
Exam MS-101 topic 2 question 86 discussion

Actual exam question from Microsoft's MS-101
Question #: 86
Topic #: 2

HOTSPOT -
You have a Microsoft 365 E5 tenant that connects to Microsoft Defender for Endpoint.
You have devices enrolled in Microsoft Intune as shown in the following table.

You plan to use risk levels in Microsoft Defender for Endpoint to identify whether a device is compliant. Noncompliant devices must be blocked from accessing corporate resources.
You need to identify which devices can be onboarded to Microsoft Defender for Endpoint, and which Endpoint security policies must be configured.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-machines-onboarding?view=o365-worldwide

Comments

ZuluHulu
Highly Voted 3 years, 6 months ago
I believe the answer to the second question is device configuration policy, device compliance policy and conditional access.
upvoted 39 times
amymay101
3 years, 6 months ago
I agree, surely all 3 need to be configured to provide a complete solution
upvoted 10 times
jkklim
Highly Voted 3 years, 6 months ago
https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile
To be successful, you'll use the following configurations in concert:
- Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint. This connection lets Microsoft Defender for Endpoint collect data about machine risk from supported devices you manage with Intune.
- Use a device configuration profile to onboard devices with Microsoft Defender for Endpoint. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level.
- Use a device compliance policy to set the level of risk you want to allow. Risk levels are reported by Microsoft Defender for Endpoint. Devices that exceed the allowed risk level are identified as noncompliant.
- Use a conditional access policy to block users from accessing corporate resources from devices that are noncompliant.
upvoted 13 times
ubt
3 years, 4 months ago
However, this doesn't show Win8.1 as an option and there is no answer that has all devices over then Win8.1...
upvoted 1 times
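The compliance and Conditional Access steps from the documentation quoted above, as an added example that is not part of any comment on this page or of Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK is installed and that the Intune connection and device onboarding are already in place; the display names and the Medium threshold are constructed for illustration.

```powershell
# Added example: sign in with the scopes needed for Intune compliance
# policies and Conditional Access policies.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All', 'Application.Read.All'

# Compliance policy: a Windows 10/11 device whose Defender for Endpoint
# machine risk is above Medium is marked noncompliant.
$compliance = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Example - MDE risk at or below Medium'   # constructed name
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'
    # Graph requires a "block" scheduled action when a compliance policy is
    # created; a grace period of 0 marks the device noncompliant immediately.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0 }
            )
        }
    )
}
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# Conditional Access policy: grant access only from devices that Intune
# reports as compliant. Created in report-only mode so the sign-in logs can
# be reviewed first; set state to 'enabled' to enforce the block.
$ca = @{
    displayName = 'Example - require compliant device'        # constructed name
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
```

The compliance policy has no effect until it is assigned to a group, and a policy that targets all users should exclude an emergency access account before it is enforced.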
Amir1909
Most Recent 1 year, 3 months ago
- Device1, Device2, Device3, and Device4
- Device configuration Profile, device compliance policy, and conditional access policy
upvoted 1 times
BigDazza_111
1 year, 8 months ago
In question #82 apparently only MacOS and Windows devices can be configured with MS Endpoint config profiles, and now in this question they say all devices can be applied to device config profile. WTF thanks for teaching me the meaning of the word 'obfuscate' ET's!
upvoted 1 times
Mshaty
1 year, 12 months ago
"You plan to use risk levels in Microsoft Defender for Endpoint to identify whether a device is compliant." This is where you draw your answer from. The policy is to identify whether it's compliant or not.
upvoted 1 times
ACTOSA
2 years, 2 months ago
So I was torn but I think I understand why. You need a compliance policy and a conditional access policy. However the conditional access is for the application rather than the endpoint. The question states what endpoint policies would need to be implemented. A configuration profile is irrelevant to this question.
upvoted 1 times
Lelek
2 years, 3 months ago
The answer should be:
1 - Device1, Device2, Device3 and Device 4
2 - Device Configuration profile, device compliance policy, and conditional access policy
If you look at Microsoft's official documentation, it says that it supports Windows 8.1, in addition to supporting iOS and Android, in addition to Windows 10. You can confirm at the link: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide
As for the second question, it asks "security policies that must be configured". If you look at the beginning of the question, you will find the text "Noncompliant devices must be blocked from accessing corporate resources.", so to meet this demand, we first need to configure the Compliance Policy to mark whether the device is compliant or non-compliant, but still need to block if the device is non-compliant, so we use Conditional Access. And finally the Configuration Profile is for onboarding with the MDE.
upvoted 3 times
hufflepuff
2 years, 3 months ago
Ok, think I've sorted out the confusion, I hope this helps. Please flag if I've missed something.
Endpoint supports all the listed devices (including 8.1), however Intune only supports: Android, iOS/iPadOS, Windows 10/11
- Use compliance policies to set device risk levels.
- Use conditional access policies to block devices that exceed your expected risk levels.
The above two policies would be enough if we excluded Windows 8.1, but to support that device - "You can manage Defender for Endpoint security configurations on devices that aren’t enrolled with Intune"
So my answer:
1) device1, device2, device3, device4
2) device configuration policy, device compliance policy and conditional access.
References:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide
https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure
https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile
upvoted 2 times
EsamiTopici
2 years, 3 months ago
But is Windows 8.1 correct in the first answer?
upvoted 1 times
chrys
2 years, 9 months ago
You would need config, compliance, and conditional access policies according to this MS doc:
Use the information and procedures in this article to configure integration of Microsoft Defender for Endpoint with Intune. Configuration includes the following general steps:
- Enable Microsoft Defender for Endpoint for your tenant
- Onboard devices that run Android, iOS/iPadOS, and Windows 10/11
- Use compliance policies to set device risk levels
- Use conditional access policies to block devices that exceed your expected risk levels
Android and iOS/iPadOS, use app protection policies that set device risk levels. App protection policies work with both enrolled and unenrolled devices.
https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure
upvoted 5 times
EsamiTopici
2 years, 3 months ago
so the first answer is wrong(?) windows 8.1 not supported
upvoted 1 times
itmaster
3 years, 1 month ago
Configuration profile is only needed if you want to onboard devices through Intune. The right answer for the second question should be: "compliance policy and conditional access policy only". However, this is not an option, so I am thinking the question is asking for a solution for both onboarding devices and controlling access through Intune, and if this is the case the second question would be okay to include "configuration profile" in it, but in that case the answer for the first question should be "device 1 only", because it is not onboard Android, iOS, and Windows 8 through "configuration profiles".
upvoted 2 times
itmaster
3 years, 1 month ago
correction.... because it is not supported* to* onboard Android, iOS, and Windows 8 through "configuration profiles"
upvoted 1 times
itmaster
3 years, 1 month ago
https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure#:~:text=There%20isn%27t%20a%20configuration%20package%20for%20devices%20that%20run%20iOS/iPadOS
upvoted 1 times
itmaster
3 years, 1 month ago
https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure#:~:text=There%20isn%27t%20a%20configuration%20package%20for%20devices%20that%20run%20Android
upvoted 1 times
jkklim
3 years, 5 months ago
Devices managed with Intune: The following platforms are supported for Intune with Microsoft Defender for Endpoint:
- Android
- iOS/iPadOS
- Windows 10/11 (Hybrid Azure Active Directory Joined or Azure Active Directory Joined)
upvoted 3 times
jkklim
3 years, 5 months ago
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide
for answer 1 ==> all devices
upvoted 7 times
goape
3 years, 5 months ago
jkklim has linked a good document here. Win10/11, Android and iOS devices can be onboarded. We'd need all 3 policy types to set this up.
upvoted 2 times
Johnnien
3 years, 6 months ago
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide
upvoted 1 times
[Removed]
3 years, 6 months ago
There's no need to create a configuration policy. You only need to block access when a device is not compliant. But that's not an option, so the answer is we need to set up all profiles.
upvoted 2 times