Microsoft SC-900 Exam With Confidence Using Practice Dumps

In Microsoft Defender for Endpoint, attack surface reduction (ASR) is described as the first defensive layer in the protection stack, and Network protection is a core ASR capability. Microsoft’s documentation states that “Attack surface reduction provides the first line of defense in the stack.” It further explains that these capabilities are designed to reduce opportunities for compromise before malware can run or persistence can be established. Within ASR, Microsoft specifically defines Network protection as a feature that “helps reduce the attack surface of your devices from Internet-based events.” Microsoft also clarifies how it works: “It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.”

Because the question asks for the feature in Defender for Endpoint that delivers the first line of defense by reducing the attack surface, the applicable ASR capability is Network protection. It proactively blocks access to known malicious IPs, domains, and URLs, shrinking the exploitable surface area and thereby reducing risk before an attack can execute. By contrast, automated investigation and automated remediation act after detections to contain and fix issues, and advanced hunting is an analyst-driven, query-based detection and investigation tool—not an attack-surface–reduction control. Hence, Network protection is the correct choice.

Microsoft 365 Endpoint Data Loss Prevention (Endpoint DLP) extends DLP controls to endpoints. Microsoft documentation describes Endpoint DLP as applying protections on “Windows 10/11 devices” (and, in current guidance, also macOS). The feature monitors and restricts actions like copying to USB, printing, or uploading to the web when sensitive items are involved. Importantly, Microsoft does not document Endpoint DLP support for iOS or Android; those platforms are governed through app protection policies in Intune and Microsoft Defender for Endpoint mobile capabilities, not Endpoint DLP. Given the answer choices provided, the only correct option that aligns with Microsoft’s Endpoint DLP platform support and excludes unsupported mobile OSs is Windows 10 only (noting that Microsoft also supports Windows 11 and macOS today, which are absent from the choices). Therefore, among the listed options, Windows 10 only is the correct selection because Endpoint DLP does not run on iOS or Android.

Endpoint data loss prevention (Endpoint DLP), a feature in Microsoft Purview, supports Windows 10 and 11 and now also supports macOS for core DLP capabilities. It allows organizations to monitor and restrict actions like copying sensitive files to USBs, printing, or uploading to unapproved cloud services.

SCI Extract: "Endpoint DLP extends Microsoft Purview Data Loss Prevention to Windows 10, Windows 11, and macOS devices, allowing for monitoring and control of sensitive data usage at the endpoint."

Other platforms like Linux, iOS, and Android are not currently supported for Endpoint DLP