Mitigate threats using Microsoft Defender for Cloud · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct answer is to enable the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page. This action automatically provisions the integrated Microsoft Defender Vulnerability Management (MDVM) solution to all existing and future Azure VMs without requiring manual agent installation, because Defender for Cloud natively manages the scanner deployment at scale. On the SC-200 exam, this scenario tests your understanding of how to enable vulnerability assessment for Azure VMs using Defender for Cloud as a centralized, policy-driven approach, often contrasting it with the older method of manually deploying the Qualys agent. A common trap is selecting a per-VM manual installation option, which fails to cover future VMs automatically. Remember the key phrase: "enable at the plan level, not the VM level"—think of it as flipping a subscription-wide switch rather than wiring each machine individually.

SC-200 Practice Question: Mitigate threats using Microsoft Defender for Cloud

This SC-200 practice question tests your understanding of how to mitigate threats using Microsoft Defender for Cloud. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A security administrator wants to enable vulnerability assessment for all existing and future Azure virtual machines in a subscription using the integrated Microsoft Defender Vulnerability Management solution. What is the recommended action in Microsoft Defender for Cloud?


Correct answer & explanation

Enable the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page.

Option A is correct because enabling the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page automatically provisions the integrated Microsoft Defender Vulnerability Management (MDVM) solution to all existing and future Azure VMs without manual agent installation. This is the recommended and native method in Microsoft Defender for Cloud to enable vulnerability assessment at scale, leveraging the built-in Qualys or MDVM scanner that is managed by the platform.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Enable the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page.

    Why this is correct

    This action enables automatic deployment of the vulnerability assessment agent to all VMs in the subscription.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Manually install the Microsoft Defender Vulnerability Management agent on each VM via an Azure Policy initiative.

    Why it's wrong here

    Manual installation is not scalable and does not cover future VMs automatically. Azure Policy can be used but the question asks for the recommended action in Defender for Cloud itself.

  • Create an Azure Policy that assigns the 'Configure machines to receive a vulnerability assessment provider' built-in policy to the subscription.

    Why it's wrong here

    This is an alternative approach but not the recommended action within Defender for Cloud settings. The built-in toggle is simpler and more direct.

  • Enable 'Vulnerability assessment for machines' in the Azure Security Benchmark compliance dashboard.

    Why it's wrong here

    The Azure Security Benchmark dashboard shows compliance status but does not enable the vulnerability assessment solution.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse the 'Vulnerability assessment for machines' component with a separate policy assignment or manual agent installation, not realizing that the correct action is a simple toggle in the Defender for Servers plan settings that automatically handles provisioning and lifecycle management.

Trap categories for this question

  • Command / output trap

    The Azure Security Benchmark dashboard shows compliance status but does not enable the vulnerability assessment solution.

Detailed technical explanation

How to think about this question

Under the hood, enabling the 'Vulnerability assessment for machines' component in Defender for Servers plan settings triggers the deployment of the Microsoft Defender Vulnerability Management extension (MdeVulnScan) on supported VMs, which uses the same scanning engine as Microsoft Defender for Endpoint. This integration allows continuous vulnerability discovery without requiring a separate agent, and the results are surfaced in the Defender for Cloud recommendations and security score. A subtle behavior is that this setting must be enabled at the subscription level within the Defender for Cloud pricing blade, and it applies to both existing and future VMs via Azure Policy auto-provisioning, but only if the Defender for Servers plan is turned on.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this SC-200 question test?

This question tests the objective "Mitigate threats using Microsoft Defender for Cloud". The key concept is to read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Enable the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page. — Option A is correct because enabling the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page automatically provisions the integrated Microsoft Defender Vulnerability Management (MDVM) solution to all existing and future Azure VMs without manual agent installation. This is the recommended and native method in Microsoft Defender for Cloud to enable vulnerability assessment at scale, leveraging the built-in Qualys or MDVM scanner that is managed by the platform.

What should I do if I get this SC-200 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

2 more ways this is tested on SC-200

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A security administrator wants to enable vulnerability assessment for all existing and future Azure virtual machines using the integrated Microsoft Defender Vulnerability Management solution. Which action should they take in Microsoft Defender for Cloud?

medium
  • A. Enable 'Microsoft Defender for Servers' plan and check the 'Vulnerability assessment' option in the environment settings
  • B. Install the Log Analytics agent and configure the Qualys connector on each VM
  • C. Create a policy assignment from the built-in initiative 'Enable Azure Monitor for VMs'
  • D. Enable 'Servers' workload protection in Defender for Cloud and then manually deploy the VA agent to each existing VM using Azure Policy

Why A: To enable vulnerability assessment for all existing and future Azure VMs using the integrated Microsoft Defender Vulnerability Management solution, you must enable the 'Microsoft Defender for Servers' plan in Defender for Cloud and then check the 'Vulnerability assessment' option within the environment settings. This action activates the built-in, agentless vulnerability assessment engine that is part of Defender for Cloud, automatically scanning VMs without requiring additional agents or manual deployment.

Variation 2. A security administrator wants to ensure that all existing and future Azure virtual machines have Microsoft Defender for Cloud's built-in vulnerability assessment solution (Qualys or Microsoft) installed without manual intervention. Which feature should the administrator configure?

medium
  • A. Continuous export of security findings to Log Analytics
  • B. Auto-provisioning of the vulnerability assessment solution
  • C. Just-in-time VM access
  • D. Regulatory compliance dashboard

Why B: Auto-provisioning of the vulnerability assessment solution ensures that Microsoft Defender for Cloud automatically installs either the Qualys or Microsoft built-in vulnerability assessment extension on all existing and future Azure VMs without manual intervention. This feature is specifically designed to enable continuous vulnerability scanning by deploying the agent at scale, covering both new and existing resources as they are provisioned or discovered.


Last reviewed: Jun 11, 2026
