SC-100 Question #213: Real Exam Question with Answer & Explanation

Question

You have a Microsoft 365 subscription and an Azure subscription. Microsoft Defender XDR and Microsoft Defender for Cloud are enabled. The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019. You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application. Which security control should you recommend?

Options

• Aapp registrations in the Microsoft Entra tenant
• BOAuth app policies in Microsoft Defender for Cloud Apps
• Capp protection policies in Microsoft Endpoint Manager
• Dapplication control policies in Microsoft Defender for Endpoint

Explanation

{"question_number": 9, "correct_answer": "D", "explanation": "Application control policies in Microsoft Defender for Endpoint use Windows Defender Application Control (WDAC) to create allowlists of authorized applications. When an unauthorized application attempts to run or be installed on a Windows Server 2019 VM, WDAC blocks it automatically-no administrator action needed until they explicitly authorize the application. This matches both requirements: only authorized apps run, and unauthorized ones are blocked automatically. App registrations in Entra (A) are for cloud application identity, not controlling what executes on a server OS. OAuth app policies in Defender for Cloud Apps (B) govern SaaS app access, not VM-level execution control. App protection policies in Microsoft Endpoint Manager (C) are designed for mobile application management (MAM) on end-user devices, not server-side application execution control.", "generated_by": "claude-sonnet", "llm_judge_score": 4}

No community discussion yet for this question.