SC-200 Certification Practice Question #256

Question

You have a Microsoft 365 subscription. The subscription contains 500 devices that are onboarded to Microsoft Defender for Endpoint.

You have an Azure subscription that contains a Microsoft Sentinel workspace.

You need to run a pilot on 50 devices that will remediate threats automatically. The solution must meet the following requirements:

•	Minimize the impact on devices that are excluded from the pilot.
•	Minimize administrative effort.

What should you configure first?

Accepted Answer

Automated investigation and remediation (AIR) in Defender for Endpoint is scoped by device group — the "Automation level"/"Remediation level" (e.g. Full - remediate threats automatically) is a property set when you create the device group. To run a pilot on only 50 devices that auto-remediate while leaving the remaining 450 untouched and minimizing administrative effort, you must first create a device group containing those 50 devices and set its remediation level to Full. Everything else (any later policy or automation) is scoped to that group, so the device group is the correct first thing to configure. Suggested Answer, the lone community vote, and MS Learn all align on C; confidence is held at 88 rather than higher only because community participation is a single vote.

More SC-200 practice questions