Microsoft 365 Mobility and Security (legacy) — Question 71

You have a Microsoft 365 tenant that contains a Windows 10 device. The device is onboarded to Microsoft Defender for Endpoint.
From Microsoft Defender Security Center, you perform a security investigation.
You need to run a PowerShell script on the device to collect forensic information.
Which action should you select on the device page?

Answer options

Correct answer: A

Explanation

The correct answer is A, 'Initiate Live Response Session': this action lets you run a PowerShell script directly on the device to collect forensic data. Options B and C do not provide the capability to run scripts, and option D is geared more toward threat hunting than direct forensic action.