Exam SC-100 topic 7 question 2 discussion

In the current Exam it takes 2 choices!! I took both onboarding choices (A & D)

A is correct: A = Go to MDC > recommendations > Search for = Machines should have a vulnerability assessment solution > select a vm > Fix > and you will be prompted to deploy the integrated vulnerabilty scanner powered by Qualys B = The question talks about "The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution." > This has NOTHING to do with MDE C = The question talks about "The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution." > This has NOTHING to do with MEM and device compliance. D = Since these 20 vms are mentioned in the Azure Enviroment - Azure Arc is not required NOT D

AD 20 virtual machines are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud. Onboarding them via Azure Arc brings these machines under Defender for Cloud, enabling built-in vulnerability scanning.

If one answer then its B; if two answers then B+C A is deprecated (Enable vulnerability scanning with the integrated Qualys scanner (deprecated))

vulnerability scanning with the integrated Qualys scanner is already deprecated. You should go with answer of B. Onboard to defender for endpoint since it supports vulnerability assessment.

A. Enable the Qualys scanner in Defender for Cloud. B. Onboard the virtual machines to Microsoft Defender for Endpoint. https://www.youtube.com/watch?v=r-P-2lGzPFQ&list=PLQ2ktTy9rklhzzkSEZvDZT4QSIVUQZD-Y&index=9

To resolve the virtual machine issue and ensure that they are compliant with the HIPAA HITRUST standard, you should: B. Onboard the virtual machines to Microsoft Defender for Endpoint. Here's how this recommendation aligns with the requirements: Microsoft Defender for Cloud does not offer direct vulnerability scanning for virtual machines, but Microsoft Defender for Endpoint does. By onboarding the virtual machines to Microsoft Defender for Endpoint, you can enable vulnerability assessments and remediation for those virtual machines. This addresses the requirement for the virtual machines to be compliant in Defender for Cloud. Enabling vulnerability assessments through Microsoft Defender for Endpoint will help to address the secure score recommendation regarding the virtual machines needing a vulnerability assessment solution.

A: . If you're using Microsoft Defender for Cloud’s standard tier for VMs, you can quickly deploy a vulnerability assessment solution powered by Qualys with no additional configuration or extra costs.

The answer is A, you to have a Qualys vulnerability scanner not just Defender for Cloud.

A is the answer. https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm When a machine is found that doesn't have a vulnerability assessment solution deployed, Defender for Cloud generates the security recommendation: Machines should have a vulnerability assessment solution. Use this recommendation to deploy the vulnerability assessment solution to your Azure virtual machines and your Azure Arc-enabled hybrid machines. Defender for Cloud includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud. This page provides details of this scanner and instructions for how to deploy it.

Focusing on the VM issue with vuln scanning.

I was thinking it should B but after reading the below section i have noticed that it really is A: The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution. If all of the machines should have a vulnerability assessment solution then you should enable the Vulnerability access solution ...

Answer A & B are correct, IMHO. From https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm Answer A is correct because of "Defender for Cloud includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud. This page provides details of this scanner and instructions for how to deploy it." Answer B is correct because of "If you don't want to use the vulnerability assessment powered by Qualys, you can use Microsoft Defender for Endpoint's threat and vulnerability management or deploy a BYOL solution with your own Qualys license, Rapid7 license, or another vulnerability assessment solution."

Answer A is correct, Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines, https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm

I will go for B as (IMHO) Qualys is for vulnerability and hotfix management

Defender for EndPoint does not have server licenses and those VMs are servers. So won’t be B.

As per answer, issue is they are NOT onboarded to Defender for Cloud