by-Week Study Plan (6 Weeks)

WeekFocusKey Activities
Week 1Windows Deployment (Domain 1)Set up free Azure + Intune trial tenant. Lab: Configure Windows Autopilot. Study: Provisioning packages, WDS. Practice: 20–30 deployment questions.
Week 2Identity & Compliance (Domain 2)Lab: Conditional Access — block non-compliant devices. Study: Azure AD join types, Windows Hello. Lab: BitLocker compliance policy. Practice: 20 identity/compliance questions.
Week 3Device Config & Security Baselines (Domain 3 Part 1)Lab: Create/assign configuration profiles. Study: Security baselines — review Microsoft's actual baseline templates. Lab: Deploy Defender Antivirus policy. Practice: 30 questions.
Week 4Update Management & Monitoring (Domain 3 Part 2)Study: Windows Update for Business rings, deferral settings. Lab: Create three update rings (pilot, broad, critical). Study: Endpoint Analytics health scores. Practice: 30 questions.
Week 5Application Management (Domain 4)Lab: Deploy a Win32 app via Intune using Win32 Content Prep Tool. Study: App protection policies for iOS/Android. Lab: Deploy Microsoft 365 Apps via Intune. Practice: 25 app questions.
Week 6Full Practice Exams + Weak Area ReviewTake 2 full-length timed practice exams. Identify weakest domain — review 2 days. Final day: flashcards + 30 random questions. Use ExamCert MD-102 practice tests throughout.

Lab environment tip: A free Microsoft 365 Developer Program tenant gives you 25 E5 licenses for 90 days — everything you need to practice Intune, Autopilot, and Conditional Access at no cost. Add a free Azure trial for $200 in credits to cover Autopilot VM testing.

Real-World Applications: What the Job Actually Looks Like

The MD-102 isn't just an exam credential — it maps directly to what endpoint administrators do every day.

Scenario 1: New Employee Onboarding at Scale

HR notifies IT that 50 new engineers are starting Monday across 3 cities. You pre-register their laptops in Autopilot, assign them to a deployment profile, and ship the devices directly from the vendor to employees' homes. Each employee unboxes their laptop, signs in with their Azure AD credentials, and within 45 minutes has a fully configured, policy-compliant device with all required apps installed. Zero IT desk time.

Scenario 2: Security Incident Response

Your Defender for Endpoint alerts fire at 2 AM — a device in the Singapore office has suspicious PowerShell activity. You remote-collect diagnostics via Intune, isolate the device from the network with a single click, review the telemetry, and confirm it's a false positive from a legitimate IT tool. Device is back online in 20 minutes. No travel, no hands-on.

Scenario 3: Compliance Audit

Your company's compliance officer needs proof that all devices are encrypted and have current security patches. You pull an Endpoint Analytics compliance report, export it, and have the data in 10 minutes. Devices that failed compliance are flagged and the non-compliance workflow automatically emailed their managers.

Scenario 4: BYOD Policy Rollout

The company shifts to BYOD for contractors. You configure app protection policies for Outlook, Teams, and SharePoint — corporate data is encrypted within those apps, can be remotely wiped if a contractor leaves, and can't be copied to personal apps. The contractor's personal photos and messages are never touched.

Career Paths and Salary After MD-102

Immediate Job Roles

RoleAvg Salary (US)MD-102 Relevance
Endpoint Administrator$72,000–$95,000Direct match
IT Support Specialist (L2/L3)$55,000–$75,000Strong boost
System Administrator$70,000–$100,000Strong fit
Desktop Support Engineer$55,000–$80,000Direct match
Microsoft 365 Specialist$80,000–$110,000Excellent fit
Cloud Administrator$85,000–$120,000Good stepping stone
Security Analyst$80,000–$115,000Partial fit

PayScale puts the MD-102 average at ~$80K. Senior roles with 5+ years and additional certs (MD-102 + MS-102 + SC-300) regularly hit $130K–$160K. Top hiring companies: Microsoft, IBM, Cisco, Deloitte, General Dynamics IT, Accenture, and most large enterprises running Microsoft 365.

Certification Path: Where to Go Next

After MD-102, the natural progression is:

  1. MS-102 (Microsoft 365 Administrator) — Broader M365 admin skills: identity, compliance, security for the entire tenant. Pairs perfectly with MD-102.
  2. SC-300 (Identity and Access Administrator) — Goes deep on Entra ID, conditional access, privileged identity management. Salary bump is significant.
  3. SC-200 (Security Operations Analyst) — If you want to move into security. Your Defender for Endpoint knowledge from MD-102 carries directly over.
  4. AZ-104 (Azure Administrator) — If you want to expand into full Azure infrastructure.
  5. Microsoft 365 Certified: Enterprise Administrator Expert — The expert-level cert. Requires MD-102 + MS-102 or equivalent. Top of the M365 certification stack.

Cost, Renewal, and Maintenance

ItemDetail
Exam cost$165 USD (check regional pricing — AU, UK, EU often differ)
1st retakeNo waiting period required after failing
2nd+ retakes14-day wait between each
Certification validity1 year from passing date
RenewalFree — complete renewal assessment on Microsoft Learn before expiry
Renewal time30–40 questions, ~60–90 minutes, no exam center required
Total first-year cost~$165 exam + study materials (ExamCert: $4.99, Microsoft Learn: free)
Ongoing annual cost$0 (just your time for renewal assessment)

Unlike CISSP: No annual maintenance fees, no CPE credits required. Microsoft's renewal model is genuinely simple — complete a free online assessment once a year and you're done.

Study Resources That Actually Work

Free Resources

  • Microsoft Learn MD-102 learning path — Official, covers all domains, has labs built in. Use this as your primary reference.
  • Microsoft's official study guide — Lists every topic the exam can test. Download it and use it as a checklist.
  • John Savill's YouTube — Azure/M365 content, excellent for Intune deep dives and visual learners.
  • Microsoft 365 Developer Tenant — Free 90-day M365 E5 license for learning purposes. Mandatory, not optional.

Paid Resources

  • ExamCert MD-102 practice questions — $4.99 lifetime access, 30,000+ questions across Microsoft certs. By far the cheapest option and the most valuable for exam simulation.
  • Pluralsight or LinkedIn Learning — Video courses (~$30/month). Helpful for visual learners as a supplement.
  • MeasureUp official practice tests — ~$99 for 90-day access. Official, but pricey.

Honest Resource Ranking

  1. Microsoft Learn (free, authoritative, covers every exam objective)
  2. ExamCert practice questions (cheapest, great volume for exam simulation)
  3. Hands-on labs in a real Intune tenant (irreplaceable — no amount of reading replaces clicking through an Autopilot deployment)
  4. Video courses (helpful for visual learners, but supplement — don't replace — the above)

Start Practicing for Free

Try ExamCert's MD-102 practice questions — scenario-based, just like the real exam. $4.99 lifetime access or start free today.

Get Free MD-102 Practice Questions

Final Take

The MD-102 is a solid mid-tier investment. It's not the hardest cert in the Microsoft ecosystem, but it's not a rubber-stamp either. The Domain 3 scenarios — especially update rings, security baselines, and compliance policy enforcement — will test you.

Study timeline: 6 weeks if you already have Windows admin experience. 10–12 weeks if you're new to Intune and Azure AD.

ROI: Strong. Endpoint management isn't going anywhere. Every company running Windows + Microsoft 365 needs someone who can do this well. The $165 exam fee against a $72K–$100K salary target is an easy math problem.

Start with the free MD-102 practice test on ExamCert to gauge where you are. If you're scoring 60%+, you're closer than you think. If you're under 50%, you've got your study plan above.

Get certified. The endpoints won't manage themselves.

ExamCert

ExamCert Team

Certified IT professionals creating comprehensive exam guides and practice questions. Our team holds AWS, Azure, Microsoft, and other industry certifications.