You have a Microsoft 365 tenant that contains a Windows 10 device named Device1 and the Microsoft Endpoint Manager policies shown in the following table. The policies are assigned to Device1. Which policy settings will be applied to Device1?
This rule is only applicable to ASR. Device Configuration Profile -> Endpoint protection template -> Microsoft Defender Exploit Guard -> Attack Surface Reduction. Though the question is the height of obfuscation itself, I believe the answer is A. Policy 2 is related to email, Policy 3 is not defining any setting.
Disable and not configure are same stage disable. Source: https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-defender-atp?pivots=atp-december-2020#attack-surface-reduction-rules
D: No settings
Attack surface reduction rules support a merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules.
Source: https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-defender-atp?pivots=atp-december-2020#attack-surface-reduction-rules
Agreed, D
Note
Conflict handling:
"If you assign a device two different ASR policies, the way conflict is handled is rules that are assigned different states, there is no conflict management in place, and the result is an error.
Non-conflicting rules will not result in an error, and the rule will be applied correctly. The result is that the first rule is applied, and subsequent non-conflicting rules are merged into the policy."
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#mem
Disagree. That paragraph is related to two asr policies.
You missed the most important statement:
Policy Conflict
If a conflicting policy is applied via MDM and GP, the setting applied from MDM will take precedence.
Reference: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
Look at this discussion: https://techcommunity.microsoft.com/t5/microsoft-intune/difference-between-quot-devices-gt-configuration-profiles-quot/m-p/3260865
There someone tested it and confirmed that a setting in a Device Configuration Profile took precedence over a ASR policy.
So for me answer is Policy 1, Answer A
No settings apply due to policy conflicts as previously stated - see Bakje's answer. Dont get misdirected mistaking the values of the settings with the policies themselves. The values are set to Audit or Disabled, not if the policy itself is audit or disabled.
Answer is D because the setting about "Block obfuscation of potentially obfuscated scripts" has 3 conflicting values, so it will no applied (https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-defender-atp?pivots=atp-december-2020#attack-surface-reduction-rules)
https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-defender-atp?pivots=atp-december-2020#attack-surface-reduction-rules
The key here is that this rule, "Block obfuscation of potentially obfuscated scripts" is an attack surface reduction rule. You can configure it from the three places the article is talking about. Therefore, the statement in the article applies;
When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don't conflict are added to the superset policy that applies to a device.
The answer is D.
D: No Settings.
When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don't conflict are added to the superset policy that applies to a device.
I would agree this. There are only four values that an ASR policy can have listed below. This would make the first two in conflict and not apply leaving only the last policy to apply as not configured is not an ASR value.
0 : Disable (Disable the ASR rule)
1 : Block (Enable the ASR rule)
2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)
6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)
I think A as well. Auditing is not actively doing anything on the policy, but it's still tracking and pulling logs for the device it attached to and that is "something"
This section is not available anymore. Please use the main Exam Page.MS-101 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
mnak
Highly Voted 3 years, 6 months agoqhuy199
1 year, 4 months agoBakje
Highly Voted 3 years, 6 months agoOneplusOne
3 years, 4 months agous3r
3 years, 5 months agoamymay101
3 years, 5 months agoIamrandom
2 years, 11 months agoFeyenoord
Most Recent 2 years agoprabhjot
2 years, 1 month agoEsamiTopici
2 years, 1 month agoLelek
2 years, 3 months agohufflepuff
2 years, 3 months agohufflepuff
2 years, 3 months agopsp65
2 years, 4 months agobac0n
2 years, 5 months ago4Shawsy
2 years, 6 months agosoydlm
2 years, 10 months agoAZalan
3 years agoKalzonee3611
3 years, 3 months agoJAPo123
3 years, 3 months agoLK4723
2 years, 8 months agoJoshycannon
3 years, 3 months agoLlex
3 years, 4 months ago