SC-200 Certification Practice Question #249

Question

You have 1,000 on-premises Windows 11 Pro devices that are onboarded to Microsoft Defender for Endpoint.

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You identify that an attacker performed the following actions on a device:

•	Modified the filesystem path of a registry-based antivirus exclusion
•	Downloaded a malicious file to the file system path

You initiate a live response session on the device.

You need to undo the registry change.

Which command should you run?

Accepted Answer

The attacker modified a registry-based antivirus exclusion, and the goal is to undo that registry change during a live response session. Per MS Learn, the only live response command that acts on a registry entry is `remediate`, which for a Registry entry performs a **delete** (removing the attacker's malicious exclusion value); the `registry` command is a basic, read-only command that merely "Shows registry values". `scan` runs an antivirus scan and `analyze` only reaches a verdict — neither restores or removes a registry entry. The Most Recent dissent (Neshiri, B) misstates the capability of the `registry` command. Note that `undo` would only restore an entity that Defender itself previously remediated, not a change made by the attacker, so it does not apply here either. The Suggested Answer, the dominant 12-vote Highly Voted comment, and the documented command behavior all converge on A; confidence is set at 86 because of the well-articulated (but factually wrong) B dissent.

More SC-200 practice questions