SC-100 Question #68: Real Exam Question with Answer & Explanation

Question

You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled. The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019. You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application. Which security control should you recommend?

Options

• AAzure Active Directory (Azure AD) Conditional Access App Control policies
• BOAuth app policies in Microsoft Defender for Cloud Apps
• Capp protection policies in Microsoft Endpoint Manager
• Dapplication control policies in Microsoft Defender for Endpoint

Explanation

{"question_number": 4, "correct_answer": "D", "explanation": "The correct answer is D: application control policies in Microsoft Defender for Endpoint. Defender for Endpoint uses Windows Defender Application Control (WDAC) policies to enforce an allowlist of authorized applications on Windows Server 2019 VMs. When an unauthorized application attempts to execute or install, it is automatically blocked and an alert is raised for administrator review. This matches the requirement of automatic blocking with a path to authorization. Conditional Access App Control (A) governs cloud app sessions, OAuth app policies (B) manage third-party app permissions in Defender for Cloud Apps, and app protection policies in Endpoint Manager (C) manage data protection within mobile apps-none of these control which executables can run on a Windows Server VM.", "generated_by": "claude-sonnet", "llm_judge_score": 4}

No community discussion yet for this question.