Learn how Microsoft Defender for Endpoint applies IP address indicator blocking rules to devices based on their assigned device groups. Understand the behavior for Windows and Android devices.
Question
You have a Microsoft 365 E5 subscription.
You have devices onboarded to Microsoft Defender for Endpoint as shown in the following table.
Name | Platform |
---|---|
Device1 | Windows 11 |
Computer2 | Windows 11 |
Device3 | Android |
You create the device groups shown in the following table.
Rank | Name | Matching rule |
---|---|---|
1 | Group1 | Name Starts with Dev |
2 | Group2 | OS In Windows 11 |
Last | Ungrouped device (default) | Not applicable |
IP address indicators are defined as shown in the following table.
IP address | Action | Scope |
---|---|---|
131.107.10.50 | Block | Group2 |
20.30.40.50 | Block | Group1 |
2.23.10.15 | Block | UnassignedGroup |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Statements:
- Defender for Endpoint blocks access to IP address 20.30.40.50 from Device1.
- Defender for Endpoint blocks access to IP address 2.23.10.15 from Computer2.
- Defender for Endpoint blocks access to IP address 131.107.10.50 from Computer3.
Answer
Defender for Endpoint blocks access to IP address 20.30.40.50 from Device1: Yes
Defender for Endpoint blocks access to IP address 2.23.10.15 from Computer2: No
Defender for Endpoint blocks access to IP address 131.107.10.50 from Computer3: No
Explanation
Yes, Defender for Endpoint blocks access to IP address 20.30.40.50 from Device1.
Explanation: The name Device1 starts with “Dev”, so the device matches the rule for Group1, which has a rank of 1. Group1 has a block rule defined for IP address 20.30.40.50, so access to this IP will be blocked from Device1.
No, Defender for Endpoint does not block access to IP address 2.23.10.15 from Computer2.
Explanation: The IP address 2.23.10.15 has a block action scoped to the “UnassignedGroup”. However, no such group is defined in the device groups table. Computer2 matches Group2 based on its OS being Windows 11. Since Computer2 is assigned to a defined group, the block rule for the undefined “UnassignedGroup” does not apply.
No, Defender for Endpoint does not block access to IP address 131.107.10.50 from Computer3.
Explanation: The block rule for 131.107.10.50 is scoped to Group2, which matches devices running Windows 11. Computer3 is an Android device, so it does not match the criteria for Group2 and will not have that block rule applied. The device groups are evaluated in rank order, and Computer3 does not match the higher-ranked Group1 either, so it falls into the “Ungrouped device (default)” group, which has no block rules defined.
In summary, Defender for Endpoint will apply the IP address block rules based on the device group assignments, which are determined by the matching rules and rank order. Block rules scoped to undefined groups will not apply. The device platform also factors into group matching.
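The reasoning above can be checked with a small model of rank-ordered group assignment. This is an added example, not Microsoft's code or API: the function names are hypothetical, the third device uses the name and platform given in the statements and explanation (Computer3, Android), and it assumes each device lands only in the highest-ranked group it matches.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    os: str


# Device groups from the question: (rank, name, matching rule). Lower rank wins.
GROUPS = [
    (1, "Group1", lambda d: d.name.startswith("Dev")),  # Name Starts with Dev
    (2, "Group2", lambda d: d.os in {"Windows 11"}),    # OS In Windows 11
]
DEFAULT_GROUP = "Ungrouped device (default)"

# IP address indicators from the question: address -> (action, scope).
INDICATORS = {
    "131.107.10.50": ("Block", "Group2"),
    "20.30.40.50": ("Block", "Group1"),
    "2.23.10.15": ("Block", "UnassignedGroup"),
}

# Devices as named in the statements (assumption: Computer3 is the Android device).
DEVICES = [
    Device("Device1", "Windows 11"),
    Device("Computer2", "Windows 11"),
    Device("Computer3", "Android"),
]


def assign_group(device: Device) -> str:
    """Return the single group a device lands in: the first match by rank."""
    for _rank, name, matches in sorted(GROUPS, key=lambda g: g[0]):
        if matches(device):
            return name
    return DEFAULT_GROUP


def is_blocked(device: Device, ip: str) -> bool:
    """A block indicator applies only when its scope is the device's group."""
    action, scope = INDICATORS.get(ip, (None, None))
    return action == "Block" and scope == assign_group(device)


def evaluate() -> dict:
    """Blocked/not-blocked result for every device and indicator pair."""
    return {(d.name, ip): is_blocked(d, ip) for d in DEVICES for ip in INDICATORS}


if __name__ == "__main__":
    for (name, ip), blocked in evaluate().items():
        print(f"{name:10} {ip:15} {'Block' if blocked else 'No match'}")
```

The model also shows a case the statements do not ask about: Device1 runs Windows 11 but is claimed by Group1 first, so the Group2-scoped indicator for 131.107.10.50 does not apply to it.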