Section 1: Overview of Microsoft Defender for Endpoint (MDE)
Q1. Which MDE capability is primarily designed to reduce the number of ways malware can run on endpoints?
A. EDR
B. ASR
C. AIR
D. Vulnerability management
Answer: B
Explanation: Attack surface reduction (ASR) reduces exploitable behaviors (for example, blocking risky process creation patterns and hardening common attack vectors). EDR detects suspicious activity, AIR remediates, and vulnerability management focuses on exposure posture.
Q2. Your security team wants a feature that automatically investigates and can remediate detected threats by quarantining files or stopping malicious processes. Which MDE feature is this?
A. Next-generation protection
B. Threat analytics
C. Automated investigation and remediation (AIR)
D. Secure Score for Devices
Answer: C
Explanation: AIR performs automated investigation and can take remediation actions (quarantine, remove persistence, stop processes). Next-gen protection is prevention; threat analytics is intelligence; Secure Score is posture scoring.
Q3. Which statement best describes EDR?
A. Signature-based antivirus only
B. Behavioral detection and investigation based on endpoint telemetry
C. A compliance scoring tool
D. A patching service
Answer: B
Explanation: EDR is driven by behavioral telemetry and is used for detection, investigation, and response workflows.
Section 2: Integrating MDE with Intune (Service-to-service connection)
Q4. Your Intune admin center shows Defender for Endpoint connection status as “Unavailable.” Where do you enable the Intune connection?
A. Intune admin center → Devices → Windows → Configuration profiles
B. Microsoft 365 Defender portal → Settings → Endpoints → Advanced features
C. Entra admin center → Conditional Access
D. Microsoft 365 admin center → Settings → Org settings
Answer: B
Explanation: The Intune connection toggle is enabled in the Microsoft 365 Defender portal under Endpoints > Advanced features; once enabled, the Intune admin center reflects the connection status.
Q5. What is the main benefit of integrating MDE with Intune?
A. It replaces Microsoft Entra ID
B. It allows Defender threat signals to be used in Intune compliance and Conditional Access decisions
C. It converts Windows devices to Autopilot devices automatically
D. It disables the Windows firewall to prevent conflicts
Answer: B
Explanation: The integration enables risk/health signals from Defender to feed Intune compliance, which can then drive Conditional Access enforcement.
Section 3: Configuring Defender for Endpoint settings (Intune Endpoint security)
Q6. You need to deploy Defender for Endpoint onboarding to Windows 10/11 devices using Intune. Which policy area is most directly associated with onboarding configuration?
A. Endpoint security → Endpoint detection and response
B. Endpoint security → Antivirus
C. Apps → App configuration policies
D. Devices → Compliance policies
Answer: A
Explanation: The Endpoint detection and response (EDR) policy area includes onboarding/offboarding package options (including “Auto from connector” in integrated setups).
Q7. You want to standardize Defender security settings across platforms. Which Intune concept determines the category of settings for a feature (for example, Antivirus exclusions vs Antivirus core settings)?
A. Scope tag
B. Assignment filter
C. Profile
D. Compliance action
Answer: C
Explanation: In Intune Endpoint security, Profile selects the settings category within a feature for a platform.
Q8. You have both Windows 11 and macOS devices and want to configure disk encryption settings for each platform. What must you do?
A. One policy covers both platforms automatically
B. Create separate policies per platform/profile combination
C. Use only compliance policies
D. Configure only in Microsoft 365 admin center
Answer: B
Explanation: Endpoint security policies are platform-specific. You typically create at least one policy per platform for a feature.
Section 4: Compliance policy evaluation and device risk integration
Q9. You want Intune to mark devices noncompliant when Defender reports high risk. What do you configure first?
A. An Exchange transport rule
B. A Defender attack simulation
C. Intune–Defender service-to-service integration and compliance policy evaluation
D. A SharePoint sensitivity label
Answer: C
Explanation: You must integrate Intune and Defender and enable the evaluation settings so Intune can consume Defender signals for compliance.
Q10. You configured an Intune compliance policy and want to restrict access to Microsoft 365 apps from noncompliant devices. What is the next step?
A. Configure a Conditional Access policy that requires a compliant device
B. Configure MFA for all users
C. Configure a retention policy
D. Configure a DLP policy for endpoints
Answer: A
Explanation: Compliance becomes enforceable for access only when a Conditional Access policy includes the “Require device to be marked as compliant” grant control.
Section 5: Onboarding Windows devices to MDE
Q11. You have 8 Windows 11 devices in a lab and need a quick onboarding method with minimal infrastructure. What is the best option?
A. Group Policy only
B. Local script onboarding
C. Third-party re-packaged installer
D. Disable Defender and use another antivirus
Answer: B
Explanation: For a small number of devices, local scripts are simple. Repackaging is not recommended because it can trigger tamper alerts.
Q12. You onboarded devices via the Intune connector and also deployed an EDR onboarding policy to the same group. Now you see conflicts. What is the best fix?
A. Keep both. Conflicts are required
B. Remove one onboarding method so each device is onboarded/configured by a single approach
C. Disable cloud protection
D. Disable Intune enrollment
Answer: B
Explanation: Use one primary method per device to avoid conflicts and confusing states.
Section 6: Onboarding macOS devices to MDE (Intune)
Q13. Why does macOS onboarding often require multiple configuration profiles?
A. macOS cannot run antivirus software
B. macOS requires explicit permission profiles for extensions, full disk access, network filtering, notifications, and background services
C. Intune does not support macOS enrollment
D. Defender for Endpoint does not support macOS
Answer: B
Explanation: The macOS security model requires explicit configuration and user-consent permissions before the full set of protection features can function.
Q14. What is the most common reason MDE on macOS appears installed but does not provide full protection signals?
A. The device is not Azure AD joined
B. Missing required macOS permissions such as Full Disk Access or system extensions approval
C. The user is not a Global Admin
D. The Mac must be domain-joined
Answer: B
Explanation: Without the required permissions (TCC approvals such as Full Disk Access and system extension approval), MDE functionality is limited even when the app is installed.
Section 7: Reviewing and responding to endpoint vulnerabilities
Q15. Your vulnerability team wants to prioritize remediation based on exposure and business impact rather than a raw list of CVEs. Which MDE capability helps most?
A. Vulnerability management with prioritized recommendations and exposure insights
B. App configuration policies
C. Microsoft Bookings
D. Transport rules
Answer: A
Explanation: Defender Vulnerability Management provides inventory, assessments, and prioritization to reduce exposure efficiently.
Q16. You need to confirm whether missing updates and insecure configurations are contributing to your endpoint risk posture. Where do you look first?
A. Microsoft 365 admin center billing
B. Microsoft 365 Defender portal vulnerability management / security recommendations views
C. SharePoint admin center
D. Teams admin center
Answer: B
Explanation: Vulnerability management and recommendations are reviewed in the Defender security portal.
Section 8: Reviewing and responding to risks (Incidents, alerts, AIR)
Q17. An incident is created with multiple related alerts across three endpoints. What is the best first step?
A. Immediately wipe all devices
B. Review the incident timeline and impacted entities, then validate scope and severity
C. Disable Conditional Access
D. Remove all users from groups
Answer: B
Explanation: Triage starts with incident scope, affected devices/accounts, and evidence to decide containment actions.
Q18. You suspect lateral movement. Which response action is most appropriate to immediately stop a device from communicating while you investigate?
A. Add device to dynamic group
B. Isolate device (containment)
C. Change desktop wallpaper
D. Disable Windows Update
Answer: B
Explanation: Isolation is a rapid containment step to prevent spread while preserving the device for investigation.
Q19. You want automated cleanup when Defender finds commodity malware, but you still want analysts to approve actions for high-risk cases. What is a reasonable approach?
A. Disable AIR entirely
B. Use automated investigation with configured automation levels and controlled approvals where needed
C. Only use manual remediation always
D. Move devices to another tenant
Answer: B
Explanation: You can tune automation to balance speed and control, especially across device groups.
Q20. Which combination best represents the flow from device health to cloud access enforcement?
A. DLP → retention → eDiscovery
B. MDE risk signals → Intune compliance → Conditional Access
C. Teams policy → SharePoint site → OneDrive sync
D. Exchange rule → DKIM → SPF
Answer: B
Explanation: This is the standard integration pattern tested in MS-102 scenarios.