SC-200 Certification Practice Question #235

Question

You have a Microsoft 365 subscription. The subscription contains 500 Windows 11 devices that are onboarded to Microsoft Defender for Endpoint.

You have 500 devices that run Linux.

Users sign in to the Windows and Linux devices by using their Microsoft Entra credentials.

You need to recommend a response process for Microsoft Defender XDR security incidents associated with a compromised Linux endpoint. The solution must ensure that the compromised device is prevented from communicating with all devices onboarded to Defender for Endpoint.

Which response action should you include in the recommendation?

Accepted Answer

The compromised endpoint is Linux, and the goal is to stop it communicating with all Defender for Endpoint–onboarded devices. While "Contain device" literally describes blocking incoming/outgoing communication across onboarded devices, MS Learn restricts that capability to onboarded **Windows 10 / Server 2019+** devices — it cannot be applied to a Linux device. Device **isolation**, by contrast, is explicitly supported on Microsoft Defender for Endpoint on Linux and disconnects the device from the network (retaining only the Defender service connection), which prevents it from reaching any other device. Both the Suggested Answer and the community Most Voted converge on C, and the strongest comments (kasutakun, milkfish) cite the Linux isolation support directly. Confidence is held at 85% rather than higher because the requirement wording superficially favors "Contain device" and the community shows a real B-vs-C split.

More SC-200 practice questions