1. An analyst opens a new incident in the Microsoft Defender portal that involves several devices and an obfuscated PowerShell script. What is the most appropriate first use of Microsoft Security Copilot?
   a) Automatically isolate every affected device based on Copilot's guided response recommendations.
   b) Generate an incident summary that organizes the attack overview, timeline, affected assets, and recommended actions, then ask follow-up questions to scope the investigation.
   c) Skip Copilot entirely and rely only on manual review of each alert because AI output cannot be trusted in security investigations.

2. A help desk technician reports that one Windows device receives a VPN profile while another similar device doesn't. Which Copilot in Intune capability most directly helps narrow the cause?
   a) Use Copilot to compare the two devices and identify differences in group membership, assigned policies, filters, and device attributes.
   b) Ask Copilot to automatically reassign the VPN configuration profile to every Windows device in the tenant.
   c) Run a Security Copilot promptbook for ransomware investigation against the affected device.

3. Why is AI-driven prioritization especially valuable when IT operations and security teams share responsibility for endpoints?
   a) It removes the need for security teams to review high-risk threats because operations teams can handle every issue.
   b) It guarantees that no device will ever require manual investigation again.
   c) It gives both teams a shared view of device state and risk so operations can focus on reliability and policy health while security focuses on high-risk threats and incident response.

4. Microsoft Defender shows that several devices in the same Intune group are involved in repeated alerts for the same suspicious behavior. Based on the unit guidance, what is the best next step for the endpoint administrator?
   a) Ignore the alerts because Intune already reports the devices as compliant.
   b) Treat the repeated alerts as a signal that an Intune policy or security control might need to change, and use device entity insights and advanced hunting to confirm the scope before adjusting policy.
   c) Immediately reimage every device in the group without further investigation.

5. An analyst wants to find every device in the environment that ran a specific suspicious file in the past two weeks. Which Microsoft Defender capability is designed for this question?
   a) Microsoft Secure Score recommendations.
   b) The threat analytics dashboard.
   c) Advanced hunting, optionally launched from an entity using the Go hunt action.