Contoso wants to onboard its Windows 11 devices to Microsoft Defender with the least administrative effort. Devices are already enrolled in Microsoft Intune and the Intune-to-Defender service connection is enabled. Which approach should the endpoint administrator use?
Download the onboarding package from the Microsoft Defender portal and deploy it as a custom configuration profile in Intune.
Create an Endpoint detection and response policy in Intune for the Windows platform and set the client configuration package type to Auto from connector.
Create a Microsoft Defender Antivirus policy in Intune and assign it to the Windows devices.
A security baseline assigned to a Windows device group enforces a setting that an existing endpoint security antivirus policy also configures with a different value. Where can the administrator see that two policies are setting the same value differently for the same device?
In the Microsoft Defender portal under Settings > Endpoints > Advanced features.
In the device's local Windows Security app on the endpoint itself.
In the Microsoft Intune admin center on the policy status pages, which report policy conflicts when different policies apply different values for the same setting.
An analyst opens an incident in the Microsoft Defender portal and needs to understand what happened, which assets are affected, and whether the threat is still active. Which incident-page artifact best supports this triage step?
The incident's correlated alerts, affected assets, evidence, and attack story view.
The Microsoft Defender Antivirus exclusions list configured in Intune.
The EDR Onboarding Status tab in the Intune admin center.
An endpoint administrator wants to deploy attack surface reduction rules in audit mode first, to measure their impact before switching them to block. Which Intune workload should they use, and what is a prerequisite for the rules to take effect?
Endpoint security > Attack surface reduction, with Microsoft Defender Antivirus as the primary antivirus on Windows devices.
Devices > Configuration profiles > Administrative templates, with the device joined to an on-premises Active Directory domain.
Endpoint security > Firewall, with a third-party antivirus configured as the primary antivirus on Windows devices.
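The two questions above (onboarding through the Intune EDR policy, and ASR rules in audit mode with Microsoft Defender Antivirus as the primary antivirus) are both things a practitioner checks on a pilot device before trusting the portal view. The following PowerShell is an added example written for this page; it is not code from the Microsoft Learn module. It assumes it runs in an elevated session on a Windows 11 device, uses only the documented Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Add-MpPreference), the documented onboarding status registry key, the documented ASR event IDs 1121 (block) and 1122 (audit), and the documented rule ID for "Block credential stealing from the Windows local security authority subsystem (lsass.exe)". The $applyLocalAudit switch is a hypothetical lab-only guard: on an Intune-managed device, ASR settings belong in the Endpoint security > Attack surface reduction policy, and setting them locally is exactly the kind of conflicting value the Intune policy status pages would flag.

```powershell
# Added example, not from the Microsoft Learn module.
# Local checks on a pilot Windows 11 device:
#   1. did the device complete Defender for Endpoint onboarding after the
#      Intune EDR policy (client configuration package type "Auto from connector") applied,
#   2. is Microsoft Defender Antivirus the primary AV (prerequisite for ASR rules),
#   3. which ASR rules are configured and in which mode,
#   4. (lab only) put one rule into audit mode locally,
#   5. count audit vs block events to measure impact before enforcing.
$ErrorActionPreference = 'Stop'
$applyLocalAudit = $false   # hypothetical guard: leave $false on Intune-managed devices

# --- 1. Onboarding status --------------------------------------------------
# "Sense" is the Defender for Endpoint sensor service. OnboardingState = 1
# means onboarding completed (documented onboarding troubleshooting key).
$sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    SenseService    = if ($sense) { $sense.Status } else { 'not installed' }
    OnboardingState = $status.OnboardingState    # 1 = onboarded
    OrgId           = $status.OrgId              # tenant the device reports to
}

# --- 2. AV running mode -----------------------------------------------------
# ASR rules only enforce when Defender AV is primary ('Normal').
# 'Passive Mode' / 'SxS Passive Mode' means another AV owns protection.
$mp = Get-MpComputerStatus
if ($mp.AMRunningMode -ne 'Normal') {
    Write-Warning "Defender AV running mode is '$($mp.AMRunningMode)'; ASR rules will not apply until Defender AV is the primary antivirus."
}

# --- 3. Current ASR rule configuration --------------------------------------
# Action codes as reported by Get-MpPreference: 0 Disabled, 1 Block, 2 Audit, 6 Warn
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
if ($pref.AttackSurfaceReductionRules_Ids) {
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "unknown($code)" }
        }
    }
} else {
    Write-Output 'No ASR rules configured on this device.'
}

# --- 4. Lab only: audit one rule locally ------------------------------------
# Documented rule ID: Block credential stealing from LSASS.
# On an Intune-managed device, configure this in the Endpoint security >
# Attack surface reduction policy instead; a local value that differs from
# the policy shows up as a conflict on the Intune policy status pages.
$lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
if ($applyLocalAudit) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRule `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# --- 5. Measure impact: audit (1122) vs block (1121) events, last 7 days ----
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId = $_.Name
        Meaning = if ($_.Name -eq '1122') { 'ASR audit (would have blocked)' } else { 'ASR block' }
        Count   = $_.Count
    }
}
```

A high 1122 count for a rule is the signal that moving it to block mode will break something; investigate those events (they carry the process and target path) before flipping the Intune policy from Audit to Block.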
A high-severity incident in the Microsoft Defender portal involves a privileged account and signs of lateral movement. According to the recommended triage workflow, what should the analyst do next?
Close the incident as informational because privileged accounts are expected to access multiple systems.
Delete the impacted accounts and reimage every affected device immediately, without further triage.
Assign an owner, add tags such as Privileged user and Needs escalation, summarize triage findings in comments, and notify the appropriate response team.