A company plans to migrate a line-of-business application to Azure. The application will run on a virtual machine (IaaS). The company wants to ensure that the operating system is kept up to date with security patches. According to the shared responsibility model, who is primarily responsible for applying these patches?
This is correct. In IaaS, the customer is responsible for maintaining the guest OS, including applying security patches and updates.
Why this answer
In the shared responsibility model for IaaS, the customer retains control over the guest operating system, including applying security patches. Microsoft manages the physical host and hypervisor but does not patch the OS running inside the VM. Therefore, the customer is primarily responsible for keeping the OS up to date.
Exam trap
The trap here is that candidates often assume Microsoft handles all patching in Azure because of the 'as a service' nature, but in IaaS, the customer retains full control and responsibility for the guest OS.
How to eliminate wrong answers
Option A is wrong because Microsoft does not manage all operating system updates in Azure; they only manage the underlying infrastructure (hypervisor, physical hosts), not the guest OS. Option C is wrong because responsibility is not shared equally for OS patching in IaaS; the customer is fully responsible for the guest OS, while Microsoft handles the host OS and physical security. Option D is wrong because the cloud service provider is not responsible for OS patching in all services; in IaaS, the customer manages the guest OS, whereas in PaaS or SaaS, the provider may handle patching.