Microsoft Endpoint Administrator
Updated 28-Apr-2026
HOTSPOT (Drag and Drop is not supported)You manage a Microsoft Deployment Toolkit (MDT) deployment share named DS1. DS1 contains an Out-of- Box Drivers folder named Windows 11 x64 that has subfolders in the format of {make name}\{model name}.You need to modify a deployment task sequence to ensure that all the drivers in the folder that match the make and model of the computers are installed without using PnP detection or selection profiles.What should you do? To answer, select the appropriate options in the answer area.Note: Each correct selection is worth one point.Hot Area:
Answer(s): A
Box 1: PreinstallPREINSTALLCompletes any tasks that need to be done (such as creating new partitions) before the target operating system is deployed.Incorrect:* INSTALLInstalls the target operating system on the target computer.* VALIDATIONIdentifies that the target computer is capable of running the scripts necessary to complete the deployment process.Box 2: Inject DriversInject DriversThis task sequence step injects drivers that have been configured for deployment to the target computer.The unique properties and settings for the Inject Drivers task sequence step type are:* Property: TypeSet this read-only type to Inject Drivers.* SettingsInstall only matching drivers: Injects only the drivers that the target computer requires and that match what is available in Out-of-Box DriversInstall all drivers: Installs all driversSelection profile: Installs all drivers in the selected profile
https://docs.microsoft.com/en-us/mem/configmgr/mdt/toolkit-reference
HOTSPOT (Drag and Drop is not supported)You use the Microsoft Deployment Toolkit (MDT) to deploy Windows 11.You need to modify the deployment share to meet the following requirements:Ensure that the user who performs the installation is prompted to set the local Administrator passwordDefine a rule for how to name computers during the deployment.The solution must NOT replace the existing WinPE image.Which file should you modify for each requirement? To answer, select the appropriate options in the answer area,Note: Each correct selection is worth one point.Hot Area:
Box 1: CustomSettings.iniYou can skip the entire Windows Deployment Wizard by specifying the SkipWizard property in CustomSettings.ini. To skip individual wizard pages, use the following properties:SkipAdminPasswordEtc.Note: The CustomSettings.ini file includes for example:AdminPassword=pass@word1DomainAdmin=CONTOSO\MDT_JDDomainAdminPassword=pass@word1Some properties to use in the MDT Production rules file are as follows:DomainAdmin. The account to use when joining the machine to the domain.DomainAdminDomain. The domain for the join domain account.DomainAdminPassword. The password for the join domain account.Box 2: CustomSettings.iniExample of content in the CustomSettings.ini file:SkipComputerName=YESOSDComputerName=%ComputerName%
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using- mdthttps://docs.microsoft.com/en-us/mem/configmgr/mdt/samples-guide
HOTSPOT (Drag and Drop is not supported)You have a Microsoft Entra tenant that contains the following:Windows 11 devices that are joined to Microsoft EntraA user that has a display name of User1 and a UPN of user1@contoso.comYou enable Remote Desktop on the Windows 11 devices.You need to ensure that User1 can use Remote Desktop to connect to the devices.How should you complete the command that must be run on each device? To answer, select the appropriate options in the answer areaNote: Each correct selection is worth one point.Hot Area:
Box 1: "Remote Desktop Users"Connect to remote Azure Active Directory joined deviceAdd users to Remote Desktop Users groupRemote Desktop Users group is used to grant users and groups permissions to remotely connect to the device. Users can be added either manually or through MDM policies:Adding users manually:You can specify individual Azure AD accounts for remote connections by running the following command, where <userUPN> is the UPN of the user, for example user@domain.com:net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"Box 2: AzureAD\User1@Contoso.com
https://learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc
HOTSPOT (Drag and Drop is not supported)You have a Microsoft 365 subscription that contains the devices shown in the following table.All the devices will be reimaged and licensed by using subscription activation.The devices are assigned to the users shown in the following table.For each of the following statements, select Yes if the statement is true. Otherwise, select No.Note: Each correct selection is worth one point.Hot Area:
Box 1: NoDevice1 has 14 GB RAM, 256 GB storage, and TPM version 1.2.TPM 2.0 is required to run Windows 11, as an important building block for security-related features. TPM 2.0 is used in Windows 11 for a number of features, including Windows Hello for identity protection and BitLocker for data protection.Note: Since July 28, 2016, all new device models, lines, or series (or if you're updating the hardware configuration of an existing model, line, or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the Minimum hardware requirements page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices.Box 2: NoDevice2 has 4 GB RAM, 64 GB storage, and TPM version 2.0. This is fine.At least 4 GB is required.At least 64 GB storage is required.Device2 is assigned to User2.There is a Microsoft 365 E3 license for this assignment.Microsoft 365 E3 is for Windows 11 Pro.Box 3: YesDevice3 meets the Windows 11 requirements.There is no Windows 11 license for Device3.
https://www.microsoft.com/en-us/windows/windows-11-specifications https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-recommendations
You have 500 computers that run Windows 10. The computers are joined to Microsoft Entra and enrolled in Microsoft Intune.You plan to distribute certificates to the computers by using Simple Certificate Enrollment Protocol (SCEP).You have the servers shown in the following table.NDES issues certificates from the subordinate CA.You are configuring a device configuration profile as shown in the exhibit. (Click the Exhibit tab.)You need to complete the SCEP profile.On which server is the required root certificate located?
Answer(s): C
As NDES issues certificates from the subordinate CA located at Server3, the root certificate should be used for Server3.
HOTSPOT (Drag and Drop is not supported)You have a Microsoft Entra tenant named contoso.com that contains the devices shown in the following table.The tenant contains the groups shown in the following table.You add an Autopilot deployment profile as shown in the following exhibit.For each of the following statements, select Yes if the statement is true. Otherwise, select No.Note: Each correct selection is worth one point.Hot Area:
Box 1: NoDevice1 is not deployed by using Windows Autopilot.Device1 is Azure AD joined.Device1 is not enrolled in Microsoft IntuneDevice1 is member of Group1.Group1 is an included group in the Autopilot deployment profile.Box 2: NoAs Device1, but Device2 is Enrolled in Microsoft Intune and is also member of Group2 as well.Group2 is excluded from Autopilot deployment profile.Box 3: YesAs Devíce1 but deployed by Windows Autopilot and Enrolled in Microsoft Intune.
https://learn.microsoft.com/en-us/autopilot/profiles
HOTSPOT (Drag and Drop is not supported)You have the Microsoft Deployment Toolkit (MDT) installed in three sites as shown in the following table.You use Distributed File System (DFS) Replication to replicate images in a share named Production.You configure the following settings in the Bootstrap.ini file.You plan to deploy Windows 10 to the computers shown in the following table.For each of the following statements, select Yes if the statement is true. Otherwise, select No.Note: Each correct selection is worth one point.Hot Area:
Box 1: NoBox 2: YesBox 3: Yes
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/build-a-distributed-environment- for-windows-10-deployment
DRAG DROP (Drag and Drop is not supported) (Drag and Drop is not supported)Your on-premises network contains an Active Directory Domain Services (AD DS) domain.You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains five virtual machines and is NOT connected to the on-premises network.You have a Microsoft 365 subscription that uses Microsoft Intune Suite.You purchase Windows 365 Enterprise licenses.You need to deploy Cloud PC. The solution must meet the following requirements:All users must be able to access their Cloud PC at any time without any restrictions.The users must be able to connect to the virtual machines on VNet1.How should you configure the provisioning policy for Windows 365? To answer, drag the appropriate options to the correct settings. Each option may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.Note: Each correct selection is worth one point.Select and Place:
Box 1: Microsoft Entra hybrid joinJoin typeSelect a Join type:Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Microsoft Entra ID by implementing Microsoft Entra hybrid joined devices. These devices are joined to your on-premises Active Directory and registered with Microsoft Entra ID.Microsoft Entra hybrid joined devices require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable. If this requirement is a concern, consider Microsoft Entra joining your devices.Box 2: Azure network connectionNetwork*-> Hybrid Microsoft Entra join: You must select an ANC (Azure network connection) to use for this policy.Note:* Microsoft Entra Join: You have two options for Network:- Microsoft hosted network: Select a Geography where you want your Cloud PCs provisioned. Then, for Region, you can select:Automatic (Recommended): The Windows 365 service automatically chooses a region within the selected geography at the time of provisioning. This automation decreases the chance of provisioning failure. A specific region: This option makes sure that your Cloud PCs are only provisioned in the region that you choose.- Azure network connection: Select an ANC to use for this policy.Box 3: EnterpriseLicense type"You purchase Windows 365 Enterprise licenses."Enterprise: Provision Cloud PCs for Windows 365 Enterprise.Frontline: Provision Cloud PCs for Windows 365 Frontline.
https://learn.microsoft.com/en-us/entra/identity/devices/concept-hybrid-join https://learn.microsoft.com/en-us/windows-365/enterprise/create-provisioning-policy
Share your comments for Microsoft MD-102 exam with other users:
AI Tutor Explanation 4/29/2026 5:25:25 AM
Question 1: Correct answer: C. Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft Intune admin center. Why this is correct
AI Tutor Explanation 4/29/2026 5:23:14 AM
Question 5: Correct answer: A. User4 and User1 only Why this is correct: - The Automatic Enrollment setting in Intune has MDM user scope: GroupA. Only users in GroupA can enroll devices via MDM auto-enrollment. - Device6 will be enrolled via Windows Autopilot and Intune, so enrollment is allowed only for users in GroupA. - Based on the group memberships in the scenario, User4 and User1 are in GroupA, while User2 and User3 are not. Therefore only User4 and User1 can enroll Device6. Quick tip for the exam: - Remember: MDM user scope determines who can auto-enroll devices; MAM scope controls app protection enrollment. When a new Autopilot device is enrolled, the signing-in user must be in the MDM scope.
AI Tutor Explanation 4/29/2026 5:17:10 AM
Why this is correct Correct answer: C. Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft Intune admin center. Why this is correct: - Windows Autopilot requires devices to be registered by their hardware IDs (hash) before Autopilot can deploy Windows 10 Enterprise. - Collect the hardware IDs from the new Phoenix machines, save them in a CSV, and upload that CSV in the Intune/Windows Autopilot area. This maps each device to an Autopilot deployment profile. - After registration, you can assign Autopilot profiles (Windows 10 Enterprise, etc.). Other options (serial number CSV, generalizing, or Mobility settings) are not the initial Autopilot registration steps.