20+ practice questions focused on vSphere Security — one of the most tested topics on the VMware Certified Professional Data Center Virtualization VCP-DCV exam. Each question includes a detailed explanation so you learn why the right answer is correct.
An administrator is troubleshooting a situation where a virtual machine cannot be powered on. The error message indicates insufficient permissions. The VM is in a folder named 'Production' and the administrator has been assigned a custom role with 'Virtual machine > Power On' permission at the folder level. However, the VM is also in a resource pool. What additional permission is most likely missing?
Explanation: To power on a virtual machine that resides in a resource pool, the user must have the 'Resource > Assign virtual machine to resource pool' permission on that resource pool. Even though the user has 'Virtual machine > Power On' at the folder level, the VM's association with the resource pool introduces an additional authorization check. Without this resource pool permission, the power-on operation fails with an insufficient permissions error.
A security audit reveals that an ESXi host has been compromised due to an attacker gaining root access via the DCUI. The host is configured with a default DCUI password. Which security best practice should have been implemented to prevent this?
Explanation: DCUI Lockdown Mode 'Normal' disables direct root access via the Direct Console User Interface (DCUI) by requiring authentication through vCenter Single Sign-On (SSO). This prevents an attacker from using the default or weak DCUI password to gain root access, as the root account is no longer accepted for DCUI login. The mode still allows authorized vCenter administrators to access the host via the DCUI using their SSO credentials, maintaining manageability while eliminating the root password attack vector.
A vSphere administrator needs to ensure that all HTTPS traffic to ESXi hosts is encrypted using TLS 1.2. Where should the administrator configure the minimum TLS version?
Explanation: Option A is correct because the minimum TLS version for ESXi host HTTPS traffic is configured via the host advanced setting `Config.HostAgent.plugins.vimsvc.auth.minTLSVersion`. This setting directly controls the TLS protocol version used by the ESXi host's HTTP services, including the vSphere Client and API endpoints, ensuring only TLS 1.2 or higher is accepted.
An administrator is configuring a distributed switch and needs to ensure that all virtual machine traffic on a specific VLAN is isolated. The administrator creates a port group with VLAN ID 100. However, a security scanner reports that packets from this VLAN are appearing on other VLANs. Which security policy setting on the distributed switch should the administrator verify?
Explanation: The VLAN trunking policy on a distributed switch controls whether a port group can pass multiple VLAN IDs (trunk mode) or is restricted to a single VLAN (access mode). When VLAN trunking is enabled, the port group may forward traffic from VLAN 100 onto other VLANs if the virtual switch is configured to allow it, breaking isolation. The administrator should verify that VLAN trunking is disabled (set to 'Reject') to ensure strict VLAN isolation.
A vSphere environment uses Active Directory for authentication. The administrator notices that users from a specific AD group cannot log in to the vCenter Server, although other AD users can. The group is added to vCenter Server with the correct permissions. What is the most likely cause?
Explanation: The most likely cause is that the domain of the group is not configured as an identity source in vCenter Single Sign-On. Even if the group is added with correct permissions in vCenter Server, vCenter SSO must be able to authenticate users against the domain. Without the domain listed as an identity source, vCenter cannot validate the credentials of users from that group, causing authentication failures for all users in that domain.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of vSphere Security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
vSphere Security questions on the VCP-DCV frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. vSphere Security is tested as part of the VMware Certified Professional Data Center Virtualization VCP-DCV blueprint. Practicing with targeted vSphere Security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free VCP-DCV practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but vSphere Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.