Microsoft 365 Administrator — Question 344

You have a Microsoft 365 tenant that contains a Windows 10 device. The device is onboarded to Microsoft Defender for Endpoint.

From Microsoft 365 Defender portal, you perform a security investigation.

You need to run a PowerShell script on the device to collect forensic information.

Which action should you select on the device page?

Answer options

• A. Collect investigation package
• B. Go hunt
• C. Initiate Live Response Session
• D. Initiate Automated Investigation

Correct answer: C

Explanation

The correct choice is C, 'Initiate Live Response Session', which allows you to run scripts and commands directly on the device for forensic purposes. The other options, while related to investigations, do not provide the capability to execute PowerShell scripts on the device in real-time.