
SC-100 Question #169: Real Exam Question with Answer & Explanation

The correct answer is B: application control policies in Microsoft Defender for Endpoint.

Design security solutions for infrastructure

Question

You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled. The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019. You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application. Which security control should you recommend?

Options

  • A. app registrations in Azure AD
  • B. application control policies in Microsoft Defender for Endpoint
  • C. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
  • D. Azure AD Conditional Access App Control policies

Explanation

Correct answer: B

Application control policies in Microsoft Defender for Endpoint leverage Windows Defender Application Control (WDAC) and/or AppLocker to create an allowlist of authorized applications. When an unauthorized application attempts to run or install, it is automatically blocked until an administrator explicitly authorizes it, which exactly matches the stated requirement.

Option A (app registrations in Azure AD) is for registering apps for OAuth/OIDC authentication, not for controlling which executables run on a VM. Option C (Defender for Cloud Apps anomaly detection) monitors cloud app usage and doesn't enforce local application execution control. Option D (Conditional Access App Control) governs access to cloud-based SaaS applications, not binaries running locally on Windows Server VMs.

Topics

#Application Control #Microsoft Defender for Endpoint #Endpoint Security #Virtual Machines
