MD-102: Endpoint Administrator Exam Resource Guide (Beta)

The MD-102 exam has just been announced, and even though it won’t be available until May, that doesn’t mean we can’t take a closer look at what it covers, and how it differs from its predecessors, MD-100 and MD-101. Perhaps the most important thing to start with is that this exam replaces both of the previous MD exams, so does this mean that it covers everything that they cover, or has it cherrypicked objectives from the others?

Comparing the objectives between the three exams, it’s very clear that MD-102 is mostly based on MD-101, but there are still some MD-100 objectives in there, as well as a few new items that are reflective of changes that have occurred in Intune over the last few years.

Comparing MD-101 to MD-102 is most easily done by discussing things that don’t seem to have moved to the new exam. It’s important to note that just because something isn’t explicitly listed in an exam description doesn’t mean that it won’t be expected knowledge. The way I like to position this is that the baseline skills for exams evolve over time, and something that is directly mentioned early in a technology’s lifecycle as it may need to be called out, but years later it’s just “stuff you should know”. For this reason, it’s worth keeping a copy of latest MD-100 and MD-101 exam descriptions just in case there are things listed that you may still need to know.

Where this can be seen is where most of the MD-101 objectives didn’t carry over to the new exam – many of the Azure AD related items. Things like user and group management and the basics of Conditional Access policies. These are examples of things that may not have been viewed as assumed knowledge when MD-101 was first introduced, whereas now it really is assumed knowledge in many cases. I’ll cover the specifics about Conditional Access later, as they have been finetuned, rather than removed from the exam.

The domain objective that has been streamlined is for Microsoft Deployment Toolkit. Even though about half of the items aren’t included in the new exam description, those that are missing are still mostly covered by the ones that did move over, An example here is the new exam description doesn’t include “Create and use a task sequence”, but it still includes “Create, manage and deploy images”, which would expect you to know how to create and use task sequences. For those of you who don’t have much MDT exposure, the MD-101 MDT section is definitely worth using as part of your preparation.

As you can see from the previous paragraphs, there’s really not much that didn’t make it’s way from MD-101 into MD-102 in some form. MD-100 is the opposite, and it will be easier to discuss what did make it instead what didn’t make its way into MD-102. These are Select the appropriate Windows edition, remote management (excluding Remote Assist and Quick Assist), and not much more. Once again though, remember that some of the non-included MD-100 objectives really do fall into the things that a Desktop Administrator should be familiar with, so it wouldn’t be surprising to at least see some inclusion of them in MD-102 scenarios.

Where does that leave us in terms of new topics that have been added? Here’s a list of the new additions, as well as some of the reworded for clarity items. It’s not a big list, which is great news for those of you considering waiting for MD-102. If there’s anything major I’ve missed let me know in the comments.

• Remote Help
• Role Based Access Control (RBAC) for Intune
• Intune Connector for Active Directory
• Local Administrative Passwords Solution (LAPS) for Azure AD
• Conditional Access policies with compliance status
• Conditional Access policies with app protection policies
• Microsoft Tunnel for Intune
• Adoption Score
• Android profiles

Something I’ve discussed with others about these exam changes is that there will no longer be a traditional/classic/legacy Windows desktop exam once these changes take effect. Something that I hadn’t really thought about with MD-100 was that it mostly focused on non-cloud capabilities of Windows 10/11, which means that it wasn’t really aligned with most other Microsoft exams which are cloud focused. So while we may have better alignment moving forward, there is a gap being created for someone who is looking for something that focused on core Windows functionality and troubleshooting.

Deploy Windows client (25–30%)

Prepare for a Windows client deployment

• Select a deployment tool based on requirements
  • New computer deployment
• Choose between migrate and rebuild
  • Windows upgrade and migration considerations
• Choose an imaging and/or provisioning strategy
  • Deployment categories
• Select a Windows edition based on requirements
  • Compare Windows 10 business editions
  • Compare Windows 10 Home and Pro
• Implement subscription-based activation
  • Windows 10/11 Subscription Activation

Plan and implement a Windows client deployment by using Windows Autopilot

• Configure device registration for Autopilot
  • Adding devices
  • Windows Autopilot Deployment Program
• Create, validate, and assign deployment profiles
  • Configure Autopilot profiles
• Set up the Enrollment Status Page (ESP)
  • Enrollment Status Page
• Deploy Windows devices by using Autopilot
  • Windows Autopilot Scenarios and capabilities
  • Demonstrate Autopilot deployment on a VM
• Troubleshoot an Autopilot deployment
  • Windows Autopilot Troubleshooting Overview

Plan and implement a Windows client deployment by using the Microsoft Deployment Toolkit (MDT)

• Plan and implement an MDT deployment infrastructure
  • Prepare for deployment with MDT
• Create, manage, and deploy images
  • Create a Windows reference image
  • Configure MDT settings
  • Deploy a Windows 10 image using MDT
  • Configure Windows Deployment Services (WDS) in a remote site
  • Task sequences
  • Applications
  • Driver repository
  • Configure the MDT deployment share rules
  • MDT Rules
  • Verify database access in the MDT simulation environment
• Monitor and troubleshoot a deployment
  • Monitoring MDT
• Plan and configure user state migration
  • User State Migration Tool (USMT) Technical Reference

Configure remote management

• Configure Remote Help in Intune
  • Use Remote Help
• Configure Remote Desktop on a Windows client
  • Grant Remote Desktop access to your PC
• Configure the Windows Admin Center
  • Install Windows Admin Center
  • Get started with Windows Admin Center
• Configure PowerShell remoting and Windows Remote Management (WinRM)
  • Installation and Configuration for Windows Remote Management
  • Enable-PSRemoting

Manage identity and compliance (15–20%)

Manage identity

• Implement user authentication on Windows devices, including Windows Hello for Business, passwordless, and tokens
  • Windows Hello for Business
• Manage role-based access control (RBAC) for Intune
  • Role-based access control
• Register devices in and join devices to Azure AD
  • Azure AD joined devices
  • Azure AD registered devices
  • Hybrid Azure AD joined devices
  • Plan your Azure AD device deployment
• Implement the Intune Connector for Active Directory
  • Deploy hybrid Azure AD-joined devices
• Manage the membership of local groups on Windows devices
  • Assign local admins to Azure AD joined devices
• Implement and manage Local Administrative Passwords Solution (LAPS) for Azure AD
  • Windows LAPS and Azure Active Directory

Implement compliance policies for all supported device platforms by using Intune

• Specify compliance policies to meet requirements
  • Get started with device compliance policies in Intune
• Implement compliance policies
  • Create a device compliance policy
• Implement Conditional Access policies that require a compliance status
  • Device-based Conditional Access policy
• Manage notifications for compliance policies
  • Actions for noncompliance
• Monitor device compliance
  • Monitor device compliance
• Troubleshoot compliance policies
  • Troubleshoot policies and profiles

Manage, maintain, and protect devices (40–45%)

Manage the device lifecycle in Intune

• Configure enrollment settings
  • Enrollment options
  • Enroll devices
  • Android device enrollment guide for Microsoft Intune
  • Connect your Intune account to your Managed Google Play account.
  • Windows enrollment
  • Managing Windows 10 with Intune – The Many Ways to Enrol
• Configure automatic and bulk enrollment, including Windows, Apple, and Android
  • Set up automatic enrollment
  • Device enrollment manager
• Configure policy sets
  • Use policy sets
• Restart, retire, or wipe devices
  • Restart
  • Retire
  • Wipe

Manage device configuration for all supported device platforms by using Intune

• Specify configuration profiles to meet requirements
  • Determine requirements
• Implement configuration profiles
  • Configure device profiles
  • Create a filter
  • Add PowerShell scripts to Windows 10 devices in Microsoft Intune
• Monitor and troubleshoot configuration profiles
  • How Intune resolves policy conflicts
  • Troubleshoot policies and profiles
• Configure and implement Windows kiosk mode
  • Prepare a device for kiosk configuration
• Configure and implement profiles on Android devices, including fully managed, dedicated, corporate owned, and work profile
  • Android, Android Enterprise, AOSP
• Plan and implement Microsoft Tunnel for Intune
  • Microsoft Tunnel overview

Monitor devices

• Monitor devices by using Intune
  • Examine device inventory
• Monitor devices by using Azure Monitor
  • Review logs with Azure Monitor
• Analyze and respond to issues identified in Endpoint analytics and Adoption Score
  • What is Endpoint analyticc?

Manage device updates for all supported device platforms by using Intune

• Plan for device updates
  • Windows as a Service
  • Prepare servicing strategy for Windows client updates
  • Manage iOS/iPadOS software update policies in Intune
• Create and manage update policies by using Intune
  • Configure Windows Update for Business
  • Deploy updates using Windows Update for Business
• Manage Android updates by using configuration profiles
  • Android Enterprise device settings to allow or restrict features using Intune
• Monitor updates
  • Windows Update compliance reports
• Troubleshoot updates in Intune
  • Troubleshoot policies and profiles
• Configure Windows client delivery optimization by using Intune
  • Configure Delivery Optimization for Windows updates
• Create and manage update rings by using Intune
  • Configure Windows Update for Business
  • Deploy updates using Windows Update for Business

Implement endpoint protection for all supported device platforms

• Implement and manage security baselines in Intune
  • Manage security baselines
• Create and manage configuration policies for Endpoint security including antivirus, encryption, firewall, endpoint detection and response (EDR), and attack surface reduction (ASR)
  • Disk encryption
  • Windows Defender Application Control design guide
  • Enable exploit protection
  • Microsoft Defender Application Guard
  • Protect derived domain credentials with Credential Guard
  • Securing privileged access
• Onboard devices to Defender for Endpoint
  • Onboard to the Microsoft Defender for Endpoint service
  • Onboarding using Microsoft Endpoint Manager
  • Enable and configure always-on protection and monitoring
• Implement automated response capabilities in Defender for Endpoint
  • Endpoint detection and response overview
  • Evaluate capabilities
• Review and respond to device issues identified in the Microsoft Defender Vulnerability Management dashboard
  • Security operations dashboard
  • Threat protection reports

Manage applications (10–15%)

Deploy and update apps for all supported device platforms

• Deploy apps by using Intune
  • Assign apps to groups with Microsoft Intune
  • Dynamic group rule syntax
  • Deploy Windows 10/11 apps
• Configure Microsoft 365 Apps deployment by using the Microsoft Office Deployment Tool or Office Customization Tool (OCT)
  • Deployment guide
  • Overview of the Office Customization Tool
  • Overview of the Office Deployment Tool
  • Deploy Microsoft 365 Apps from a local source
• Manage Microsoft 365 Apps by using the Microsoft 365 Apps admin center
  • Overview of the Office cloud policy service for Microsoft 365 Apps for enterprise
• Deploy Microsoft 365 Apps by using Intune
  • Add Microsoft 365 apps to Windows 10/11 devices with Microsoft Intune
• Configure policies for Office apps by using Group Policy or Intune
  • Policies for Office apps in Intune
  • Change the update channel with Group Policy
  • Administrative Template files (ADMX/ADML) for Microsoft 365 Apps for enterprise
• Deploy apps to platform-specific app stores by using Intune
  • How to get Android apps
  • How to get iOS/iPadOS apps
  • Microsoft Store apps

Plan and implement app protection and app configuration policies

• Plan and implement app protection policies for iOS and Android
  • Determine requirements
• Manage app protection policies
  • Create app protection policies
  • App protection policies and work profiles (Android)
• Implement Conditional Access policies for app protection policies
  • App-based Conditional Access
• Plan and implement app configuration policies for managed apps and managed devices
  • iOS managed devices
  • Android managed devices
• Manage app configuration policies
  • App configuration policies