Exam PCDRA
Question 50

Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?

    Correct Answer: A

    To add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint, you would locate the Malware profile attached to the endpoint and, under Portable Executable and DLL Examination, add the hash to the allow list. This ensures the specific file hash is excluded from being examined by the malware detection mechanism.

Discussion
sharkk43 (Option: B)

I say B based on: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Add-an-IOC-or-BIOC-Rule-Exception "If you want to create a rule to take action on specific behaviors but also want to exclude one or more indicators from the rule, you can create an IOC or BIOC rule exception. An indicator can include the SHA256 hash of a process, process name, process path, vendor name, user name, causality group owner (CGO) full path, or process command-line arguments. For more information about these indicators, see Rules. For each exception, you also specify the rule scope to which the exception applies." "Select Settings → Exception Configuration → IOC/BIOC Suppression Rules. Click + New Exception. Specify a Rule Name and an optional Description. etc."

darylmaeb24 (Option: D)

I will go for D

deyabeel22 (Option: D)

D: Investigate Files: You can manage file execution on your endpoints by using file hashes that are included in your allow and block lists. If you trust a certain file and know it to be benign, you can add the file hash to the allow list and allow it to be executed on all your endpoints regardless of the WildFire or local analysis verdict. Similarly, if you want to always block a file from running on any of your endpoints, you can add the associated hash to the block list.

_tips (Option: D)

2.3.3 Outline malware protection flow https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcdra-study-guide.pdf Hash exception - A hash exception enables you to override the verdict for a specific file without affecting the settings in your Malware Security profile. The Hash Exception policy is evaluated first and takes precedence over all other methods to determine the hash verdict. The exception does not allow Hash value

Zubair2131 (Option: B)

It's B, as it's only asking to create an exception for a Windows endpoint. It can't be D, as it will create an exception for all endpoints regardless of the platform type.