Exam SC-100 topic 1 question 12 discussion

AB looks correct to me

I don't think this is correct. Zero Trust its reffering to Conditional Access, so would be Microsoft Intune reports the endpoints as compliant. https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection and I assume The client access tokens are refreshed.

• Enforce conditional access based on trusted devices. We recommend that you enforce location-based conditional access to suit your organizational requirements. • Reset passwords after eviction for any user accounts that may have been compromised. • Revoke refresh tokens immediately after rotating your credentials. https://learn.microsoft.com/en-us/azure/security/fundamentals/recover-from-identity-compromise#remediate-user-and-service-account-access

B. Microsoft Intune reports the endpoints as compliant: Intune ensures that the endpoints meet the organization's compliance policies, verifying that they are secure and properly configured. https://learn.microsoft.com/en-us/security/zero-trust/deploy/endpoints D. Microsoft Defender for Endpoint reports the endpoints as compliant: Defender for Endpoint provides advanced threat protection and ensures that the endpoints are free from malware and other security threats. https://learn.microsoft.com/en-us/defender-endpoint/zero-trust-with-microsoft-defender-endpoint These conditions help maintain the integrity of the Zero Trust model by ensuring that only secure and compliant endpoints can access corporate applications.

B. Microsoft Intune reports the endpoints as compliant: In a Zero Trust model, compliance is verified before granting access. Intune is used to manage device compliance policies, and the endpoints need to be reported as compliant to ensure they are safe for accessing corporate applications again. D. Microsoft Defender for Endpoint reports the endpoints as compliant: Defender for Endpoint provides security management for endpoints. After the malware is removed, Defender must report that the endpoints are secure and compliant, ensuring that they are safe for access.

A. The client access tokens are refreshed B. Microsoft Intune reports the endpoints as compliant

Agree with the given answer

Tokens need to be refreshed, when a device is marked as incompliant. The access is revoked due to the incomliance state. Answer A In Intune you configure the compliance policy. Within the compliance policy you configure the risk level for defender. Intune reports the compliance state as compliant, if the defender risk level is equal to or lower than the configured value. Answer B. Answer C: Is wrong Answer D is incorrect, because Defender does not report compliance. It reports the client risk level.

Questions asks "which 2 conditions must be met". The answer is: D: Defender must report the risk as being mitigated to Intune B: Intune reports the device as compliant

Answer should be B and C from the below key points in the question and the reference conditional access link: The customer discovers that several endpoints are infected with malware. - This comes under Microsoft intune compliance reporting. The customer suspends access attempts from the infected endpoints. - Conditional access kicks in "when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated." The malware is removed from the endpoints. - "an automated investigation and remediation process is launched." https://learn.microsoft.com/en-us/defender-endpoint/conditional-access?view=o365-worldwide <<Understand the Conditional Access flow>>

To ensure that endpoint users can access the corporate applications again after malware removal, the following two conditions must be met: B. Microsoft Intune reports the endpoints as compliant: This ensures that the devices meet the organization’s compliance policies and are considered secure1. D. Microsoft Defender for Endpoint reports the endpoints as compliant: This confirms that the endpoints are free from threats and meet the security requirements1.

B and D is correct answer

Answer: B. Microsoft Intune reports the endpoint as compliant. D. Microsoft Defender for Endpoint reports the endpoint as compliant. Reason: In a Zero Trust model, it is necessary to verify the security and compliance status of endpoints before they access corporate applications. Microsoft Intune and Microsoft Defender for Endpoint report the compliance status of endpoints and ensure that the endpoints are secure. Reasons why other answers are different: A. Client access tokens are refreshed: While refreshing tokens is important, it is not directly related to verifying the security status of endpoints. C. A new Azure Active Directory (Azure AD) Conditional Access policy is applied: Conditional access policies help with access control but are not directly related to verifying the compliance status of endpoints.

Answer is BD Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide

Today, I read more about this question and eliminated given options based on the question scenario.. So, company uses zero trust model.. It already performed what needs to be done.. So, if some endpoints are malware infected and suspended to access company applications.. For re-access to applications (it says corporate applications not Microsoft 365 apps etc.) User's token needs to be refreshed and also Microsoft Defender for Endpoint also mark device healthy after scan etc.. So Options are; A and D.

When you force option C, automatically Conditional Access combined with B and D options.. So, there is last option with option C that is A.

To ensure that endpoint users can access the corporate applications again after the malware removal, consider the following two conditions: Microsoft Intune Reports Endpoints as Compliant (Option B): Microsoft Intune is a cloud-based endpoint management solution that helps manage and secure devices. After malware removal, the endpoints should be scanned and verified by Microsoft Intune to ensure compliance. If Intune reports the endpoints as compliant, it indicates that they meet security and policy requirements, allowing users to access corporate applications. Microsoft Defender for Endpoint Reports Endpoints as Compliant (Option D): Microsoft Defender for Endpoint (formerly Windows Defender ATP) provides advanced threat protection for endpoints. After malware removal, Microsoft Defender for Endpoint should verify that the endpoints are free from threats. If Defender reports the endpoints as compliant, it confirms that they are secure and can safely access corporate resources.