AZ-500 Question #300: Real Exam Question with Answer & Explanation

The correct answer is C: the Azure Arc enabled servers Connected Machine agent.

Submitted by skyler.x · Mar 6, 2026 · Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel

Question

You have 10 on-premises servers that run Windows Server 2019. You plan to implement Azure Security Center vulnerability scanning for the servers. What should you install on the servers first?

Options

  • A. the Security Events data connector in Azure Sentinel
  • B. the Microsoft Endpoint Configuration Manager client
  • C. the Azure Arc enabled servers Connected Machine agent
  • D. the Microsoft Defender for Endpoint agent

Explanation

Azure Security Center Vulnerability Scanning for On-Premises Servers

To extend Azure Security Center (Microsoft Defender for Cloud) capabilities to on-premises servers, you must first install the Azure Arc Connected Machine agent, which "Arc-enables" the servers and registers them as Azure resources. Without Arc, on-premises machines cannot be managed, monitored, or scanned by Azure Security Center, as the service requires servers to appear as Azure resources in your subscription.

Why the distractors are wrong:

  • Option A (Azure Sentinel data connector) is used for log ingestion and SIEM/SOAR purposes, not vulnerability scanning prerequisites
  • Option B (Microsoft Endpoint Configuration Manager client) is a software deployment/management tool and has no direct role in enabling Azure Security Center vulnerability scanning
  • Option D (Microsoft Defender for Endpoint agent) may be deployed after Arc onboarding as part of Defender for Servers, but it is not the first required step for on-premises machines

Memory Tip: Think of Azure Arc as the "bridge" - before Azure can see or protect anything outside its own cloud, you must build a bridge (Arc) connecting your on-premises servers to Azure. No bridge = no Azure Security Center coverage. Arc always comes first for hybrid/on-premises scenarios.

Topics

#Azure Arc #Microsoft Defender for Cloud #Vulnerability Management #Hybrid Cloud
