You have 500 on-premises devices.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
You onboard 100 devices to Microsoft Defender 365.
You need to identify any unmanaged on-premises devices. The solution must ensure that only specific onboarded devices perform the discovery.
What should you do first?
To identify unmanaged on-premises devices effectively, you need to start by setting the Discovery mode to Basic on the onboarded devices. Basic discovery mode ensures that the onboarded devices can passively collect events in the network and extract the necessary device information without initiating network traffic. This will help you achieve the goal of identifying unmanaged devices while ensuring that only specific onboarded devices perform the discovery process.
C https://learn.microsoft.com/en-us/defender-endpoint/device-discovery?view=o365-worldwide
Basic discovery: In this mode, endpoints passively collect events in your network and extract device information from them. Basic discovery uses the SenseNDR.exe binary for passive network data collection and no network traffic is initiated. Endpoints extract data from all network traffic seen by an onboarded device. With basic discovery, you only gain limited visibility of unmanaged endpoints in your network.
Set Discovery mode to Basic. T
Answer D - Create a device tag. https://learn.microsoft.com/en-us/defender-endpoint/device-discovery-faq#can-i-control-which-devices-perform-standard-discovery A- Device groups are not used to specify which device perform discovery scans B- Exclusions are used to exclude specific devices from being scanned, no control which devices perform the scane C- setting discovery mode to basic just controls the type of scan that's performed it doesn't limit scans to only be run from a specific list of devices. D- as per the above article Devices tags can be used to ensure Standard Discovery scans are only performed by specific devices with the assigned tag. All other managed devices are limited to basic scans only. this doesn't quite meet the requirement in the question which infers ALL scans must be limited to specific devices but it is all that MS support and therefore answer D is the closest to meeting this requirement.
The keyword is first. The first think you should do is setup the discovery to basic. Then you can filter which devices can do the scan. It is during that second step that you will specify a tag,
I don't think you can setup a tag to a device if the discovery is set to Basic. The option to to choose 'Select Tag's grey's out in the portal.
I think D is correct as we will need to create a Tag for the devices and than tag these devices which can discover unmanaged devices. Even though the keyword is first, creating a tag should be the first step.
Set Discovery Mode to Basic: Configure the Discovery mode for your onboarded devices. Choose Basic discovery mode to passively collect events in your network and extract device information from them. Basic discovery uses the SenseNDR.exe binary for passive network data collection, and no network traffic is initiated. Endpoints extract data from all network traffic seen by an onboarded device. Note that with basic discovery, you gain limited visibility of unmanaged endpoints in your network