A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to ensure that all virtual machines have the Log Analytics agent installed and that missing system updates are remediated automatically. Which two recommendations should be enabled in a single policy initiative?
Defender for Cloud provides built-in initiatives that cover both.
Why this answer
Option D is correct because Microsoft Defender for Cloud includes a built-in policy initiative (the 'ASC Default' initiative) that contains both the 'System Updates' and 'Log Analytics agent' recommendations. Enabling this single initiative automatically assigns both requirements to the selected scope, ensuring that missing system updates are remediated and the Log Analytics agent is installed on all virtual machines without needing custom policies or separate assignments.
Exam trap
The trap here is that candidates often think they need to create custom initiatives or use separate assignments (Option A or B) because they assume the two requirements are unrelated, but Microsoft Defender for Cloud's built-in initiative already bundles them together, making Option D the simplest and most correct approach.
How to eliminate wrong answers
Option A is wrong because it suggests assigning two separate Azure Policy initiatives, which would require managing two distinct assignments and could lead to inconsistent enforcement; the built-in initiative already combines both requirements into a single assignment. Option B is wrong because creating a custom Azure Policy initiative is unnecessary and adds complexity when a built-in initiative that exactly meets the requirements already exists in Defender for Cloud. Option C is wrong because Azure Blueprints are used for deploying and governing entire environments with multiple artifacts (including policies, role assignments, and resource groups), not for simply enabling two specific recommendations within Defender for Cloud; using Blueprints here would be over-engineering and not the intended use case.