KT-EPS Antivirus status

GPO audit shows 18% of laptops with Defender disabled by local admin tools. Fix?

Multiple choice — select one answer

Answer choices

  1. a. Allow users to disable AV during presentations without logging events, without security or identity team coordination per policy.
  2. b. Whitelist all unsigned drivers to prevent future Defender alerts, without security or identity team coordination per policy.
  3. c. Remove AV entirely on those laptops to improve boot time for sales staff
  4. d. Enforce tamper protection via policy and investigate who disabled protection

Architectural breakdown & explanation

Disabled endpoint protection is a critical finding; restore centrally managed AV/EDR.

Correct answer(s): d. Enforce tamper protection via policy and investigate who disabled protection

Exam domain: Antivirus status (20% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Endpoint Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.