Question 14 - Actual MS-102 Real Exam Questions [Jan 2026 Update]- Microsoft 365 Administrator

Q: 14

You have a Microsoft 365 tenant that contains a Windows 10 device. The device is onboarded to Microsoft Defender for Endpoint. From Microsoft Defender Security Center, you perform a security investigation. You need to run a PowerShell script on the device to collect forensic information. Which action should you select on the device page?

Options

Correct Answer:

Explanation

Live Response provides security operations teams with instantaneous remote access to a device through a shell connection. This capability allows for in-depth investigative work, such as running PowerShell scripts to collect forensic data, executing remediation actions, and gathering other artifacts in real-time. It is the designated feature within Microsoft Defender for Endpoint for interactively running commands and scripts on a specific device during an investigation.

Why Incorrect

B. Initiate Automated Investigation: This triggers an automated process that examines alerts and applies pre-defined remediation actions. It does not provide an interactive session for running custom scripts.

C. Collect investigation package: This action gathers a pre-defined set of forensic data from the device into a .zip file for offline analysis. It does not involve running custom PowerShell scripts.

D. Go hunt: This option navigates to the Advanced Hunting page with a pre-populated query for the specific device, allowing you to search for historical event data, not interact with the live device.

References

1. Microsoft Learn. "Investigate devices using Live Response in Microsoft Defender for Endpoint." Microsoft Docs. Under the "Live response commands" section

it explicitly lists run as a command to "Run a PowerShell script from the library." This confirms that Live Response is the correct feature for this task.

2. Microsoft Learn. "Take response actions on a device in Microsoft Defender for Endpoint." Microsoft Docs. This document provides an overview of response actions. The section "Live response" describes its purpose for deep investigative work and running scripts

distinguishing it from other actions like "Collect investigation package" which is for offline analysis.

3. Microsoft Learn. "Overview of Automated investigation and response (AIR) in Microsoft Defender for Endpoint." Microsoft Docs. This document explains that AIR is an automated feature that uses inspection algorithms and processes

which is distinct from the manual

interactive script execution required by the question.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE