Practice VCP-DCV vSphere Security questions with full explanations on every answer.
Start practicing
vSphere Security — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
An administrator is troubleshooting a situation where a virtual machine cannot be powered on. The error message indicates insufficient permissions. The VM is in a folder named 'Production' and the administrator has been assigned a custom role with 'Virtual machine > Power On' permission at the folder level. However, the VM is also in a resource pool. What additional permission is most likely missing?
2A security audit reveals that an ESXi host has been compromised due to an attacker gaining root access via the DCUI. The host is configured with a default DCUI password. Which security best practice should have been implemented to prevent this?
3A vSphere administrator needs to ensure that all HTTPS traffic to ESXi hosts is encrypted using TLS 1.2. Where should the administrator configure the minimum TLS version?
4An administrator is configuring a distributed switch and needs to ensure that all virtual machine traffic on a specific VLAN is isolated. The administrator creates a port group with VLAN ID 100. However, a security scanner reports that packets from this VLAN are appearing on other VLANs. Which security policy setting on the distributed switch should the administrator verify?
5A vSphere environment uses Active Directory for authentication. The administrator notices that users from a specific AD group cannot log in to the vCenter Server, although other AD users can. The group is added to vCenter Server with the correct permissions. What is the most likely cause?
6Which TWO actions are recommended to secure the vCenter Server Appliance (VCSA)?
7Which THREE security features are available in vSphere Trust Authority (vTA)?
8A multinational corporation runs a vSphere environment with 100 ESXi hosts managed by a single vCenter Server. The security team mandates that all virtual machine disks (VMDKs) must be encrypted at rest. The administrator enables vSphere Virtual Machine Encryption and creates a Key Management Server (KMS) cluster. After encrypting a test VM, the VM powers on successfully, but the administrator notices that the VM's configuration files (VMX, NVRAM) are not encrypted. The security policy requires that all VM files, including configuration files, be encrypted. The administrator checks the VM storage policy and sees that the policy is set to 'VM Encryption Policy' with 'Disk Encryption' enabled. What should the administrator do to ensure the entire VM is encrypted?
9A vSphere administrator needs to ensure that all virtual machine disks are encrypted at rest. The environment uses a KMS cluster with multiple KMIP-compliant servers. The administrator has already configured a storage policy with encryption enabled. However, newly created VMs on a particular datastore still show unencrypted disks. What is the most likely cause?
10A security audit reveals that a vCenter Server has weak TLS configuration. The administrator needs to enforce strong ciphers and disable SSLv3. Which two steps should the administrator take? (Choose two.)
11An administrator is troubleshooting a failed attempt to add an ESXi host to a vCenter Server domain. The error message states: 'The host's certificate has been tampered with or is invalid.' What is the most likely cause?
12A company has a vSphere environment with 20 ESXi hosts and 500 VMs. The security team mandates that all administrative access to vCenter Server must be through a single, highly restricted account with multi-factor authentication (MFA). The account must be used for both the vSphere Client and API integrations. Which step should the administrator take?
13A large financial institution runs a vSphere 7.0 environment with 100 ESXi hosts and 2,000 VMs. The security team has identified that several VMs are vulnerable to a critical side-channel attack that requires disabling hyperthreading on the ESXi hosts. The administrator needs to implement a solution that minimizes performance impact while ensuring compliance. The environment uses DRS clusters with varying workloads: some VMs are CPU-intensive (financial modeling) and others are memory-bound (database servers). The administrator cannot afford to take hosts offline for maintenance during business hours. The change must be implemented within 48 hours. Which course of action should the administrator take?
14A company is implementing vSphere 7.0 and wants to encrypt all vMotion traffic between ESXi hosts in a cluster. The cluster is not using any other encryption features. What is the minimum requirement to enable vMotion encryption?
15Which TWO actions are required to enable encrypted vSphere vMotion for all virtual machines in a cluster?
16Refer to the exhibit. An administrator runs the vmkfstools command on an ESXi host and views the output. Which conclusion can be drawn from the output?
17Order the steps to take a snapshot of a virtual machine.
18Match each vSphere networking component to its description.
19A company wants to integrate vCenter Server with an external identity source to allow users to authenticate using their corporate credentials. The administrator must ensure that authentication traffic is encrypted. Which solution should the administrator implement?
20An administrator is troubleshooting a failed VM encryption operation. The key provider status shows as 'Not Responding' in the vSphere Web Client. The administrator has verified network connectivity between the ESXi hosts and the key provider. What is the most likely cause of the failure?
21An organization is implementing vSphere Trust Authority for sensitive workloads. The administrator must configure the trusted ESXi hosts to attest to vCenter Server. Which component is responsible for performing attestation?
22A vSphere administrator wants to restrict direct console access to an ESXi host to authorized administrators only, without interrupting running virtual machines. Which feature should the administrator enable?
23An administrator needs to allow HTTP traffic from a specific management workstation to an ESXi host while blocking all other inbound traffic. The ESXi firewall uses the default ruleset. What should the administrator do?
24A vSphere environment uses VMCA for certificate management. An administrator needs to replace the certificate for vCenter Server with a custom CA-signed certificate. The custom CA root certificate must be trusted by all ESXi hosts. Which method should the administrator use to distribute the custom CA root certificate to ESXi hosts?
25An administrator has created a custom role named 'VM Power User' with permissions to power on and off virtual machines. The role is assigned to a group of users at the datacenter level. A user from that group reports they cannot power on a VM in a particular cluster. What is the most likely reason?
26An organization is deploying vCenter Server in a DMZ. Which security best practice should the administrator implement to protect the vCenter Server appliance?
27An administrator is configuring vSphere Native Key Provider (NKP) in a cluster. After enabling NKP, the administrator adds a VM and attempts to encrypt it, but receives an error that the key provider is not available. The cluster consists of three ESXi hosts. What is the most likely cause?
28Which TWO actions are required to enable vSphere VM encryption? (Choose two.)
29Which THREE security hardening measures should be applied to an ESXi host? (Choose three.)
30Which TWO statements about vCenter Single Sign-On (SSO) are true? (Choose two.)
31An administrator runs the command shown in the exhibit on a vCenter Server appliance. What is the primary purpose of the Machine ID?
32An administrator notices that HTTP connections to the ESXi host are timing out frequently. Based on the exhibit, which configuration change would most likely resolve the issue?
33An administrator configures permissions as shown in the exhibit. Users 'user1' and 'user2' are in the 'Limited' role which only allows 'Read' and 'Console interaction' privileges. User1 reports being unable to open a console to a VM running on host2.domain.com. What is the most likely cause?
34An administrator wants to prevent direct root access to an ESXi host via SSH and the DCUI. Which two configurations are necessary?
35A company requires all vMotion traffic to be encrypted. The vSphere administrator enables vMotion encryption at the cluster level. What else must be configured to ensure vMotion operations are encrypted?
36A vSphere administrator notices that after replacing the vCenter Server machine SSL certificate, all vCenter services start, but from one ESXi host, the vCenter Server appears as disconnected. Other hosts connect fine. What is the most likely cause?
37An administrator needs to grant a group of vSphere administrators the ability to create and delete snapshots, and also to power on and off VMs, but not to delete VMs. The administrators should also be able to view the virtual machine console. Which custom role should be created?
38An administrator wants to configure the ESXi host firewall to allow connections only from a specific management subnet. How can this be achieved?
39A vSphere environment uses vSAN and has VM encryption enabled. The administrator needs to recover a VM after an encrypted disk becomes corrupted. What is required?
40During a security audit, it is found that the vCenter Server is using the default self-signed certificate. The administrator is tasked to replace it with a certificate from an enterprise CA. What is the first step after obtaining the CA-signed certificate?
41An administrator wants to ensure that no user can view or modify VMs in a particular folder except the folder owner. What is the proper method to achieve this?
42A company uses an external Platform Services Controller (PSC) in a vSphere 6.7 environment. They plan to upgrade to vSphere 7.0. Which security-related consideration is most important?
43Which TWO of the following are best practices for securing ESXi hosts? (Choose two.)
44Which TWO of the following are required to configure vMotion encryption for a VM? (Choose two.)
45Which THREE of the following are prerequisites for configuring vSAN encryption? (Choose three.)
46An administrator runs the above command on an ESXi host. Which of the following is true about this host?
47A security administrator notices that a virtual machine (VM) running a legacy application is experiencing network connectivity issues after enabling Network I/O Control (NIOC) on the distributed switch. The VM is in a high-priority traffic class for management traffic. What is the most likely cause of the issue?
48During a security audit, it is discovered that a vCenter Server instance is using the default self-signed certificate. The company policy requires all certificates to be signed by an internal enterprise CA. An administrator has imported the CA chain into the VMware Endpoint Certificate Store (VECS) and generated a Certificate Signing Request (CSR). After receiving the signed certificate from the CA, which additional step is required to complete the certificate replacement?
49A vSphere administrator wants to prevent users in a custom role from powering off virtual machines that have Fault Tolerance enabled. Which privilege must be removed from the custom role?
50An organization is using vSphere Trust Authority (vTA) to secure ESXi hosts. A newly added ESXi host fails to attest with the Trust Authority. The administrator verifies that the host is connected to the vTA cluster and the trust relationship is configured. What is the most likely cause of the attestation failure?
51A company uses vSphere with Tanzu to run container workloads. The security team requires that all container traffic between namespaces be encrypted. What is the best approach to achieve this?
52An administrator needs to lock down an ESXi host for FIPS 140-2 compliance. Which step must be taken?
53During a vulnerability scan, an ESXi host is found to have the SSLv3 protocol enabled. The administrator wants to disable SSLv3 and enforce TLS 1.2 for all network services on the host. Which approach is most effective?
54A vSphere administrator is preparing for a PCI DSS audit. The auditor requires that all virtual machine disks be encrypted at rest. The environment uses vSAN with storage policies. Which storage policy-based management (SPBM) rule should be applied to ensure encryption?
55An administrator needs to ensure that a service account used for vCenter Server backups has the minimum required privileges. The account should only be able to perform backup and restore operations. Which role should be assigned?
56Which TWO of the following are valid methods to restrict access to the ESXi host's Direct Console User Interface (DCUI) to authorized administrators only?
57Which THREE of the following are required components for setting up a vSphere Trust Authority (vTA) cluster?
58Which TWO of the following are best practices for securing a vSphere environment against ransomware attacks?
59A company runs a critical e-commerce platform on a vSphere 7 cluster with ESXi hosts connected to a vSAN datastore. The environment uses vSphere Trust Authority (vTA) and VM encryption with an external KMS. Recently, after a successful vTA attestation, one of the VMs (WebServer-01) failed to power on with the error: 'Unable to decrypt the encrypted virtual machine upon re-registration. Reason: The KMS server is unreachable.' The administrator verifies that other encrypted VMs on the same host power on successfully. The KMS cluster consists of two servers: KMS-01 and KMS-02, both accessible from the management network. The administrator checks the VM's configuration and finds that it uses a custom storage policy with encryption. What is the most likely cause of this specific VM's failure?
60A vSphere administrator needs to restrict access to a specific cluster so that only the storage team can manage datastores. The storage team members are in a group called 'storage_team' in Active Directory. What is the best practice to achieve this?
61A vCenter Server's SSL certificate has expired, causing all ESXi hosts to display a certificate warning and some management tasks to fail. The administrator needs to restore secure communication with minimal disruption. Which action should the administrator take?
62An administrator is configuring vSphere Trust Authority (vTA) to secure ESXi hosts in a sensitive environment. Which TWO components are required for a vTA deployment? (Choose two.)
63A company is implementing vSphere with Tanzu for containerized workloads. To secure the workload management plane, which THREE security features should be configured? (Choose three.)
64A financial institution operates a vSphere 7 environment with 1,000 VMs, many of which process sensitive data. The security team mandates VM encryption at rest using a Key Management Server (KMS) cluster. The administrator has configured the KMS cluster as a key provider in vCenter and enabled encryption on a test VM, which works correctly. However, after adding a new ESXi host to the cluster and attempting to power on a previously encrypted VM, the VM fails to start with the error: 'Key provider unavailable for host <hostname>.' The new host is correctly licensed for encryption and has network connectivity to the KMS. The administrator verifies that the KMS cluster is operational and that other hosts can power on encrypted VMs. What is the most likely cause of this issue?
65A vSphere administrator is troubleshooting a permissions issue. A user named 'backup_admin' is a member of the AD group 'Backup Operators'. The group has been assigned a custom role at the datacenter level with the following privileges: Virtual machine > Provisioning > Create snapshot, Virtual machine > State > Create, Revert, Remove snapshot. The user can see all VMs in the 'Production' folder but cannot see VMs in the 'Development' folder, even though both folders are under the same datacenter. The administrator confirms that no other permissions exist for this user or group, and propagation is enabled. What is the most likely reason the user cannot see the Development VMs?
66An organization wants to secure management traffic between vCenter Server and ESXi hosts. The security policy mandates disabling all versions of TLS below 1.2. After the administrator configures vCenter to use only TLS 1.2, several ESXi hosts (all version 6.0) lose connectivity to vCenter. The hosts remain operational but show as disconnected in the vSphere Web Client. The administrator needs to restore management while maintaining the security requirement. Which action should the administrator take?
67A vSphere administrator is implementing Lockdown Mode on an ESXi host that hosts critical VMs for a healthcare application. After enabling Normal Lockdown Mode, the administrator tests that vCenter can still manage the host, but the local DCUI root account is disabled. Later, a network outage occurs, causing vCenter to become unreachable. The administrator needs to access the host directly via DCUI to perform emergency troubleshooting. The host's DCUI is still running, but the local root account is disabled due to Lockdown Mode. What should the administrator have configured to ensure DCUI access during such an outage?
68Which two actions can be performed to restrict access to the ESXi host Direct Console User Interface (DCUI)? (Choose two.)
69An administrator is adding an ESXi host to vCenter Server and is prompted to verify the host's certificate thumbprint. The administrator compares it to the output above and it matches. However, the add operation fails with a certificate verification error. What else could be the issue?
70A financial institution operates a vSphere 7.0 environment with three vCenter Servers in linked mode, each managing separate clusters. The company uses vSAN encryption with an external KMS appliance from a third-party vendor. The KMS appliance has a certificate that expires every two years. The storage administrator recently renewed the KMS certificate as per the vendor's instructions. After the renewal, the vCenter Server's 'Key Management Servers' view shows the KMS status as 'Unhealthy'. The administrator attempts to decrypt a test virtual machine, but the operation fails with an error: 'No key providers are available'. The KMS appliance is reachable from the vCenter Server, and the new certificate is installed on the KMS. The administrator has confirmed that the KMS IP address and port are correctly configured in vCenter. What is the most likely cause of the failure?
The vSphere Security domain covers the key concepts tested in this area of the VCP-DCV exam blueprint published by VMware. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VCP-DCV domains — no account required.
The Courseiva VCP-DCV question bank contains 70 questions in the vSphere Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the vSphere Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included