Exam SC-400
Question 278

You need to implement a solution that meets the compliance requirements for the Windows 10 computers.

Which two actions should you perform? Each correct answer presents part of the solution. (Choose two.)

NOTE: Each correct selection is worth one point.

    Correct Answer: A, C

    To meet the compliance requirements for Windows 10 computers, you should deploy a Microsoft 365 Endpoint data loss prevention (Endpoint DLP) configuration package to the computers and configure hybrid Azure AD join for all the computers. Deploying the Endpoint DLP package directly to the computers allows you to monitor and control data loss from organizational devices. Configuring hybrid Azure AD join ensures that the devices are properly joined to Azure AD, which is necessary for enforcing compliance and security policies. These steps effectively implement the required compliance measures with minimal changes to the existing setup.

Discussion
GY23 Options: AC

Why choose E instead of A? Why do we need to enroll the computers in Defender for Endpoint (so that they appear in Endpoint DLP dashboard automatically), where in fact we can download the package of Endpoint DLP directly and onboard it on the endpoints? E doesn't make any sense to me. By answering E, you are adding another solution (MDE) which is not even required. Answer is AC

oberte007

Answer A is also another solution, but the given answer (C and E) is the simplest way because, by enrolling devices in Defender for Endpoint, you will be able to centrally deploy all DLP policies on them by group, as devices enrolled in Defender for Endpoint can be managed from the Microsoft 365 compliance center where you set your DLP policies. So CE are good answers.

BieLey

But that will cause more changes, since the devices already have a third-party malware solution. More administrative effort is the right answer in this question. AC

JCkD4Ni3L Options: CE

Here is my take on this. In order to deploy and manage Endpoint DLP you require a trust type (Hybrid Azure AD joined, AADJ or AADR) (https://learn.microsoft.com/en-us/microsoft-365/compliance/device-onboarding-overview?view=o365-worldwide#prepare-your-windows-devices). Since Fabrikam already syncs with AAD, the changes required to achieve Hybrid AADJ are minimal. (C) MDE is not configured by default, but in this scenario it should be done to minimize the changes required to achieve the solution. Fabrikam already has MCAS deployed with all the necessary connectors to their cloud applications. One of the requirements for MCAS, Cloud Discovery, requires Defender for Endpoint (https://learn.microsoft.com/en-us/defender-cloud-apps/get-started#step-4-set-up-cloud-discovery). (E) So answers are good (CE)

pheb

It states that Azure AD Connect is set up - by default there is no Hybrid Azure AD join. So I would say the answer is correct: Hybrid Azure AD join followed by the enrollment in Defender for Endpoint.

MahmoudEldeep

I think the correct answer is A, C

Amin4799 Options: AC

A. Deploy a Microsoft 365 Endpoint data loss prevention (Endpoint DLP) configuration package to the computers. Endpoint DLP allows you to monitor and control data loss from organizational devices. This directly addresses the need to enforce DLP policies on these machines.

Domza Options: AE

Please read before posting. Not very helpful. AE - correct ones. With love~

EM1234

I agree with this. It is what the test is actually testing. I think the "modern work / desktop admin" types are overthinking the "least possible changes" aspect. It is testing if you understand you need to connect with MDE (or Purview onboarding, which is not an option) and to use DLP.

Shachar_Nativ Options: AC

If I'm interpreting this correctly; A- Deploy package to endpoints (can be achieved via GPO in this case since endpoints are domain joined). C- Hybrid AD join is configured via AD Connect, which doesn't impact devices directly. Only way that has no impact on endpoints and both A and C directly correlate as C is a requirement for A to work.

phony

I think you are right because of this sentence in the testlet: -All DLP policies must be applied to computers that run Windows 10, with the least possible changes to the computers.

ivzdf Options: BD

Device onboarding is shared across Microsoft 365 and Microsoft Defender for Endpoint (MDE). If you've already onboarded devices to MDE, they will appear in the managed devices list and no further steps are necessary to onboard those specific devices. All devices must be one of these: Azure Active Directory (Azure AD) joined, Hybrid Azure AD joined, AAD registered. https://learn.microsoft.com/en-us/microsoft-365/compliance/device-onboarding-overview?view=o365-worldwide#onboard-windows-10-and-windows-11-devices-into-microsoft-365-overview

wooyourdaddy Options: AC

I wrote the exam today, this question was on it, I chose AC, scored 890!

jkklim Options: CE

ANSWER IS CE. All DLP policies must be applied to computers that run Windows 10, with the least possible changes to the computers. Requirement is LEAST POSSIBLE CHANGES. Enroll into MS DEFENDER FOR ENDPOINT PROTECTION IS FASTER AND EFFORTLESS COMPARED TO USING DEPLOYMENT PACKAGE WHICH IS WHY I CHOOSE - E for C - is it common sense

ExamReviewerIZ

Answer is AC. As you said "LEAST POSSIBLE CHANGES" and not "LEAST ADMINISTRATION EFFORT OR OVERHEAD". These computers already have a third-party malware solution; if you add them to Microsoft Defender for Endpoint that's going to cause a lot of changes. That's not what we want.

Senior

You are totally right. The answers are A and C. The enrollment of devices into MS Defender for Endpoint is using the same steps as DLP for endpoint (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding?view=o365-worldwide). So why would you enroll a device into MS Defender for Endpoint to achieve the enrollment of the device in Endpoint DLP???

EM1234 Options: AE

It is what the test is actually testing. I think the "modern work / desktop admin" types are overthinking the "least possible changes" aspect. It is testing if you understand you need to connect with MDE (or Purview onboarding, which is not an option) and to use endpoint DLP.

Davidf Options: AC

The answer is AC - why? If you onboard the devices to Defender for Endpoint then you need to add exclusions to DFE for the current AV, and for DFE to the current AV, hence there are additional changes required to the client devices