Exam MS-100 topic 2 question 38 discussion

This I am quite sure is wrong, a standalone sensor is the only option with port mirroring. Because you cant install agents on DC's, the answer provided is wrong (in my opinion). I am happy if someone wishes to challenge that.

I agree with @PlasticMind. Azure ATP Sensor will be installed on DC which is in this case not allowed (answers C and D). Azure ATP standalon sensor with port mirroring must be the correct answer (A). See here https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-capacity-planning#choosing-the-right-sensor-type-for-your-deployment

I hope the exam questions are clearer that this. The way i read it is, the company has a secuirty policy (writen) not configured, to not install any app on DC. And we need to use aATP sensor to monitor and report on this...the scenario does not specify that that it need to be monitored from the DC, but answer is indicated this was in the mind of the question creator.

I vote A.

If you don’t want to deploy the Azure ATP Sensor directly on your domain controllers, you can instead deploy the Azure ATP Standalone Sensor on a separate server. The standalone sensor monitors traffic that you direct to it by using port mirroring on your network switches. https://practical365.com/azure-atp-intro/

A is the way imo

no doubt A

This is the answer. Trust me bro :)

If you're installing on a domain controller, you don't need a standalone ATP sensor. You need to configure the detections to detect application installations. With an ATP sensor (non-standalone), you don't need to configure port mirroring. Reference: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step5 https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-capacity-planning#choosing-the-right-sen

Update answer to A

A, you cannot install on active directory due to policy

I'll go with A, since in the question it states "Your company has a security policy that prevents additional software from being installed on domain controllers." That being said you can install Azure ATP standalone sensor on domain controller.

Answer should be A We cannot install additional software on the domain controllers. Azure ATP Standalone Sensor is a full agent installed on a dedicated server that can monitor traffic from multiple domain controllers. This is an alternative to those that do not wish to install an agent directly on a domain controller.

From here looks like the "Azure ATP Sensor" is feasible to install on DC. So I'll go with C. https://docs.microsoft.com/en-us/defender-for-identity/install-step4

I think correct is A

Does a stand-alone sensor even exist now? I can;t see any reference to it in the MS install guides?

It's a tricky question. We need to install ATP to fulfill the security policy. In this way C is correct answer.