Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← vSphere Security practice sets

VCP-DCV vSphere Security • Complete Question Bank

VCP-DCV vSphere Security — All Questions With Answers

Complete VCP-DCV vSphere Security question bank — all 0 questions with answers and detailed explanations.

70
Questions
Free
No signup
Certifications/VCP-DCV/Practice Test/vSphere Security/All Questions
Question 1mediummultiple choice
Read the full vSphere Security explanation →

An administrator is troubleshooting a situation where a virtual machine cannot be powered on. The error message indicates insufficient permissions. The VM is in a folder named 'Production' and the administrator has been assigned a custom role with 'Virtual machine > Power On' permission at the folder level. However, the VM is also in a resource pool. What additional permission is most likely missing?

Question 2hardmultiple choice
Read the full vSphere Security explanation →

A security audit reveals that an ESXi host has been compromised due to an attacker gaining root access via the DCUI. The host is configured with a default DCUI password. Which security best practice should have been implemented to prevent this?

Question 3easymultiple choice
Read the full vSphere Security explanation →

A vSphere administrator needs to ensure that all HTTPS traffic to ESXi hosts is encrypted using TLS 1.2. Where should the administrator configure the minimum TLS version?

Question 4mediummultiple choice
Open the full VLAN trunking answer →

An administrator is configuring a distributed switch and needs to ensure that all virtual machine traffic on a specific VLAN is isolated. The administrator creates a port group with VLAN ID 100. However, a security scanner reports that packets from this VLAN are appearing on other VLANs. Which security policy setting on the distributed switch should the administrator verify?

Question 5hardmultiple choice
Read the full vSphere Security explanation →

A vSphere environment uses Active Directory for authentication. The administrator notices that users from a specific AD group cannot log in to the vCenter Server, although other AD users can. The group is added to vCenter Server with the correct permissions. What is the most likely cause?

Question 6easymulti select
Read the full vSphere Security explanation →

Which TWO actions are recommended to secure the vCenter Server Appliance (VCSA)?

Question 7mediummulti select
Read the full vSphere Security explanation →

Which THREE security features are available in vSphere Trust Authority (vTA)?

Question 8hardmultiple choice
Read the full NAT/PAT explanation →

A multinational corporation runs a vSphere environment with 100 ESXi hosts managed by a single vCenter Server. The security team mandates that all virtual machine disks (VMDKs) must be encrypted at rest. The administrator enables vSphere Virtual Machine Encryption and creates a Key Management Server (KMS) cluster. After encrypting a test VM, the VM powers on successfully, but the administrator notices that the VM's configuration files (VMX, NVRAM) are not encrypted. The security policy requires that all VM files, including configuration files, be encrypted. The administrator checks the VM storage policy and sees that the policy is set to 'VM Encryption Policy' with 'Disk Encryption' enabled. What should the administrator do to ensure the entire VM is encrypted?

Question 9mediummultiple choice
Read the full vSphere Security explanation →

A vSphere administrator needs to ensure that all virtual machine disks are encrypted at rest. The environment uses a KMS cluster with multiple KMIP-compliant servers. The administrator has already configured a storage policy with encryption enabled. However, newly created VMs on a particular datastore still show unencrypted disks. What is the most likely cause?

Question 10hardmulti select
Read the full vSphere Security explanation →

A security audit reveals that a vCenter Server has weak TLS configuration. The administrator needs to enforce strong ciphers and disable SSLv3. Which two steps should the administrator take? (Choose two.)

Question 11easymultiple choice
Read the full vSphere Security explanation →

An administrator is troubleshooting a failed attempt to add an ESXi host to a vCenter Server domain. The error message states: 'The host's certificate has been tampered with or is invalid.' What is the most likely cause?

Question 12hardmultiple choice
Read the full vSphere Security explanation →

A company has a vSphere environment with 20 ESXi hosts and 500 VMs. The security team mandates that all administrative access to vCenter Server must be through a single, highly restricted account with multi-factor authentication (MFA). The account must be used for both the vSphere Client and API integrations. Which step should the administrator take?

Question 13hardmultiple choice
Read the full vSphere Security explanation →

A large financial institution runs a vSphere 7.0 environment with 100 ESXi hosts and 2,000 VMs. The security team has identified that several VMs are vulnerable to a critical side-channel attack that requires disabling hyperthreading on the ESXi hosts. The administrator needs to implement a solution that minimizes performance impact while ensuring compliance. The environment uses DRS clusters with varying workloads: some VMs are CPU-intensive (financial modeling) and others are memory-bound (database servers). The administrator cannot afford to take hosts offline for maintenance during business hours. The change must be implemented within 48 hours. Which course of action should the administrator take?

Question 14mediummultiple choice
Read the full vSphere Security explanation →

A company is implementing vSphere 7.0 and wants to encrypt all vMotion traffic between ESXi hosts in a cluster. The cluster is not using any other encryption features. What is the minimum requirement to enable vMotion encryption?

Question 15hardmulti select
Read the full vSphere Security explanation →

Which TWO actions are required to enable encrypted vSphere vMotion for all virtual machines in a cluster?

Question 16easymultiple choice
Read the full vSphere Security explanation →

Refer to the exhibit. An administrator runs the vmkfstools command on an ESXi host and views the output. Which conclusion can be drawn from the output?

Exhibit

Refer to the exhibit.
```
vmkfstools -P /vmfs/volumes/datastore1/vm/vm.vmx
```

Output:
```
File system label: datastore1
File system type: VMFS-6
Volume capacity: 1024000 MB
Volume free: 512000 MB
Disk capacity: 1024000 MB
Disk free: 512000 MB
Block size: 1 MB
```
Question 17mediumdrag order
Read the full vSphere Security explanation →

Order the steps to take a snapshot of a virtual machine.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 18mediummatching
Read the full vSphere Security explanation →

Match each vSphere networking component to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Logical grouping of ports with common configuration

Network interface for vSphere services like vMotion

Physical NIC connected to a virtual switch

Segments network traffic at Layer 2

Combining multiple uplinks for load balancing or failover

Question 19easymultiple choice
Read the full vSphere Security explanation →

A company wants to integrate vCenter Server with an external identity source to allow users to authenticate using their corporate credentials. The administrator must ensure that authentication traffic is encrypted. Which solution should the administrator implement?

Question 20mediummultiple choice
Read the full vSphere Security explanation →

An administrator is troubleshooting a failed VM encryption operation. The key provider status shows as 'Not Responding' in the vSphere Web Client. The administrator has verified network connectivity between the ESXi hosts and the key provider. What is the most likely cause of the failure?

Question 21hardmultiple choice
Read the full vSphere Security explanation →

An organization is implementing vSphere Trust Authority for sensitive workloads. The administrator must configure the trusted ESXi hosts to attest to vCenter Server. Which component is responsible for performing attestation?

Question 22easymultiple choice
Read the full vSphere Security explanation →

A vSphere administrator wants to restrict direct console access to an ESXi host to authorized administrators only, without interrupting running virtual machines. Which feature should the administrator enable?

Question 23mediummultiple choice
Read the full vSphere Security explanation →

An administrator needs to allow HTTP traffic from a specific management workstation to an ESXi host while blocking all other inbound traffic. The ESXi firewall uses the default ruleset. What should the administrator do?

Question 24hardmultiple choice
Read the full vSphere Security explanation →

A vSphere environment uses VMCA for certificate management. An administrator needs to replace the certificate for vCenter Server with a custom CA-signed certificate. The custom CA root certificate must be trusted by all ESXi hosts. Which method should the administrator use to distribute the custom CA root certificate to ESXi hosts?

Question 25easymultiple choice
Read the full vSphere Security explanation →

An administrator has created a custom role named 'VM Power User' with permissions to power on and off virtual machines. The role is assigned to a group of users at the datacenter level. A user from that group reports they cannot power on a VM in a particular cluster. What is the most likely reason?

Question 26mediummultiple choice
Read the full vSphere Security explanation →

An organization is deploying vCenter Server in a DMZ. Which security best practice should the administrator implement to protect the vCenter Server appliance?

Question 27hardmultiple choice
Read the full NAT/PAT explanation →

An administrator is configuring vSphere Native Key Provider (NKP) in a cluster. After enabling NKP, the administrator adds a VM and attempts to encrypt it, but receives an error that the key provider is not available. The cluster consists of three ESXi hosts. What is the most likely cause?

Question 28easymulti select
Read the full vSphere Security explanation →

Which TWO actions are required to enable vSphere VM encryption? (Choose two.)

Question 29mediummulti select
Read the full vSphere Security explanation →

Which THREE security hardening measures should be applied to an ESXi host? (Choose three.)

Question 30hardmulti select
Read the full vSphere Security explanation →

Which TWO statements about vCenter Single Sign-On (SSO) are true? (Choose two.)

Question 31easymultiple choice
Read the full vSphere Security explanation →

An administrator runs the command shown in the exhibit on a vCenter Server appliance. What is the primary purpose of the Machine ID?

Network Topology
/usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-idserver-name localhostRefer to the exhibit.Output from vCenter Server CLI:```Machine ID: 5f6a7b8c-9d0e-1f2a-3b4c-5d6e7f8a9b0c
Question 32mediummultiple choice
Read the full vSphere Security explanation →

An administrator notices that HTTP connections to the ESXi host are timing out frequently. Based on the exhibit, which configuration change would most likely resolve the issue?

Exhibit

Refer to the exhibit.

Configuration snippet from /etc/vmware/rhttpproxy/config.xml on an ESXi host:
```
<config>
  <client>
    <useProxy>false</useProxy>
    <proxyHost></proxyHost>
    <proxyPort>0</proxyPort>
  </client>
  <server>
    <maxKeepAliveTimeout>100</maxKeepAliveTimeout>
  </server>
</config>
```
Question 33hardmultiple choice
Read the full vSphere Security explanation →

An administrator configures permissions as shown in the exhibit. Users 'user1' and 'user2' are in the 'Limited' role which only allows 'Read' and 'Console interaction' privileges. User1 reports being unable to open a console to a VM running on host2.domain.com. What is the most likely cause?

Exhibit

Refer to the exhibit.

Output from ESXi host:
```
~ # esxcli system permission list
Path                                                                   User  Group  Role
/datacenter/host/cluster/host1.domain.com                              admin        Admin
/datacenter/host/cluster/host1.domain.com                              user1        Limited
/datacenter/host/cluster/host2.domain.com                              admin        Admin
/datacenter/host/cluster/host2.domain.com                              user2        Limited
```
Question 34easymultiple choice
Read the full vSphere Security explanation →

An administrator wants to prevent direct root access to an ESXi host via SSH and the DCUI. Which two configurations are necessary?

Question 35mediummultiple choice
Read the full vSphere Security explanation →

A company requires all vMotion traffic to be encrypted. The vSphere administrator enables vMotion encryption at the cluster level. What else must be configured to ensure vMotion operations are encrypted?

Question 36hardmultiple choice
Read the full vSphere Security explanation →

A vSphere administrator notices that after replacing the vCenter Server machine SSL certificate, all vCenter services start, but from one ESXi host, the vCenter Server appears as disconnected. Other hosts connect fine. What is the most likely cause?

Question 37mediummultiple choice
Read the full vSphere Security explanation →

An administrator needs to grant a group of vSphere administrators the ability to create and delete snapshots, and also to power on and off VMs, but not to delete VMs. The administrators should also be able to view the virtual machine console. Which custom role should be created?

Question 38easymultiple choice
Review the full subnetting walkthrough →

An administrator wants to configure the ESXi host firewall to allow connections only from a specific management subnet. How can this be achieved?

Question 39hardmultiple choice
Read the full vSphere Security explanation →

A vSphere environment uses vSAN and has VM encryption enabled. The administrator needs to recover a VM after an encrypted disk becomes corrupted. What is required?

Question 40mediummultiple choice
Read the full vSphere Security explanation →

During a security audit, it is found that the vCenter Server is using the default self-signed certificate. The administrator is tasked to replace it with a certificate from an enterprise CA. What is the first step after obtaining the CA-signed certificate?

Question 41easymultiple choice
Read the full vSphere Security explanation →

An administrator wants to ensure that no user can view or modify VMs in a particular folder except the folder owner. What is the proper method to achieve this?

Question 42hardmultiple choice
Read the full vSphere Security explanation →

A company uses an external Platform Services Controller (PSC) in a vSphere 6.7 environment. They plan to upgrade to vSphere 7.0. Which security-related consideration is most important?

Question 43mediummulti select
Read the full vSphere Security explanation →

Which TWO of the following are best practices for securing ESXi hosts? (Choose two.)

Question 44mediummulti select
Read the full vSphere Security explanation →

Which TWO of the following are required to configure vMotion encryption for a VM? (Choose two.)

Question 45hardmulti select
Read the full vSphere Security explanation →

Which THREE of the following are prerequisites for configuring vSAN encryption? (Choose three.)

Question 46easymultiple choice
Read the full vSphere Security explanation →

An administrator runs the above command on an ESXi host. Which of the following is true about this host?

Exhibit

Refer to the exhibit.

```
~ # esxcli system security lockdown list
Enabled: true
Mode: Normal
Exception users:
   root
Command list for exception users:
   term
   vimsh
```
Question 47mediummultiple choice
Read the full vSphere Security explanation →

A security administrator notices that a virtual machine (VM) running a legacy application is experiencing network connectivity issues after enabling Network I/O Control (NIOC) on the distributed switch. The VM is in a high-priority traffic class for management traffic. What is the most likely cause of the issue?

Question 48hardmultiple choice
Read the full vSphere Security explanation →

During a security audit, it is discovered that a vCenter Server instance is using the default self-signed certificate. The company policy requires all certificates to be signed by an internal enterprise CA. An administrator has imported the CA chain into the VMware Endpoint Certificate Store (VECS) and generated a Certificate Signing Request (CSR). After receiving the signed certificate from the CA, which additional step is required to complete the certificate replacement?

Question 49easymultiple choice
Read the full vSphere Security explanation →

A vSphere administrator wants to prevent users in a custom role from powering off virtual machines that have Fault Tolerance enabled. Which privilege must be removed from the custom role?

Question 50mediummultiple choice
Read the full vSphere Security explanation →

An organization is using vSphere Trust Authority (vTA) to secure ESXi hosts. A newly added ESXi host fails to attest with the Trust Authority. The administrator verifies that the host is connected to the vTA cluster and the trust relationship is configured. What is the most likely cause of the attestation failure?

Question 51hardmultiple choice
Read the full vSphere Security explanation →

A company uses vSphere with Tanzu to run container workloads. The security team requires that all container traffic between namespaces be encrypted. What is the best approach to achieve this?

Question 52easymultiple choice
Read the full vSphere Security explanation →

An administrator needs to lock down an ESXi host for FIPS 140-2 compliance. Which step must be taken?

Question 53mediummultiple choice
Read the full vSphere Security explanation →

During a vulnerability scan, an ESXi host is found to have the SSLv3 protocol enabled. The administrator wants to disable SSLv3 and enforce TLS 1.2 for all network services on the host. Which approach is most effective?

Question 54hardmultiple choice
Read the full vSphere Security explanation →

A vSphere administrator is preparing for a PCI DSS audit. The auditor requires that all virtual machine disks be encrypted at rest. The environment uses vSAN with storage policies. Which storage policy-based management (SPBM) rule should be applied to ensure encryption?

Question 55easymultiple choice
Read the full vSphere Security explanation →

An administrator needs to ensure that a service account used for vCenter Server backups has the minimum required privileges. The account should only be able to perform backup and restore operations. Which role should be assigned?

Question 56mediummulti select
Read the full vSphere Security explanation →

Which TWO of the following are valid methods to restrict access to the ESXi host's Direct Console User Interface (DCUI) to authorized administrators only?

Question 57hardmulti select
Read the full vSphere Security explanation →

Which THREE of the following are required components for setting up a vSphere Trust Authority (vTA) cluster?

Question 58mediummulti select
Read the full vSphere Security explanation →

Which TWO of the following are best practices for securing a vSphere environment against ransomware attacks?

Question 59hardmultiple choice
Read the full vSphere Security explanation →

A company runs a critical e-commerce platform on a vSphere 7 cluster with ESXi hosts connected to a vSAN datastore. The environment uses vSphere Trust Authority (vTA) and VM encryption with an external KMS. Recently, after a successful vTA attestation, one of the VMs (WebServer-01) failed to power on with the error: 'Unable to decrypt the encrypted virtual machine upon re-registration. Reason: The KMS server is unreachable.' The administrator verifies that other encrypted VMs on the same host power on successfully. The KMS cluster consists of two servers: KMS-01 and KMS-02, both accessible from the management network. The administrator checks the VM's configuration and finds that it uses a custom storage policy with encryption. What is the most likely cause of this specific VM's failure?

Question 60easymultiple choice
Read the full vSphere Security explanation →

A vSphere administrator needs to restrict access to a specific cluster so that only the storage team can manage datastores. The storage team members are in a group called 'storage_team' in Active Directory. What is the best practice to achieve this?

Question 61mediummultiple choice
Read the full vSphere Security explanation →

A vCenter Server's SSL certificate has expired, causing all ESXi hosts to display a certificate warning and some management tasks to fail. The administrator needs to restore secure communication with minimal disruption. Which action should the administrator take?

Question 62mediummulti select
Read the full vSphere Security explanation →

An administrator is configuring vSphere Trust Authority (vTA) to secure ESXi hosts in a sensitive environment. Which TWO components are required for a vTA deployment? (Choose two.)

Question 63hardmulti select
Read the full vSphere Security explanation →

A company is implementing vSphere with Tanzu for containerized workloads. To secure the workload management plane, which THREE security features should be configured? (Choose three.)

Question 64hardmultiple choice
Read the full vSphere Security explanation →

A financial institution operates a vSphere 7 environment with 1,000 VMs, many of which process sensitive data. The security team mandates VM encryption at rest using a Key Management Server (KMS) cluster. The administrator has configured the KMS cluster as a key provider in vCenter and enabled encryption on a test VM, which works correctly. However, after adding a new ESXi host to the cluster and attempting to power on a previously encrypted VM, the VM fails to start with the error: 'Key provider unavailable for host <hostname>.' The new host is correctly licensed for encryption and has network connectivity to the KMS. The administrator verifies that the KMS cluster is operational and that other hosts can power on encrypted VMs. What is the most likely cause of this issue?

Question 65mediummultiple choice
Read the full vSphere Security explanation →

A vSphere administrator is troubleshooting a permissions issue. A user named 'backup_admin' is a member of the AD group 'Backup Operators'. The group has been assigned a custom role at the datacenter level with the following privileges: Virtual machine > Provisioning > Create snapshot, Virtual machine > State > Create, Revert, Remove snapshot. The user can see all VMs in the 'Production' folder but cannot see VMs in the 'Development' folder, even though both folders are under the same datacenter. The administrator confirms that no other permissions exist for this user or group, and propagation is enabled. What is the most likely reason the user cannot see the Development VMs?

Question 66easymultiple choice
Read the full vSphere Security explanation →

An organization wants to secure management traffic between vCenter Server and ESXi hosts. The security policy mandates disabling all versions of TLS below 1.2. After the administrator configures vCenter to use only TLS 1.2, several ESXi hosts (all version 6.0) lose connectivity to vCenter. The hosts remain operational but show as disconnected in the vSphere Web Client. The administrator needs to restore management while maintaining the security requirement. Which action should the administrator take?

Question 67hardmultiple choice
Read the full vSphere Security explanation →

A vSphere administrator is implementing Lockdown Mode on an ESXi host that hosts critical VMs for a healthcare application. After enabling Normal Lockdown Mode, the administrator tests that vCenter can still manage the host, but the local DCUI root account is disabled. Later, a network outage occurs, causing vCenter to become unreachable. The administrator needs to access the host directly via DCUI to perform emergency troubleshooting. The host's DCUI is still running, but the local root account is disabled due to Lockdown Mode. What should the administrator have configured to ensure DCUI access during such an outage?

Question 68easymulti select
Read the full vSphere Security explanation →

Which two actions can be performed to restrict access to the ESXi host Direct Console User Interface (DCUI)? (Choose two.)

Question 69mediummultiple choice
Read the full vSphere Security explanation →

An administrator is adding an ESXi host to vCenter Server and is prompted to verify the host's certificate thumbprint. The administrator compares it to the output above and it matches. However, the add operation fails with a certificate verification error. What else could be the issue?

Exhibit

Refer to the exhibit.
```
~ # openssl x509 -in /etc/vmware/ssl/rui.crt -noout -fingerprint -sha256
SHA256 Fingerprint: AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90
```
Question 70hardmultiple choice
Read the full vSphere Security explanation →

A financial institution operates a vSphere 7.0 environment with three vCenter Servers in linked mode, each managing separate clusters. The company uses vSAN encryption with an external KMS appliance from a third-party vendor. The KMS appliance has a certificate that expires every two years. The storage administrator recently renewed the KMS certificate as per the vendor's instructions. After the renewal, the vCenter Server's 'Key Management Servers' view shows the KMS status as 'Unhealthy'. The administrator attempts to decrypt a test virtual machine, but the operation fails with an error: 'No key providers are available'. The KMS appliance is reachable from the vCenter Server, and the new certificate is installed on the KMS. The administrator has confirmed that the KMS IP address and port are correctly configured in vCenter. What is the most likely cause of the failure?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

VCP-DCV Practice Test 1 — 10 Questions→VCP-DCV Practice Test 2 — 10 Questions→VCP-DCV Practice Test 3 — 10 Questions→VCP-DCV Practice Test 4 — 10 Questions→VCP-DCV Practice Test 5 — 10 Questions→VCP-DCV Practice Exam 1 — 20 Questions→VCP-DCV Practice Exam 2 — 20 Questions→VCP-DCV Practice Exam 3 — 20 Questions→VCP-DCV Practice Exam 4 — 20 Questions→Free VCP-DCV Practice Test 1 — 30 Questions→Free VCP-DCV Practice Test 2 — 30 Questions→Free VCP-DCV Practice Test 3 — 30 Questions→VCP-DCV Practice Questions 1 — 50 Questions→VCP-DCV Practice Questions 2 — 50 Questions→VCP-DCV Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

vSphere Architecture, Products and SolutionsConfigure and Manage vSphere NetworkingConfigure and Manage vSphere StoragevSphere Lifecycle ManagementvSphere SecurityvSphere Performance and Scaling

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All vSphere Security setsAll vSphere Security questionsVCP-DCV Practice Hub