Exam SC-200 topic 6 question 38 discussion

Actual exam question from Microsoft's SC-200

Question #: 38
Topic #: 6

You have a Microsoft 365 E5 subscription that contains a device named Device1.

From the Microsoft Defender portal, you discover that an alert was triggered for Device1.

From the Device inventory page, you isolate Device1.

You need to collect a list of installed programs on Device1.

What should you do?

A. Initiate a live response session and run the processes command.
B. Initiate an automated investigation and view the results in the Action center.
C. Initiate a live response session and run the analyze command.
D. Run an advanced hunting query against the DeviceTvmSoftwareInventory table.

Show Suggested Answer

Suggested Answer: B 🗳️

by Krayzr at June 13, 2025, 8:31 p.m.

Comments

Submit Cancel

Krayzr

1 day, 19 hours ago

Selected Answer: D

repeat Q D. Run an advanced hunting query against the DeviceTvmSoftwareInventory table. Here's why: Device isolation limits direct interaction with the device, so live response sessions (options A and C) may not be immediately possible or effective unless explicitly allowed during isolation. Automated investigations (option B) are useful for identifying threats and taking remediation actions, but they do not typically provide a comprehensive list of installed software. Advanced hunting using the DeviceTvmSoftwareInventory table (option D) is specifically designed to retrieve software inventory data across devices, including isolated ones, using Microsoft Defender for Endpoint's advanced hunting capabilities.

upvoted 1 times

...