You have 10 on-premises servers that run Windows Server 2019. You plan to implement Azure Security Center vulnerability scanning for the servers. What should you install on the servers first?
A. the Azure Arc enabled servers Connected Machine agent
B. the Microsoft Defender for Endpoint agent
C. the Security Events data connector in Azure Sentinel
D. the Microsoft Endpoint Configuration Manager client
Since the question is talking about on-prem, it is Option A.
Microsoft Defender for Endpoint is a separate solution that is not required for this, as the question mentions ASC (aka Defender for Cloud).
A. Azure Arc enabled servers Connected Machine agent:
Azure Arc extends Azure management and services to on-premises, multi-cloud, and edge environments.
Azure Arc enabled servers allows you to manage on-premises servers like they are part of Azure, enabling Azure features such as Azure Security Center vulnerability scanning, monitoring, and management.
This is the correct choice because the Connected Machine agent allows you to connect your on-premises servers to Azure Security Center and enable the vulnerability scanning feature.
Azure Arc-enabled servers lets you manage Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. To connect hybrid machines to Azure, you install the Azure Connected Machine agent on each machine. This agent doesn't replace the Azure Log Analytics agent / Azure Monitor Agent. The Log Analytics agent or Azure Monitor Agent for Windows and Linux is required in order to:
- Proactively monitor the OS and workloads running on the machine
- Manage it using Automation runbooks or solutions like Update Management
- Use other Azure services like Microsoft Defender for Cloud
https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview
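As an added illustration of the step the comment above describes (this is example code, not from the thread and not Microsoft's own onboarding script), the following PowerShell installs the Connected Machine agent on one Windows Server 2019 host and connects it to Azure Arc; it assumes the standard azcmagent CLI shipped with the agent, and every ID, resource group and region value is a placeholder. The Defender for Cloud vulnerability assessment itself is then enabled on the Azure side once the machine appears as an Arc-enabled resource.

```powershell
# Added example: onboard an on-premises server to Azure Arc-enabled servers.
# Run in an elevated PowerShell session on each of the servers.
# All values below are placeholders (assumption); replace with your own tenant values.
$TenantId       = "<tenant-id>"
$SubscriptionId = "<subscription-id>"
$ResourceGroup  = "<resource-group>"
$Location       = "<azure-region>"

$Msi   = Join-Path $env:TEMP "AzureConnectedMachineAgent.msi"
$Log   = Join-Path $env:TEMP "azcmagent-install.log"
$Agent = Join-Path $env:ProgramFiles "AzureConnectedMachineAgent\azcmagent.exe"

# 1. Download the Connected Machine agent installer from Microsoft's download alias.
Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile $Msi -UseBasicParsing

# 2. Install silently and wait for msiexec to finish, so the connect step
#    does not race the installer; keep a verbose log for troubleshooting.
$proc = Start-Process -FilePath "msiexec.exe" `
    -ArgumentList "/i `"$Msi`" /qn /l*v `"$Log`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Connected Machine agent install failed (exit code $($proc.ExitCode)); see $Log"
}

# 3. Connect the machine to Azure Arc. Without a service principal this prompts
#    for an interactive device-code sign-in. After this the server is an
#    Azure Arc-enabled machine that Defender for Cloud can manage and scan.
& $Agent connect `
    --resource-group  $ResourceGroup `
    --tenant-id       $TenantId `
    --location        $Location `
    --subscription-id $SubscriptionId `
    --cloud           "AzureCloud"
if ($LASTEXITCODE -ne 0) {
    throw "azcmagent connect failed with exit code $LASTEXITCODE"
}

# 4. Verify: 'azcmagent show' reports the agent status and the Azure resource
#    (subscription, resource group, resource name) the server now maps to.
& $Agent show
```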
A)
FROM MICROSOFT:
The integrated vulnerability assessment solution supports both Azure virtual machines and hybrid machines. To deploy the vulnerability assessment scanner to your on-premises and multicloud machines, connect them to Azure first with Azure Arc as described in Connect your non-Azure machines to Defender for Cloud.
A. the Azure Arc enabled servers Connected Machine agent
Explanation:
Azure Security Center vulnerability scanning for on-premises servers can be achieved using the Azure Arc enabled servers Connected Machine agent. This agent allows you to connect and manage your on-premises servers in Azure, and it's a prerequisite for enabling Security Center features like vulnerability assessment on these servers.
You can direct-onboard on-premises servers using Defender for Endpoint: https://learn.microsoft.com/en-us/azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint.
Since Windows Server 2019 is specified and we want to use the Vulnerability Assessment feature, which is supported by direct onboarding, I would go with B.
A is the answer.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview#supported-cloud-operations
When you connect your machine to Azure Arc-enabled servers, you can perform many operational functions, just as you would with native Azure virtual machines. Below are some of the key supported actions for connected machines.
- Protect non-Azure servers with Microsoft Defender for Endpoint, included through Microsoft Defender for Cloud, for threat detection, for vulnerability management, and to proactively monitor for potential security threats.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management#availability
Machine types:
- Azure virtual machines
- Azure Arc-enabled machines
A: https://docs.microsoft.com/en-us/azure/azure-arc/servers/overview
"To deliver this experience with your hybrid machines, you need to install the Azure Connected Machine agent on each machine. This agent does not deliver any other functionality, and it doesn't replace the Azure Log Analytics agent."
To deploy the vulnerability assessment scanner to your on-premises and multi-cloud machines, connect them to Azure first with Azure Arc as described in Connect your non-Azure machines to Defender for Cloud.
Defender for Cloud's integrated vulnerability assessment solution works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Defender for Cloud and no Log Analytics agent is required.
Source:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm
Because B says that you "install" an agent, which is nonsense as the agent is part of the OS. You can "onboard" the computer to Defender, but that is not what B says.