
MS-102 Exam - Question 305


You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

From Automatic remediation in the Microsoft Defender portal, you set Automation level to Semi – require approval for non-temp folders for the endpoints.

You need to identify the impact of the Automation level setting on the endpoints.

Which two actions will occur based on the remediation settings? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.


Discussion

Ody
Nov 10, 2024

Correct answer is given: B and D. Go here to view how they define "temporary": https://learn.microsoft.com/en-us/defender-endpoint/automation-levels#levels-of-automation

BigO76
Jan 4, 2025

B. Devices will be remediated automatically if a threat is detected in the \program files (X86)\* folder. The \program files (X86)\* folder is classified as a temporary folder under the automation level definitions. This means threats detected in this folder are remediated automatically without requiring approval.
D. Devices will be remediated automatically if a threat is detected in the \users\*\downloads\* folder. The \users\*\downloads\* folder is also classified as a temporary folder, so threats in this location are remediated automatically.
C. The \windows\ directory is not classified as a temporary folder, but its subdirectory \windows\temp\* is. Since the question specifically references \windows\, it would require approval under the "Semi – require approval for non-temp folders" setting.

004b54b
Apr 9, 2025

Link provided by Ody proves that answer is B + D

kaspen
Options: AD
Dec 24, 2024

Devices will be remediated only after end-user approval for non-temporary folders such as the \program files (X86)\* and \windows\ folders. This aligns with the need for manual approval for actions in non-temporary folders to prevent unintended disruptions.
Devices will be remediated automatically if a threat is detected in the \users\*\downloads\* folder. The Downloads folder is typically considered a temporary location, and automatic remediation can be applied without requiring manual approval.
Correct Answers: A, D.

justITtopics
Jan 28, 2025

No, because "\program files (x86)\*" is considered a temporary folder (which is very confusing in this case), so the remediations in this folder will be automatic, without end-user approval. "\windows\*" is a core folder and "\windows\temp\*" is temporary.

HelloItsSam
Oct 20, 2024

Seems correct https://learn.microsoft.com/en-us/defender-endpoint/automation-levels

justITtopics
Nov 4, 2024

That seems correct, but the link you provided says: With this level of semi-automation, approval is required for any remediation actions needed on files or executables that aren't in temporary folders. Remediation actions can be taken AUTOMATICALLY on files or executables that are in temporary folders. Pending actions for files or executables that aren't in temporary folders can be viewed and APPROVED in the Action Center, on the Pending tab. So I think there is a lack of a right option here and the only correct one would be A. Devices are remediated only after end-user approval.
B. is an automatic remediation for non-temp folder
C. is a core folder
D. is an automatic remediation for non-temp folder

wafferrr
Options: AC
Feb 17, 2025

\Windows\* is not a temp folder but rather a core folder... Core is covered in "Semi - require approval for core folders remediation", which was not selected in this question.

004b54b
Options: BD
Apr 9, 2025

Link provided by Ody proves that answer is B + D

skids222
Options: BD
Apr 16, 2025

ChatGPT o1 using below link as a resource (B and D): Semi‐automated remediation automatically cleans threats in recognized system folders (such as “\Windows” and “\Program Files…”), while requiring approval for non‐system (e.g., user) paths. Therefore, the two correct answers are:
B. Devices will be remediated automatically if a threat is detected in the “\program files (X86)*” folder.
C. Devices will be remediated automatically if a threat is detected in the “\windows\” folder.
All other user folders (including “\users*\downloads*”) require manual approval before remediation.
https://learn.microsoft.com/en-us/defender-endpoint/automation-levels#levels-of-automation

skids222
Apr 16, 2025

Sorry, meant to say B & C: Under Semi automation (“Require approval for remediation in non-temp folders”), Microsoft Defender for Endpoint will automatically remediate threats in recognized system folders (for example, \Windows\ and \Program Files (x86)\) but requires approval for user folders (for example, \Users\<username>\Downloads\). Accordingly:
• \Windows\ is a recognized system folder. Threats here are automatically remediated.
• \Program Files (x86)\ is also a recognized system folder. Threats here are automatically remediated.
• \Users\<username>\Downloads\ is a user folder, so approval is required before remediation.
Hence, the two folders that are automatically remediated under Semi automation are:
\Windows\
\Program Files (x86)\