Domain 1 of 4 · Chapter 2 of 4

Manage Assets and Environments

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security Operations Analyst Associate premium course — no separate purchase.

Included in this chapter:

  • Find the gap first: managed, unmanaged, unprotected
  • Device groups: membership, RBAC scope, rank order
  • Automation levels and AIR
  • Discovering unprotected cloud resources with Defender for Cloud
  • Defender Vulnerability Management: rank and remediate
  • Exposure Management in Defender XDR
  • Exam-pattern recognition

Asset and exposure tools: which surface answers which question

QuestionDevice inventory (MDE)Defender for CloudDefender Vulnerability ManagementExposure Management (XDR)
Primary scopeOnboarded + discovered endpointsAzure, AWS, GCP, on-prem workloadsSoftware, CVEs, misconfigs on devicesAttack paths across the whole estate
Finds the gapUnmanaged / undiscovered devicesResources with no Defender planUnpatched, vulnerable softwareExposed critical assets and chokepoints
Ranks byOnboarding status, risk levelSecure Score recommendationsExposure score, Secure Score for DevicesAttack-path and critical-asset criticality
Acts viaOnboard, isolate, AIREnable plan, apply recommendationRemediation request to IntunePrioritized recommendations, not direct fix
Question it answersIs this device monitored?Is this cloud resource protected?Which weakness do I patch first?Which exposure breaks the most paths?

Decision tree

What is the concern?endpoint / cloud / exposureEndpoint job?Defender for EndpointRank what to fix?device vs environmentDefender for Cloudcoverage, no plan = gapendpointcloudexposureDevice discoveryfind unmanaged devicesDevice group + RBACscope analyst accessGroup automation levellimit AIR on a subsetno sensorscope accesslimit auto-fixVulnerability Mgmtper-device, exposure scoreExposure Managementattack paths, critical assetsone devicewhole estate

Cheat sheet

  • An unmanaged device is discovered but has no sensor, so Defender cannot act on it
  • Device discovery uses onboarded endpoints as sensors; Standard probes, Basic is passive
  • A device group bundles membership, RBAC scope, and automation level together
  • Device-group membership is first-match-wins by rank
  • Device-group membership rules match on tag, name, domain, or OS
  • Device groups map to Entra ID groups to scope analyst access
  • A device group's automation level decides how far AIR remediates without approval
  • Microsoft recommends Full automation as the default for most estates
  • Three semi-automation levels differ by which folders need approval
  • Defender for Cloud inventory and coverage find resources with no Defender plan
  • Defender for Cloud is multicloud across Azure, AWS, and GCP
  • Attack-path analysis of cloud resources needs the paid Defender CSPM plan
  • MDVM ranks device weaknesses by exposure score; lower is better
  • Exposure score and Secure Score for Devices measure opposite things
  • MDVM Request remediation creates a task in Microsoft Intune
  • Core MDVM ships with Defender for Endpoint P2; baselines and app-blocking are the add-on
  • Exposure Management ranks attack paths across the whole estate, not one device
  • Remediating a chokepoint breaks many attack paths at once
  • Marking assets critical weights Exposure Management toward business impact
  • Exposure Management prioritizes; the fix happens in the owning product
  • Exposure Management reports posture through initiatives tracked by metrics
  • The Ungrouped devices (default) group: rank/deletion fixed, but remediation level and access editable

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. https://learn.microsoft.com/en-us/defender-endpoint/machines-view-overview
  2. https://learn.microsoft.com/en-us/defender-endpoint/device-discovery
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction
  4. https://learn.microsoft.com/en-us/defender-endpoint/machine-groups
  5. https://learn.microsoft.com/en-us/defender-endpoint/automation-levels
  6. https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-cloud-security-posture-management
  7. https://learn.microsoft.com/en-us/azure/defender-for-cloud/asset-inventory
  8. https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls
  9. https://learn.microsoft.com/en-us/defender-vulnerability-management/defender-vulnerability-management
  10. https://learn.microsoft.com/en-us/defender-endpoint/tvm-exposure-score
  11. https://learn.microsoft.com/en-us/defender-endpoint/tvm-microsoft-secure-score-devices
  12. https://learn.microsoft.com/en-us/security-exposure-management/microsoft-security-exposure-management