CCNA vSphere Security Questions

70 questions · vSphere Security · All types, answers revealed

Question 1 · MCQ · easy

An administrator wants to ensure that no user can view or modify VMs in a particular folder except the folder owner. What is the proper method to achieve this?

A. Use the No Access permission on the folder for all other users.
B. Assign the folder owner with Administrator role on the folder.
C. Create a global role that denies access to all VMs except the folder owner.
D. On the folder, assign permissions to the folder owner with the desired role and ensure propagation is set to 'All children'.

Answer: D

This applies the role to VMs within the folder.

Why this answer

Option C is correct by setting a permission for the folder and propagating it to child objects. Option A is incorrect because propagation can be controlled. Option B is incorrect because global roles affect all objects.

Option D is incorrect because inheritance can be blocked using No Access permissions.

Question 2 · MCQ · hard

A vSphere environment uses VMCA for certificate management. An administrator needs to replace the certificate for vCenter Server with a custom CA-signed certificate. The custom CA root certificate must be trusted by all ESXi hosts. Which method should the administrator use to distribute the custom CA root certificate to ESXi hosts?

A. Restart the rhttpproxy service on each ESXi host with a new configuration
B. Import the root CA certificate into vCenter Server and it will automatically push to hosts
C. Manually upload the root CA certificate to each ESXi host via SCP
D. Create a host profile containing the custom CA root certificate and apply it to the ESXi hosts

Answer: D

Host profiles provide consistent, policy-based distribution.

Why this answer

Option C is correct because using a host profile to apply the certificate ensures consistency and is policy-driven. Option A is wrong because manually copying to each host is not scalable. Option B is wrong because vCenter does not automatically push root CAs to hosts; it only replaces the machine SSL certificate.

Option D is wrong because the rhttpproxy service is for proxying, not for certificate distribution.

Question 3 · MCQ · hard

A vSphere environment uses vSAN and has VM encryption enabled. The administrator needs to recover a VM after an encrypted disk becomes corrupted. What is required?

A. The vSAN health service.
B. A recent backup of the VM files.
C. The key management server (KMS) and the KEK/Rekey.
D. The VM’s storage policy.

Answer: C

The KMS stores the encryption keys; without them, the data cannot be decrypted.

Why this answer

Option D is correct because for encrypted VMs, the key server (KMIP) and the associated encryption keys are essential for decryption. Option A is incorrect because the encryption policies are stored in vCenter, but the actual keys are external. Option B is incorrect because vSAN has repair mechanics but cannot decrypt without keys.

Option C is incorrect because file-based backup does not guarantee recoverability without keys.

Question 4 · Multi-Select · hard

Which TWO statements about vCenter Single Sign-On (SSO) are true? (Choose two.)

Select 2 answers
A. It supports multiple identity sources such as Active Directory and LDAP
B. It uses Kerberos to authenticate users to vCenter Server
C. It stores user passwords in plaintext for faster authentication
D. It requires a Windows Active Directory domain to function
E. It uses SAML 2.0 tokens for authentication between vCenter services

Answers: A, E

SSO can integrate with various identity providers.

Why this answer

Options B and D are correct. SSO supports multiple identity sources (e.g., AD, LDAP) and uses SAML tokens for authentication. Option A is wrong because passwords are stored hashed, not in plaintext.

Option C is wrong because SSO can work without a Windows Active Directory. Option E is wrong because SSO uses SAML, not Kerberos, for token exchange.

Question 5 · MCQ · hard

A security audit reveals that an ESXi host has been compromised due to an attacker gaining root access via the DCUI. The host is configured with a default DCUI password. Which security best practice should have been implemented to prevent this?

A. Configure the DCUI lockdown mode to 'Normal'
B. Disable the DCUI service
C. Set a strong password for the root account
D. Disable SSH access

Answer: A

Normal lockdown mode restricts DCUI access to local console only.

Why this answer

DCUI Lockdown Mode 'Normal' disables direct root access via the Direct Console User Interface (DCUI) by requiring authentication through vCenter Single Sign-On (SSO). This prevents an attacker from using the default or weak DCUI password to gain root access, as the root account is no longer accepted for DCUI login. The mode still allows authorized vCenter administrators to access the host via the DCUI using their SSO credentials, maintaining manageability while eliminating the root password attack vector.

Exam trap

The trap here is that candidates often choose 'Set a strong password for the root account' because they focus on password strength, but the question specifically highlights a default password being used, and the correct solution is to eliminate the root password as an authentication method for the DCUI entirely.

How to eliminate wrong answers

Option B is wrong because the DCUI service cannot be disabled; it is the console interface for local host management and is always available when the host is powered on. Option C is wrong because while a strong root password is a basic security measure, it does not prevent an attacker who already knows or guesses the default password from gaining root access via the DCUI; the core issue is that the default password is used, not its strength. Option D is wrong because disabling SSH does not affect DCUI access; the attack vector in this scenario is the DCUI, not SSH, so disabling SSH would not mitigate the compromise.

Question 6 · Multi-Select · medium

Which THREE security features are available in vSphere Trust Authority (vTA)?

Select 3 answers
A. Attestation of ESXi hosts
B. Integration with Active Directory for authentication
C. Trusted Platform Module (TPM) based attestation
D. Encryption of vMotion traffic
E. Key provider services for virtual machines

Answers: A, C, E

vTA attests host integrity.

Why this answer

Option A is correct because vSphere Trust Authority (vTA) uses attestation to verify the integrity of ESXi hosts before allowing them to interact with trusted infrastructure. This attestation process confirms that the host is running genuine, untampered VMware code, which is a core security feature of vTA.

Exam trap

The trap here is that candidates often confuse general vSphere security features (like vMotion encryption or AD integration) with vTA-specific capabilities, which are narrowly focused on attestation and key provider services.

Question 7 · Multi-Select · medium

Which TWO of the following are best practices for securing ESXi hosts? (Choose two.)

Select 2 answers
A. Grant the root user direct permissions on all hosts.
B. Disable the ESXi firewall to simplify management.
C. Enable lockdown mode on the host.
D. Allow DCUI access from trusted management networks.
E. Configure Active Directory integration for host authentication.

Answers: C, E

Lockdown mode disables direct root access via SSH and DCUI.

Why this answer

Options A and B are correct. Option A: Lockdown mode restricts direct root access. Option B: Active Directory integration allows centralized user management.

Option C is incorrect because DCUI should be restricted, not allowed from the network; DCUI is for local console. Option D is incorrect because keeping the firewall enabled is a security best practice. Option E is incorrect because using root directly is not recommended (use delegated admins).

Question 8 · MCQ · easy

An administrator needs to lock down an ESXi host for FIPS 140-2 compliance. Which step must be taken?

A. Disable the ESXi Shell and SSH services.
B. Enable lockdown mode on the ESXi host.
C. Configure a host profile with a security policy.
D. Enable FIPS mode in the host's BIOS.

Answer: B

Lockdown mode restricts direct console and SSH access, enforcing FIPS requirements.

Why this answer

Option C is correct. The ESXi host must be placed in lockdown mode to restrict direct access. Option A is incorrect because SSH can still be used even if the shell is disabled; lockdown mode disables both.

Option B is incorrect because host profiles help configure but do not enforce lockdown. Option D is incorrect because FIPS mode is a separate configuration.

Question 9 · Multi-Select · medium

Which TWO of the following are required to configure vMotion encryption for a VM? (Choose two.)

Select 2 answers
A. The source and destination hosts must be from the same vendor.
B. The source and destination ESXi hosts must be version 6.5 or later.
C. A Key Management Server (KMS) must be configured in vCenter.
D. The virtual hardware version of the VM must be 11 or later.
E. The VM must have encryption enabled at the VM level.

Answers: B, D

vMotion encryption is supported from ESXi 6.5 onward.

Why this answer

Options A and D are correct. Option A: The host must support vMotion encryption (ESXi 6.5+). Option D: The VM must have virtual hardware version 11 or later.

Option B is incorrect because VM encryption is separate; vMotion encryption can be enabled independently. Option C is incorrect because both sides need not be identical; they just need to support encryption. Option E is incorrect because a KMS is not required for vMotion encryption; only for VM encryption.

Question 10 · MCQ · hard

A financial institution operates a vSphere 7.0 environment with three vCenter Servers in linked mode, each managing separate clusters. The company uses vSAN encryption with an external KMS appliance from a third-party vendor. The KMS appliance has a certificate that expires every two years. The storage administrator recently renewed the KMS certificate as per the vendor's instructions. After the renewal, the vCenter Server's 'Key Management Servers' view shows the KMS status as 'Unhealthy'. The administrator attempts to decrypt a test virtual machine, but the operation fails with an error: 'No key providers are available'. The KMS appliance is reachable from the vCenter Server, and the new certificate is installed on the KMS. The administrator has confirmed that the KMS IP address and port are correctly configured in vCenter. What is the most likely cause of the failure?

A. The vSAN encryption keys were lost during the certificate renewal
B. The KMS cluster in vCenter needs to be recreated
C. The new KMS certificate has not been imported into the vCenter Server trust store
D. The vCenter Server services need to be restarted

Answer: C

vCenter must trust the KMS certificate to communicate; otherwise, it shows the KMS as unhealthy.

Why this answer

Option A is correct: The new KMS certificate must be imported into the vCenter Server's trust store so that vCenter can establish a trusted connection to the KMS. Even if the KMS is reachable, without the new certificate being trusted, vCenter will consider the KMS unhealthy. Option B is unnecessary because the KMS cluster configuration is still valid; option C is a common but ineffective workaround; option D is incorrect because encryption keys are not lost during certificate renewal—they remain stored in the KMS.

Question 11 · MCQ · hard

A vSphere administrator is implementing Lockdown Mode on an ESXi host that hosts critical VMs for a healthcare application. After enabling Normal Lockdown Mode, the administrator tests that vCenter can still manage the host, but the local DCUI root account is disabled. Later, a network outage occurs, causing vCenter to become unreachable. The administrator needs to access the host directly via DCUI to perform emergency troubleshooting. The host's DCUI is still running, but the local root account is disabled due to Lockdown Mode. What should the administrator have configured to ensure DCUI access during such an outage?

A. Use the vSphere Web Client to add the host as an exception before the outage.
B. Configure the DCUI access list with specific users or groups before enabling Lockdown Mode.
C. Enable Strict Lockdown Mode to allow vCenter access exclusively.
D. Disable Lockdown Mode only during the maintenance window.

Answer: B

This allows designated users to access DCUI even when Lockdown Mode is active.

Why this answer

Option A is correct. Normal Lockdown Mode allows you to configure a DCUI access list of users (from the host's local authentication or AD) who can log in via DCUI even when Lockdown Mode is active. Option B is wrong because Strict Lockdown Mode disables all local accounts and DCUI entirely.

Option C is wrong because disabling Lockdown Mode would require prior vCenter access. Option D is wrong because the vSphere Web Client is not available during an outage.

Question 12 · MCQ · hard

A vSphere administrator notices that after replacing the vCenter Server machine SSL certificate, all vCenter services start, but from one ESXi host, the vCenter Server appears as disconnected. Other hosts connect fine. What is the most likely cause?

A. The vCenter certificate's Common Name does not match the host's IP address.
B. The ESXi host does not trust the signing certificate authority of the new vCenter certificate.
C. The ESXi host has a different system time than the vCenter Server.
D. The vCenter Server certificate was not imported into the SSO trusted domain.

Answer: B

The host needs the root CA certificate in its trusted store to validate the vCenter certificate.

Why this answer

Option C is correct because if the ESXi host's certificate store does not have the new vCenter certificate's root CA, the verification fails. Option A is incorrect because clock skew usually affects both sides. Option B is incorrect because the vCenter certificate does not need to match the host's IP.

Option D is incorrect because replacing the machine SSL certificate does not inherently break SSO unless the STS certificates were also replaced improperly.

Question 13 · MCQ · hard

A large financial institution runs a vSphere 7.0 environment with 100 ESXi hosts and 2,000 VMs. The security team has identified that several VMs are vulnerable to a critical side-channel attack that requires disabling hyperthreading on the ESXi hosts. The administrator needs to implement a solution that minimizes performance impact while ensuring compliance. The environment uses DRS clusters with varying workloads: some VMs are CPU-intensive (financial modeling) and others are memory-bound (database servers). The administrator cannot afford to take hosts offline for maintenance during business hours. The change must be implemented within 48 hours. Which course of action should the administrator take?

A. Use a vSphere DRS rule to disable hyperthreading for all VMs in the cluster, avoiding the need to modify host BIOS.
B. Place each host in maintenance mode individually, disable hyperthreading in the host BIOS, reboot the host, and then move to the next host. Rebalance VMs after all hosts are updated.
C. Delay the change and schedule a maintenance window for the next month when business impact is lower.
D. Disable hyperthreading on all hosts simultaneously using a vSphere Cluster feature, then reboot all hosts at once during off-peak hours.

Answer: B

This minimizes downtime as VMs are migrated off each host before reboot, and can be completed within 48 hours.

Why this answer

Option B is correct because disabling hyperthreading to mitigate side-channel attacks (e.g., L1TF or MDS) requires a host BIOS change, which necessitates a reboot. The only supported method in vSphere 7.0 is to place each host into maintenance mode, change the BIOS setting, reboot, and then repeat for all hosts. This approach minimizes performance impact by allowing VMs to be migrated via vMotion and avoids simultaneous downtime, meeting the 48-hour requirement without taking all hosts offline during business hours.

Exam trap

The trap here is that candidates mistakenly believe hyperthreading can be disabled via a vSphere software setting (like a DRS rule or cluster feature) without a host reboot, when in reality it requires a physical BIOS change and reboot per host.

How to eliminate wrong answers

Option A is wrong because vSphere DRS rules cannot disable hyperthreading at the VM or host level; hyperthreading is a hardware feature controlled only via BIOS or host-level CPU configuration, and DRS rules only influence VM placement and resource allocation. Option C is wrong because delaying the change for a month violates the explicit requirement to implement the fix within 48 hours, and the security vulnerability demands immediate remediation. Option D is wrong because there is no vSphere Cluster feature to disable hyperthreading across all hosts simultaneously; disabling hyperthreading requires a BIOS change and reboot per host, and rebooting all hosts at once would cause total cluster downtime, violating the constraint of no business-hour outages.

Question 14 · Multi-Select · hard

Which THREE of the following are required components for setting up a vSphere Trust Authority (vTA) cluster?

Select 3 answers
A. A Key Provider, such as VMware Key Provider or an external KMS.
B. A dedicated Trust Authority cluster with at least one host.
C. NSX-T Data Center deployed for network segmentation.
D. A physical Trusted Platform Module (TPM) on each trusted host.
E. The Attestation Service and Key Cache services installed on the Trust Authority cluster.

Answers: B, D, E

The Trust Authority cluster hosts the attestation service.

Why this answer

Options A, C, and D are correct. vTA requires at least one trusted ESXi host, a Trust Authority cluster, and an attestation service. Option B is incorrect because a Key Provider is part of vSphere Trusted Infrastructure (vTPM) but not vTA. Option E is incorrect because NSX is not required for vTA.

Question 15 · Matching · medium

Match each vSphere networking component to its description.


Concepts
Matches

Logical grouping of ports with common configuration

Network interface for vSphere services like vMotion

Physical NIC connected to a virtual switch

Segments network traffic at Layer 2

Combining multiple uplinks for load balancing or failover

Why these pairings

Networking constructs in vSphere.

Question 16 · MCQ · easy

An administrator has created a custom role named 'VM Power User' with permissions to power on and off virtual machines. The role is assigned to a group of users at the datacenter level. A user from that group reports they cannot power on a VM in a particular cluster. What is the most likely reason?

A. The user must be assigned the role individually at the VM level
B. The cluster has a permission that blocks inheritance from the datacenter
C. The role is not assigned to a resource pool containing the VM
D. The user is not a member of the group assigned to the role

Answer: B

Blocked inheritance prevents the role from applying.

Why this answer

Option B is correct because permissions are not inherited by default if a child object has explicit permissions set that block propagation. Option A is wrong because the group is assigned the role; individual membership suffices. Option C is wrong because the role does not require resource assignment.

Option D is wrong because the user is part of the group; no separate assignment needed.

Question 17 · MCQ · medium

A vCenter Server's SSL certificate has expired, causing all ESXi hosts to display a certificate warning and some management tasks to fail. The administrator needs to restore secure communication with minimal disruption. Which action should the administrator take?

A. Reboot the vCenter Server appliance to regenerate the certificate automatically.
B. Replace the vCenter Server certificate and then reconnect each ESXi host to vCenter.
C. Replace the SSL certificate on each ESXi host individually using the vSphere Web Client.
D. Use vSphere Auto Deploy to push new certificates to all hosts simultaneously.

Answer: B

This directly resolves the expired certificate and restores trust without host reboots.

Why this answer

Option B is correct because replacing the vCenter Server certificate and then reconnecting each ESXi host is the standard procedure to restore trust. Option A is wrong because replacing certificates on each host individually is inefficient and does not address the vCenter certificate. Option C is wrong because rebooting vCenter does not replace the expired certificate.

Option D is wrong because even if Auto Deploy is used, the vCenter certificate still needs to be replaced.

Question 18 · MCQ · medium

During a vulnerability scan, an ESXi host is found to have the SSLv3 protocol enabled. The administrator wants to disable SSLv3 and enforce TLS 1.2 for all network services on the host. Which approach is most effective?

A. Update the TLS configuration in vCenter Server and reboot the host.
B. Change the host's security settings in the DCUI to require TLS 1.2.
C. Disable all unnecessary services on the host via the DCUI.
D. Set the advanced system option 'SSLv3.Enabled' to false and 'TLSv1.2.Enabled' to true.

Answer: D

These advanced options control which SSL/TLS versions are enabled on the ESXi host.

Why this answer

Option D is correct. The ESXi host's SSL/TLS configuration can be controlled via the Host Advanced Settings by setting the appropriate option to require TLS 1.2. Option A is incorrect because disabling services does not change the protocol.

Option B is incorrect because the vCenter's TLS configuration does not directly affect the host's. Option C is incorrect because there is no direct setting in the DCUI for this.

Question 19 · MCQ · easy

An administrator runs the above command on an ESXi host. Which of the following is true about this host?

A. Root user can still access the DCUI or SSH using the allowed exception commands.
B. Lockdown mode is not enabled.
C. The exception user can run any command via the DCUI.
D. The host is in strict lockdown mode.

Answer: A

Root is an exception and has access to term and vimsh.

Why this answer

Option B is correct because the command shows lockdown mode is enabled, root is an exception user, and the exception commands allow terminal access and vimsh. Option A is incorrect because root is in the exception list. Option C is incorrect because the host is in normal lockdown, not strict.

Option D is incorrect because the commands allowed are terminal and vimsh, not all commands.

Question 20 · MCQ · easy

A vSphere administrator wants to restrict direct console access to an ESXi host to authorized administrators only, without interrupting running virtual machines. Which feature should the administrator enable?

A. Lockdown mode
B. Enable DRS
C. Configure a host profile
D. Disable SSH service

Answer: A

Lockdown mode restricts direct console access while allowing vCenter access.

Why this answer

Option A is correct because lockdown mode restricts direct access to the ESXi host via DCUI and SSH, but allows access through vCenter Server while VMs continue to run. Option B is wrong because disabling SSH alone does not restrict DCUI. Option C is wrong because host profiles configure settings but do not enforce access restriction.

Option D is wrong because DRS is for load balancing, not security.

Question 21 · MCQ · medium

An administrator needs to allow HTTP traffic from a specific management workstation to an ESXi host while blocking all other inbound traffic. The ESXi firewall uses the default ruleset. What should the administrator do?

A. Open all firewall ports for the management subnet
B. Disable the ESXi firewall and use a network firewall
C. Modify the service console firewall rules
D. Use esxcli network firewall ruleset set to create an allowed IP list for the HTTP ruleset

Answer: D

This allows specific IPs while blocking others.

Why this answer

Option D is correct because the ESXi firewall allows creating allow rules for specific IP addresses via esxcli, which overrides the default deny. Option A is wrong because opening all ports is insecure. Option B is wrong because service console firewall is not used in modern ESXi.

Option C is wrong because disabling firewall is insecure.

Question 22 · Multi-Select · medium

Which TWO of the following are valid methods to restrict access to the ESXi host's Direct Console User Interface (DCUI) to authorized administrators only?

Select 2 answers
A. Disable SSH access on the host to prevent remote DCUI access.
B. Enable lockdown mode and add only authorized administrators to the Exception Users list.
C. Remove the root user from the DCUI local users list.
D. Set the advanced option 'DCUI.Access' to a list of authorized users.
E. Configure Active Directory integration and use group policy to disable DCUI.

Answers: B, D

Lockdown mode restricts DCUI access to users in the Exception Users list.

Why this answer

Options A and D are correct. Lockdown mode disables DCUI access for users who are not in the Exception Users list; configuring the DCUI.Access advanced option restricts which users can access the DCUI. Option B is incorrect because the root user cannot be removed from the DCUI.

Option C is incorrect because Active Directory integration does not restrict DCUI. Option E is incorrect because SSH access is separate from DCUI.

Question 23 · Multi-Select · hard

Which TWO actions are required to enable encrypted vSphere vMotion for all virtual machines in a cluster?

Select 2 answers
A. Set the vMotion encryption policy to 'Encrypt all data' in the cluster settings.
B. Configure a Key Management Server (KMS) for the cluster.
C. Enable Storage DRS on the cluster.
D. Ensure all ESXi hosts in the cluster are joined to the same Active Directory domain.
E. Set the vMotion encryption policy to 'Encrypt when supported' in the cluster settings.

Answers: A, D

This forces encryption for all vMotion traffic in the cluster.

Why this answer

Option A is correct because setting the vMotion encryption policy to 'Encrypt all data' in the cluster settings enforces encryption for all vMotion migrations within that cluster. This ensures that memory and state data transferred between ESXi hosts is protected using TLS 1.2, preventing eavesdropping or tampering during live migrations.

Exam trap

The trap here is that candidates often confuse the need for a KMS with vMotion encryption, but vMotion encryption uses host-based certificates and does not require an external KMS, unlike VM-level encryption or encrypted vSAN.

Question 24 · MCQ · medium

A company requires all vMotion traffic to be encrypted. The vSphere administrator enables vMotion encryption at the cluster level. What else must be configured to ensure vMotion operations are encrypted?

A. Allocate at least 4 GB of additional memory for cryptographic operations.
B. Upgrade all ESXi hosts to version 7.0 or later.
C. Enable VM Encryption also.
D. Ensure all VMs have virtual hardware version 11 or later.

Answer: D

Virtual hardware version 11 or later is required to support encrypted vMotion.

Why this answer

Option B is correct because for vMotion encryption to work, the VM’s virtual hardware must be version 11 or later. Option A is incorrect because encryption is independent of the VM's hardware version; still required. Option C is incorrect because, although one might expect ESXi hosts to need at least 3 GB of dedicated memory for crypto operations, vMotion encryption has no specific memory requirement.

Option D is incorrect because the hosts must be at least ESXi 6.5, not 7.0.

Question 25 · Multi-Select · medium

Which TWO of the following are best practices for securing a vSphere environment against ransomware attacks?

Select 2 answers
A. Implement a backup solution with immutable snapshots and offsite storage.
B. Enable vMotion encryption for all migrations.
C. Use VM snapshots as primary backup method.
D. Enable vSAN encryption to protect data at rest.
E. Configure the distributed firewall to allow all outbound traffic by default.

Answers: A, D

Immutable backups protect against ransomware altering or deleting backups.

Why this answer

Options A and C are correct. Enabling vSAN encryption protects data at rest; using backup software with immutable backups prevents deletion. Option B is incorrect because egress filtering is not default.

Option D is incorrect because snapshots are not backups and can be deleted. Option E is incorrect because vMotion is for migration, not security.

Question 26 · Multi-Select · hard

A security audit reveals that a vCenter Server has weak TLS configuration. The administrator needs to enforce strong ciphers and disable SSLv3. Which two steps should the administrator take? (Choose two.)

Select 2 answers
A. Use the vSphere Certificate Manager utility to replace the machine SSL certificate with a new one that uses strong ciphers.
B. Edit the registry on the vCenter Server to disable SSLv3.
C. Disable TLS 1.2 and enable only TLS 1.3 on all ESXi hosts.
D. Configure the TLS settings in the vSphere Web Client under Administration > Security.
E. Modify the Tomcat server.xml file on the vCenter Server to restrict ciphers and protocols.

Answers: A, E

This utility can update the TLS configuration.

Why this answer

Option A is correct because the vSphere Certificate Manager utility can be used to replace the machine SSL certificate with one that enforces strong ciphers, directly addressing the weak TLS configuration. This utility manages certificate operations and allows administrators to specify cipher strength during certificate generation or replacement, ensuring compliance with security policies.

Exam trap

The trap here is that candidates may confuse vCenter Server's Windows-based legacy behavior with its current Linux-based architecture, leading them to incorrectly select registry editing (Option B) instead of recognizing that Tomcat configuration files are the correct method.

Question 27 · MCQ · easy

An administrator wants to prevent direct root access to an ESXi host via SSH and the DCUI. Which two configurations are necessary?

A. Set the host to lockdown mode with root exception.
B. Disable DCUI and SSH services.
C. Configure SSO to require Smart Card authentication.
D. Enable lockdown mode and remove root from permissions.

Answer: D

Lockdown mode disables SSH/DCUI and removing root from permissions prevents any root login.

Why this answer

Option C is correct because enabling lockdown mode disables SSH and DCUI for root, and withdrawing the root user from permissions further restricts access. Option A is wrong because disabling DCUI but allowing SSH would still leave SSH open. Option B is wrong because locking down the host only disables DCUI and SSH but root still exists.

Option D is wrong because SSO configuration is not directly related to local root access.

Question 28 · MCQ · medium

An administrator needs to grant a group of vSphere administrators the ability to create and delete snapshots, and also to power on and off VMs, but not to delete VMs. The administrators should also be able to view the virtual machine console. Which custom role should be created?

A. Snapshot creation/removal, Power operations, Delete VM, ConsoleInteraction
B. Snapshot creation/removal, Power operations, VirtualMachine.Interact.ConsoleInteraction
C. Power operations, ConsoleInteraction only
D. Snapshot creation/removal, Power operations, Remove Disk, ConsoleInteraction

Answer: B

This set provides snapshot management, power actions, and console access without delete VM.

Why this answer

Option A is correct because the combination of privileges for snapshot operations, power operations, and console access is exactly what is needed. Option B includes Delete VM permission, which is not desired. Option C includes Remove Disk which is not requested.

Option D is too restrictive and does not include snapshot management.

Question 29 · MCQ · easy

A company wants to integrate vCenter Server with an external identity source to allow users to authenticate using their corporate credentials. The administrator must ensure that authentication traffic is encrypted. Which solution should the administrator implement?

A.Local OS authentication on vCenter Server
B.Active Directory over NTLM
C.Active Directory over LDAPS
D.Active Directory over LDAP
AnswerC

LDAPS uses SSL/TLS to encrypt authentication traffic.

Why this answer

Option C is correct because Active Directory over LDAPS encrypts authentication traffic with SSL/TLS. Option D is wrong because standard LDAP transmits credentials in plaintext. Option B is wrong because NTLM authentication is not supported as a direct identity source for vCenter Single Sign-On.

Option A is wrong because local OS authentication does not use corporate credentials.

30
MCQmedium

A vSphere administrator needs to ensure that all virtual machine disks are encrypted at rest. The environment uses a KMS cluster with multiple KMIP-compliant servers. The administrator has already configured a storage policy with encryption enabled. However, newly created VMs on a particular datastore still show unencrypted disks. What is the most likely cause?

A.The datastore is a vSAN datastore, which does not support VM-level encryption.
B.The KMS cluster must have at least two KMS servers to function correctly.
C.The datastore is formatted with VMFS6, which does not support encryption.
D.The storage policy with encryption is not assigned to the VMs or their home namespace.
AnswerD

The encryption-enabled storage policy must be explicitly assigned; otherwise, the default storage policy is used.

Why this answer

Option D is correct because even when a storage policy with encryption is configured, it must be explicitly assigned to the VMs or their home namespace (the VM's configuration and swap files). If the policy is not assigned, the VM will be created using the default datastore policy, which typically does not include encryption, resulting in unencrypted disks. The administrator must ensure the encryption-enabled policy is applied to the VM during creation or via a storage policy-based management (SPBM) assignment.

Exam trap

The trap here is that candidates assume configuring a storage policy with encryption is sufficient, but they forget that the policy must be explicitly assigned to the VM or its home namespace for encryption to take effect.

How to eliminate wrong answers

Option A is wrong because vSAN datastores fully support VM-level encryption (encryption at rest) when a KMS is configured and the appropriate storage policy is applied; vSAN does not preclude encryption. Option B is wrong because a KMS cluster can function with a single KMS server, though multiple servers are recommended for high availability; the question states a KMS cluster is already configured, so this is not the cause of unencrypted disks. Option C is wrong because VMFS6 fully supports VM-level encryption; encryption is a feature of the vSphere platform and the storage policy, not the VMFS version.

31
MCQeasy

A vSphere administrator wants to prevent users in a custom role from powering off virtual machines that have Fault Tolerance enabled. Which privilege must be removed from the custom role?

A.VirtualMachine.State.Suspend
B.VirtualMachine.Interrupt.PowerOff
C.VirtualMachine.Interrupt.Reset
D.VirtualMachine.Interrupt.PowerOn
AnswerB

This privilege allows powering off a VM; removing it prevents power off.

Why this answer

Option B is correct. The 'Power Off' privilege directly controls the ability to power off a VM. Option D is incorrect because 'Power On' is a separate action.

Option C is incorrect; 'Reset' also powers off but is not the primary control. Option A is incorrect because 'Suspend' is not powering off.

32
MCQhard

An administrator configures permissions as shown in the exhibit. Users 'user1' and 'user2' are in the 'Limited' role which only allows 'Read' and 'Console interaction' privileges. User1 reports being unable to open a console to a VM running on host2.domain.com. What is the most likely cause?

A.The 'Limited' role does not include 'Console interaction' privilege
B.User1 does not have permissions on host2.domain.com
C.The permissions are applied at the datacenter level, not the host level
D.User1 should be added to the admin group
AnswerB

Permissions are host-specific; user1 is only assigned on host1.

Why this answer

Option B is correct because user1 has permissions only on host1, not on host2. The 'Limited' role on host1 does not propagate to host2. Option A is wrong because the 'Limited' role does allow console interaction.

Option C is wrong because permissions are applied at the host level for the respective hosts. Option D is wrong because admin group membership is not mentioned.

33
MCQeasy

Refer to the exhibit. An administrator runs the vmkfstools command on an ESXi host and views the output. Which conclusion can be drawn from the output?

A.The datastore has approximately 50% free space.
B.The VMDK file is thin provisioned.
C.The datastore has a block size of 1 MB, which is the maximum for VMFS-6.
D.The virtual machine's disk is encrypted.
AnswerA

Correct: Volume free is half of volume capacity.

Why this answer

The vmkfstools command output shows the capacity and free space values for the datastore. In this case, the free space is approximately half of the total capacity, indicating roughly 50% free space. This is a direct calculation from the displayed numbers, not an inference about provisioning or encryption.

Exam trap

The trap here is that candidates often confuse datastore-level free space with VMDK-level provisioning attributes, assuming that a high free space percentage implies thin provisioning, when in fact thin provisioning is a separate property of the virtual disk file.

How to eliminate wrong answers

Option B is wrong because thin provisioning is a property of the VMDK file itself and is not directly shown in the basic vmkfstools capacity/free output; you would need to use 'vmkfstools -i' or check the disk descriptor for the 'thinProvisioned' flag. Option C is wrong because VMFS-6 supports a maximum block size of 1 MB, but the output does not display block size; block size is shown with 'vmkfstools -P -v 10' or similar commands. Option D is wrong because encryption status is not indicated in this output; encryption would require checking the VM's configuration or using 'vmkfstools -c' or 'vsan' encryption-related commands.

34
MCQhard

A company runs a critical e-commerce platform on a vSphere 7 cluster with ESXi hosts connected to a vSAN datastore. The environment uses vSphere Trust Authority (vTA) and VM encryption with an external KMS. Recently, after a successful vTA attestation, one of the VMs (WebServer-01) failed to power on with the error: 'Unable to decrypt the encrypted virtual machine upon re-registration. Reason: The KMS server is unreachable.' The administrator verifies that other encrypted VMs on the same host power on successfully. The KMS cluster consists of two servers: KMS-01 and KMS-02, both accessible from the management network. The administrator checks the VM's configuration and finds that it uses a custom storage policy with encryption. What is the most likely cause of this specific VM's failure?

A.The vCenter Server's KMS cluster configuration has been deleted, affecting all VMs but not this one.
B.The storage policy used by the VM has been modified and no longer includes encryption.
C.The vTA attestation process failed for the VM's host, but the error message is misleading.
D.The VM's encryption key was retrieved from a different KMS server that is now unavailable, and the key ID in the VM's metadata points to that KMS server.
AnswerD

If the KMS server list in the VM's configuration is not updated, the host tries to contact the wrong KMS.

Why this answer

Option D is correct. The VM's encryption key is cached on the host only if it was previously powered on; if the host was rebooted or the cache cleared, it must fetch the key from the KMS. The error indicates the KMS is unreachable for this VM, but other VMs work, suggesting the host can reach the KMS.

However, if the VM's encryption key is associated with an older KMS key ID that is no longer present, or the KMS server specified in the VM's configuration is different (e.g., from a previous KMS setup), the host may try to contact a different KMS server. Option C is incorrect because vTA attestation is separate. Option B is incorrect because the storage policy is in use.

vCenter SSO is not involved in decryption, so an SSO problem is not the cause either.

35
MCQhard

A company has a vSphere environment with 20 ESXi hosts and 500 VMs. The security team mandates that all administrative access to vCenter Server must be through a single, highly restricted account with multi-factor authentication (MFA). The account must be used for both the vSphere Client and API integrations. Which step should the administrator take?

A.Configure the built-in administrator account to require smart card authentication.
B.Integrate vCenter Server with an external identity provider (e.g., ADFS, Okta) that supports MFA, and use a service account with MFA for API access.
C.Create a new local account and configure it as a member of the Administrators group, then enforce MFA via a third-party tool on the vCenter Server OS.
D.Disable the built-in administrator account and create a new local account with the same privileges.
AnswerB

External identity providers can enforce MFA and work with both UI and API access.

Why this answer

Option B is correct because integrating vCenter Server with an external identity provider (IdP) such as ADFS or Okta allows the use of a single service account that supports multi-factor authentication (MFA) for both the vSphere Client and API integrations. This approach meets the security mandate by centralizing authentication through an IdP that enforces MFA, while also supporting OAuth 2.0 token-based API access, which is required for modern vSphere API integrations. The built-in administrator account cannot be directly configured with MFA in a way that satisfies both interactive and API access requirements without external integration.

Exam trap

The trap here is that candidates assume the built-in administrator account can be directly configured with MFA for all access types, but vCenter Server does not natively support MFA for local accounts or API integrations without an external identity provider.

How to eliminate wrong answers

Option A is wrong because configuring the built-in administrator account for smart card authentication only enforces certificate-based MFA for interactive logins, but it does not support MFA for API integrations, which typically require token-based or challenge-response mechanisms. Option C is wrong because creating a new local account and enforcing MFA via a third-party tool on the vCenter Server OS is not supported; vCenter Server runs on a hardened Photon OS or appliance, and local accounts cannot be integrated with external MFA solutions for API access. Option D is wrong because disabling the built-in administrator account and creating a new local account does not enable MFA; local accounts in vCenter Server do not support MFA natively, and this approach fails to address the requirement for MFA on API integrations.

36
MCQhard

A financial institution operates a vSphere 7 environment with 1,000 VMs, many of which process sensitive data. The security team mandates VM encryption at rest using a Key Management Server (KMS) cluster. The administrator has configured the KMS cluster as a key provider in vCenter and enabled encryption on a test VM, which works correctly. However, after adding a new ESXi host to the cluster and attempting to power on a previously encrypted VM, the VM fails to start with the error: 'Key provider unavailable for host <hostname>.' The new host is correctly licensed for encryption and has network connectivity to the KMS. The administrator verifies that the KMS cluster is operational and that other hosts can power on encrypted VMs. What is the most likely cause of this issue?

A.The ESXi host has not been added to the Key Provider's trust list or KMS configuration.
B.The ESXi host's firewall is blocking outbound connections to the KMS cluster.
C.The ESXi host does not have the required encryption feature license.
D.The VM's encryption policy is set to 'vSphere Native Key Provider' instead of 'KMS'.
AnswerA

Hosts must be trusted by the KMS to retrieve keys; a newly added host is not automatically trusted.

Why this answer

Option A is correct because when a new ESXi host is added, it must be explicitly added to the Key Provider's trust list (or the KMS must be configured to trust the host's certificate). Without this, the host cannot retrieve keys. Option B is wrong because the host has network connectivity to the KMS, as verified.

Option D is wrong because the error is about key provider availability, not policy. Option C is wrong because the host is correctly licensed.

37
Multi-Selecteasy

Which TWO actions are recommended to secure the vCenter Server Appliance (VCSA)?

Select 2 answers
A.Enable the auto-lock feature for the admin account
B.Change the default 'root' password
C.Disable SSH access
D.Configure the password policy for local accounts
E.Enable FIPS 140-2 compliance mode
AnswersB, C

Default passwords should be changed.

Why this answer

Option B is correct because changing the default 'root' password is a fundamental security best practice for the VCSA. The default password is well-known and documented, leaving the appliance vulnerable to unauthorized access if not changed immediately after deployment. This action directly mitigates the risk of brute-force or credential-based attacks against the root account.

Exam trap

The trap here is that candidates often confuse 'recommended security actions' with 'all possible security configurations,' leading them to select options like enabling FIPS or configuring password policies, which are not the two primary actions emphasized in VMware's official security hardening guidance for the VCSA.

38
Multi-Selecteasy

Which TWO actions are required to enable vSphere VM encryption? (Choose two.)

Select 2 answers
A.Configure a Key Management Server (KMS) or native key provider
B.Enable SSH on each ESXi host to manage encryption keys
C.Disable vMotion on the cluster
D.Assign an encryption storage policy to the virtual machine or enable encryption on the VM
E.Place the ESXi hosts in lockdown mode
AnswersA, D

A key provider is necessary to store and manage encryption keys.

Why this answer

Options A and D are correct. A key provider (KMS) must be configured and associated with the vCenter Server, and then encryption must be enabled on the VM (via storage policy or directly). Option C is wrong because encryption does not require disabling vMotion.

Option B is wrong because SSH access is not required. Option E is wrong because host lockdown mode is unrelated.

39
MCQmedium

An organization is deploying vCenter Server in a DMZ. Which security best practice should the administrator implement to protect the vCenter Server appliance?

A.Join the vCenter Server to the corporate Active Directory domain
B.Enable SSH for remote administration
C.Enable FIPS 140-2 mode on the vCenter Server appliance
D.Delete the root user account
AnswerC

FIPS mode enforces strong cryptography.

Why this answer

Option C is correct because enabling FIPS mode on the appliance ensures cryptographic compliance and strengthens security. Option A is wrong because joining Active Directory may introduce attack surface. Option B is wrong because vCenter does not use SSH by default for management.

Option D is wrong because the root account should not be deleted; the appliance uses the 'root' user, and best practice is to limit its use, not remove it.

40
Multi-Selecthard

A company is implementing vSphere with Tanzu for containerized workloads. To secure the workload management plane, which THREE security features should be configured? (Choose three.)

Select 3 answers
A.Pod Security Policies
B.vCenter Single Sign-On
C.Content Library
D.vSphere Native Key Provider
E.Network Policies
AnswersA, D, E

Enforces security standards for pods.

Why this answer

Options A, D, and E are correct. Pod Security Policies enforce security standards for pods. vSphere Native Key Provider enables encryption for Kubernetes objects. Network Policies control traffic between pods.

Option B is incorrect because vCenter SSO is already in place for authentication, not a new feature. Option C is incorrect because Content Library is for content management, not security.

41
MCQhard

A vSphere environment uses Active Directory for authentication. The administrator notices that users from a specific AD group cannot log in to the vCenter Server, although other AD users can. The group is added to vCenter Server with the correct permissions. What is the most likely cause?

A.The users are not members of the vCenter Single Sign-On domain
B.The user accounts have expired passwords
C.The group is nested within another group
D.The domain of the group is not configured as an identity source in vCenter Single Sign-On
AnswerD

Without the identity source, authentication fails.

Why this answer

The most likely cause is that the domain of the group is not configured as an identity source in vCenter Single Sign-On. Even if the group is added with correct permissions in vCenter Server, vCenter SSO must be able to authenticate users against the domain. Without the domain listed as an identity source, vCenter cannot validate the credentials of users from that group, causing authentication failures for all users in that domain.

Exam trap

The trap here is that candidates often assume that adding a group to vCenter permissions is sufficient for authentication, overlooking the prerequisite that the group's domain must first be registered as an identity source in vCenter Single Sign-On.

How to eliminate wrong answers

Option A is wrong because vCenter Single Sign-On domains are not the same as Active Directory domains; users are not members of the SSO domain unless they are explicitly created there, and the question states the users are from an AD group, meaning they are AD users, not SSO domain users. Option B is wrong because expired passwords would affect individual users, not an entire group, and the symptom is that all users from the specific group cannot log in, which points to a domain-level issue rather than individual password expiration. Option C is wrong because nested groups are fully supported in Active Directory and vCenter Server; if the group is nested within another group, the permissions would still apply as long as the parent group has the correct permissions, and this would not cause a complete authentication failure for all users in the group.

42
MCQhard

A vSphere administrator is preparing for a PCI DSS audit. The auditor requires that all virtual machine disks be encrypted at rest. The environment uses vSAN with storage policies. Which storage policy-based management (SPBM) rule should be applied to ensure encryption?

A.Set the rule 'EncryptionEnabled' to 'True'.
B.Set the rule 'SPBM.Encryption' to 'Enabled'.
C.Set the rule 'VSAN.encryption' to 'Required'.
D.Set the rule 'VSAN.encryption' to 'Yes'.
AnswerD

This is the correct SPBM rule to enable vSAN encryption for a VM storage policy.

Why this answer

Option D is correct. vSAN storage policies include a rule for encryption; setting it to 'Yes' ensures all VMs using that policy are encrypted. Option B is incorrect because 'SPBM.Encryption' is not a valid rule. Option A is incorrect because 'EncryptionEnabled' is not a standard rule.

Option C is incorrect because the rule must be set to 'Yes', not 'Required', to enable encryption.

43
MCQmedium

A vSphere administrator is troubleshooting a permissions issue. A user named 'backup_admin' is a member of the AD group 'Backup Operators'. The group has been assigned a custom role at the datacenter level with the following privileges: Virtual machine > Provisioning > Create snapshot, Virtual machine > State > Create, Revert, Remove snapshot. The user can see all VMs in the 'Production' folder but cannot see VMs in the 'Development' folder, even though both folders are under the same datacenter. The administrator confirms that no other permissions exist for this user or group, and propagation is enabled. What is the most likely reason the user cannot see the Development VMs?

A.The user's permissions are inherited from a different group that denies access.
B.The user's group lacks the 'System > View' privilege on the Development folder.
C.The user's role does not include the 'Folder > Create' privilege.
D.The user's group has been assigned 'No Access' on the Development folder.
AnswerB

The user cannot see objects if they don't have the View privilege on the parent folder.

Why this answer

Option B is correct. To see objects in vCenter, a user must have the 'System > View' privilege on the object. Even if the user has permissions on the VMs, they cannot see them if they lack the 'View' privilege on the parent folder, which is what the user most likely lacks on the Development folder.

Option C is wrong because 'Folder > Create' is not required to see existing folders. Option A is wrong because the administrator confirmed that no other permissions exist for this user or group, so there is no inherited deny. Option D is wrong because if 'No Access' were assigned, the user wouldn't see any objects; but they see Production, so the Development folder likely has an explicit permission that doesn't include View.

44
MCQmedium

An administrator is adding an ESXi host to vCenter Server and is prompted to verify the host's certificate thumbprint. The administrator compares it to the output above and it matches. However, the add operation fails with a certificate verification error. What else could be the issue?

A.The vCenter Server's certificate is invalid
B.The certificate has expired
C.The certificate is not signed by a trusted Certificate Authority
D.The certificate common name does not match the hostname
AnswerD

If the certificate's CN does not match the host's FQDN, vCenter will reject the certificate during verification.

Why this answer

Option D is correct because if the certificate common name (CN) does not match the ESXi host's fully qualified domain name (FQDN) or IP address, vCenter Server will reject the certificate even if the thumbprint is correct. Option B is unlikely because the thumbprint would change if the certificate had expired; Option C is not directly related because self-signed certificates are accepted with thumbprint verification; Option A is incorrect because the error is about the host certificate, not vCenter's.

45
MCQmedium

An administrator is configuring a distributed switch and needs to ensure that all virtual machine traffic on a specific VLAN is isolated. The administrator creates a port group with VLAN ID 100. However, a security scanner reports that packets from this VLAN are appearing on other VLANs. Which security policy setting on the distributed switch should the administrator verify?

A.MAC address changes
B.Forged transmits
C.VLAN trunking
D.Promiscuous mode
AnswerC

VLAN trunking ensures proper tagging.

Why this answer

The VLAN trunking policy on a distributed switch controls whether a port group can pass multiple VLAN IDs (trunk mode) or is restricted to a single VLAN (access mode). When VLAN trunking is enabled, the port group may forward traffic from VLAN 100 onto other VLANs if the virtual switch is configured to allow it, breaking isolation. The administrator should verify that VLAN trunking is disabled (set to 'Reject') to ensure strict VLAN isolation.

Exam trap

The trap here is that candidates confuse VLAN trunking (which controls multi-VLAN forwarding) with promiscuous mode (which controls traffic visibility), leading them to incorrectly select promiscuous mode as the cause of VLAN leakage.

How to eliminate wrong answers

Option A is wrong because MAC address changes policy controls whether a virtual machine can change its MAC address, which is unrelated to VLAN traffic leaking between VLANs. Option B is wrong because forged transmits policy prevents a VM from sending frames with a source MAC address different from its own, which does not affect VLAN isolation. Option D is wrong because promiscuous mode allows a VM to see all traffic on the port group, but it does not cause traffic from one VLAN to appear on another VLAN.

46
MCQmedium

A security administrator notices that a virtual machine (VM) running a legacy application is experiencing network connectivity issues after enabling Network I/O Control (NIOC) on the distributed switch. The VM is in a high-priority traffic class for management traffic. What is the most likely cause of the issue?

A.NIOC is blocking the VM's MAC address due to a security policy.
B.The VM is assigned to the management traffic class, but its traffic should be in a different class, causing bandwidth throttling.
C.The VM is using jumbo frames, which are not supported with NIOC.
D.The virtual switch has promiscuous mode enabled, which conflicts with NIOC.
AnswerB

NIOC classes limit bandwidth; wrong class assignment can restrict traffic.

Why this answer

Option B is correct. NIOC traffic classes limit bandwidth per class; if the VM is in the wrong class (management instead of the correct class for its traffic), it may be throttled. Option C is incorrect because NIOC does not require jumbo frames.

Option A is incorrect because NIOC does not affect MAC learning. Option D is incorrect because NIOC does not block promiscuous mode; that's a security policy.

47
MCQmedium

An administrator is troubleshooting a failed VM encryption operation. The key provider status shows as 'Not Responding' in the vSphere Web Client. The administrator has verified network connectivity between the ESXi hosts and the key provider. What is the most likely cause of the failure?

A.The vCenter Server certificate has expired
B.The firewall on the key provider is blocking port 443
C.The ESXi hosts cannot reach the internet
D.The key provider certificate is expired or invalid
AnswerD

Expired or invalid KMS certificate causes hosts to reject connections.

Why this answer

Option D is correct because the key provider certificate may be expired or invalid, causing the hosts to reject the connection even if the network is reachable. Option C is wrong because ESXi hosts do not need an internet connection for an on-premises KMS. Option A is wrong because vCenter Server does not manage key provider certificates directly.

Option B is wrong because a firewall rule blocking the correct port would typically show as 'Unreachable' rather than 'Not Responding'.

48
MCQmedium

An administrator notices that HTTP connections to the ESXi host are timing out frequently. Based on the exhibit, which configuration change would most likely resolve the issue?

A.Increase maxKeepAliveTimeout to a higher value, such as 180
B.Restart the rhttpproxy service
C.Set useProxy to true and specify a proxy server
D.Set maxKeepAliveTimeout to 0 to disable keepalive
AnswerA

A longer timeout prevents premature disconnection.

Why this answer

Option A is correct because maxKeepAliveTimeout is set to 100 seconds, which is the default but may be too low for environments with long-running connections; increasing it can reduce timeouts. Option C is wrong because enabling a proxy is not needed. Option D is wrong because keepalive is already enabled by default and disabling it would worsen the issue.

Option B is wrong because restarting rhttpproxy without changing the timeout would not help.

49
MCQhard

A company uses an external Platform Services Controller (PSC) in a vSphere 6.7 environment. They plan to upgrade to vSphere 7.0. Which security-related consideration is most important?

A.The external PSC will automatically convert to an embedded PSC during upgrade.
B.The external PSC is deprecated; it must be converged into the vCenter Server.
C.The SSL certificates for the PSC must be reissued from a new CA.
D.The STS certificates need to be replaced with custom ones immediately after upgrade.
AnswerB

vSphere 7.0 does not support external PSCs.

Why this answer

Option B is correct because vSphere 7.0 removes the external PSC model; all services are embedded. Option A is incorrect because there is no migration wizard that automatically converts an external PSC to embedded during the upgrade. Option C is incorrect because vSphere 7.0 still uses VECS.

Option D is incorrect because STS certificates can be managed within the embedded PSC.

50
MCQeasy

An administrator wants to configure the ESXi host firewall to allow connections only from a specific management subnet. How can this be achieved?

A.Enable vSphere HA and set it to control management traffic.
B.Use the ESXi firewall settings to define allowed IP addresses for the required services.
C.Configure the DCUI to restrict management access.
D.Set the firewall to enabled and allow all incoming connections.
AnswerB

The ESXi firewall allows per-rule IP-based restrictions.

Why this answer

Option B is correct because the ESXi firewall can be configured with rule sets that allow traffic only from specific IP addresses or subnets. Option D is incorrect because allowing all incoming connections would be too permissive. Option C is incorrect because the DCUI is for direct console access, not firewall rules.

Option A is incorrect because vSphere HA is not related to firewall configuration.

51
MCQeasy

An administrator runs the command shown in the exhibit on a vCenter Server appliance. What is the primary purpose of the Machine ID?

A.To calculate workload distribution in DRS
B.To identify an ESXi host to vCenter Server
C.To serve as a unique identifier for the vCenter Server instance in SSO
D.To uniquely identify a virtual machine for vMotion
AnswerC

Machine ID is used in SSO and certificate operations.

Why this answer

Option C is correct because the Machine ID is a unique identifier for the vCenter Server instance, used for SSO and certificate management. Option D is wrong because the Machine ID is not used for vMotion. Option B is wrong because it is not used for host identification.

Option A is wrong because it is not used for DRS.

52
MCQeasy

A vSphere administrator needs to restrict access to a specific cluster so that only the storage team can manage datastores. The storage team members are in a group called 'storage_team' in Active Directory. What is the best practice to achieve this?

A.Create a custom role with required Datastore privileges and assign it to the 'storage_team' group at the cluster level.
B.Create an SSO group for the storage team and assign the default 'ReadOnly' role at the cluster level.
C.Assign the 'storage_team' group a role with Datastore privileges at the vCenter level using global permissions.
D.Add each member of the storage team to the local Administrators group on the vCenter Server.
AnswerA

This is correct because it provides granular, least-privilege access at the appropriate scope.

Why this answer

Option A is correct because creating a custom role with Datastore privileges and assigning it at the cluster level provides the most granular and least-privileged access. Option C is wrong because global permissions apply to all objects, granting too broad access. Option D is wrong because the Administrators group grants full access, violating the principle of least privilege.

Option B is wrong because SSO groups do not define privileges by themselves; they must be linked to a role that grants the required access.

53
MCQeasy

A vSphere administrator needs to ensure that all HTTPS traffic to ESXi hosts is encrypted using TLS 1.2. Where should the administrator configure the minimum TLS version?

A.Host Advanced Settings (Config.HostAgent.plugins.vimsvc.auth.minTLSVersion)
B.Security Profile in the vSphere Client
C.vCenter Server Appliance (VAMI) web interface
D.ESXi Firewall rules
AnswerA

This advanced setting controls the minimum TLS version.

Why this answer

Option A is correct because the minimum TLS version for ESXi host HTTPS traffic is configured via the host advanced setting `Config.HostAgent.plugins.vimsvc.auth.minTLSVersion`. This setting directly controls the TLS protocol version used by the ESXi host's HTTP services, including the vSphere Client and API endpoints, ensuring only TLS 1.2 or higher is accepted.

Exam trap

The trap here is that candidates confuse the ESXi host's TLS configuration (set via advanced settings) with vCenter Server's TLS configuration (set via VAMI), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option B is wrong because the Security Profile in the vSphere Client manages firewall rules and service startup policies, not TLS protocol version settings. Option C is wrong because the VAMI web interface configures vCenter Server Appliance services (e.g., vCenter Single Sign-On, licensing), not the TLS version of individual ESXi hosts. Option D is wrong because ESXi Firewall rules control network traffic filtering (allow/deny by port/protocol), not encryption parameters like TLS version.

54
MCQmedium

An administrator is troubleshooting a situation where a virtual machine cannot be powered on. The error message indicates insufficient permissions. The VM is in a folder named 'Production' and the administrator has been assigned a custom role with 'Virtual machine > Power On' permission at the folder level. However, the VM is also in a resource pool. What additional permission is most likely missing?

A.Network > Assign network permission on the network
B.Resource > Assign virtual machine to resource pool permission on the resource pool
C.Datastore > Allocate space permission on the datastore
D.Virtual machine > Configuration permission on the VM
AnswerB

This permission is necessary to assign the VM to the resource pool during power on.

Why this answer

To power on a virtual machine that resides in a resource pool, the user must have the 'Resource > Assign virtual machine to resource pool' permission on that resource pool. Even though the user has 'Virtual machine > Power On' at the folder level, the VM's association with the resource pool introduces an additional authorization check. Without this resource pool permission, the power-on operation fails with an insufficient permissions error.

Exam trap

The trap here is that candidates assume folder-level permissions cascade fully to all operations, but vSphere enforces a 'least privilege' model where resource pool membership requires explicit assignment rights, even if the VM already exists in the pool.

How to eliminate wrong answers

Option A is wrong because 'Network > Assign network' is required only when attaching a VM to a network, not for the power-on operation itself. Option C is wrong because 'Datastore > Allocate space' is needed for creating or registering a VM or for snapshot operations, not for powering on an existing VM. Option D is wrong because 'Virtual machine > Configuration' covers changes to VM settings (e.g., CPU, memory), but the specific missing permission here is the resource pool assignment right, not a general configuration right.

55
Multi-Selecthard

Which THREE of the following are prerequisites for configuring vSAN encryption? (Choose three.)

Select 3 answers
A.vSphere Enterprise Plus license.
B.Intel Software Guard Extensions (SGX) on ESXi hosts.
C.All-flash disk group configuration.
D.A Key Management Server (KMS) supporting KMIP protocol.
E.TPM 2.0 chip on each ESXi host.
AnswersA, D, E

vSAN encryption is available with Enterprise Plus and above.

Why this answer

Options A, D, and E are correct. Option D: vSAN encryption requires a KMS (KMIP) to manage keys. Option E: the ESXi hosts must have TPM 2.0 for a hardware root of trust.

Option A: vSAN encryption requires an Enterprise Plus license (or an equivalent such as VCF). Option B is incorrect because vSAN encryption does not require Intel SGX. Option C is incorrect because vSAN encryption is supported with all-flash or hybrid configurations; it does not require all-flash.

56
MCQeasy

An administrator is troubleshooting a failed attempt to add an ESXi host to a vCenter Server domain. The error message states: 'The host's certificate has been tampered with or is invalid.' What is the most likely cause?

A.The vCenter Server's account lockout policy has been triggered.
B.The ESXi host's SSH keys have been rotated.
C.The ESXi host's certificate has expired.
D.The ESXi host's certificate thumbprint does not match the thumbprint stored in vCenter Server.
AnswerD

This mismatch causes the 'tampered' error.

Why this answer

The error 'The host's certificate has been tampered with or is invalid' occurs when the ESXi host presents a certificate whose thumbprint does not match the thumbprint that vCenter Server has stored for that host. This mismatch can happen if the host's certificate was replaced (e.g., due to a reinstall or manual rotation) without updating the vCenter Server's trusted store. vCenter Server verifies the host's identity by comparing the SHA-1 or SHA-256 thumbprint of the presented certificate against its stored record; a mismatch triggers this specific error.

Exam trap

The trap here is that candidates often confuse certificate expiration with thumbprint mismatch, but the error message 'tampered with or invalid' specifically points to a thumbprint mismatch rather than a date-based validity issue.

How to eliminate wrong answers

Option A is wrong because an account lockout policy would produce a different error, such as 'Login failed' or 'Access denied', not a certificate tampering message. Option B is wrong because SSH keys are used for SSH authentication, not for the SSL/TLS certificate validation that occurs during host addition to vCenter Server; rotating SSH keys does not affect certificate thumbprint matching. Option C is wrong because an expired certificate would generate an error like 'Certificate has expired' or 'Certificate is not yet valid', not a 'tampered with or invalid' message, which specifically indicates a thumbprint mismatch rather than a validity period issue.

57
MCQmedium

A company is implementing vSphere 7.0 and wants to encrypt all vMotion traffic between ESXi hosts in a cluster. The cluster is not using any other encryption features. What is the minimum requirement to enable vMotion encryption?

A.A VM Encryption Key Management Server must be configured.
B.The ESXi hosts must be joined to an Active Directory domain.
C.The ESXi hosts must have a host profile applied with encryption enabled.
D.The cluster must be configured with Enhanced vMotion Compatibility (EVC).
AnswerB

Correct: vMotion encryption uses certificates from the domain to establish encrypted tunnels.

Why this answer

In vSphere 7.0, vMotion encryption can be enabled without any additional infrastructure by setting the vMotion encryption policy to 'Required' or 'Opportunistic' on the ESXi host's advanced system settings. The minimum requirement is that the ESXi hosts must be joined to an Active Directory domain, because vMotion encryption relies on Kerberos authentication (RFC 4120) to establish a secure channel between hosts. This eliminates the need for a separate Key Management Server (KMS) for vMotion traffic alone, as the domain provides the necessary trust and key exchange mechanism.

Exam trap

The trap here is that candidates often assume vMotion encryption requires a Key Management Server (KMS) because they conflate it with VM-level encryption, but vMotion encryption is a separate feature that leverages Active Directory Kerberos instead.

How to eliminate wrong answers

Option A is wrong because a VM Encryption Key Management Server is required for encrypting virtual machine disks (VM-level encryption), not for vMotion traffic; vMotion encryption uses Kerberos from Active Directory, not a KMS. Option C is wrong because a host profile is a management tool for applying consistent configurations across hosts, but it is not a prerequisite for enabling vMotion encryption; the encryption setting can be configured directly on each host via advanced system parameters (e.g., 'VMkernel.Boot.vmotionEncryption'). Option D is wrong because Enhanced vMotion Compatibility (EVC) ensures CPU compatibility for live migrations but has no role in encrypting vMotion traffic; EVC does not provide any encryption or authentication mechanism.

58
MCQhard

A multinational corporation runs a vSphere environment with 100 ESXi hosts managed by a single vCenter Server. The security team mandates that all virtual machine disks (VMDKs) must be encrypted at rest. The administrator enables vSphere Virtual Machine Encryption and creates a Key Management Server (KMS) cluster. After encrypting a test VM, the VM powers on successfully, but the administrator notices that the VM's configuration files (VMX, NVRAM) are not encrypted. The security policy requires that all VM files, including configuration files, be encrypted. The administrator checks the VM storage policy and sees that the policy is set to 'VM Encryption Policy' with 'Disk Encryption' enabled. What should the administrator do to ensure the entire VM is encrypted?

A.Modify the VM storage policy to include encryption of VM home files
B.Enable encryption on the datastore where the VM resides
C.Add a second KMS cluster for redundancy
D.Enable vSphere Host Encryption on each ESXi host
AnswerA

The policy must include 'Virtual Machine Home' encryption.

Why this answer

The VM storage policy 'VM Encryption Policy' with only 'Disk Encryption' enabled encrypts VMDK files but not the VM configuration files (VMX, NVRAM, logs, etc.). To encrypt all VM files, the storage policy must include the 'Encrypt VM home files' option, which applies encryption to the entire VM home directory on the datastore. This ensures compliance with the security mandate for full VM encryption at rest.

Exam trap

The trap here is that candidates assume 'VM Encryption Policy' with 'Disk Encryption' covers all VM files, but VMware explicitly separates disk encryption from home file encryption in the storage policy settings.

How to eliminate wrong answers

Option B is wrong because datastore-level encryption (e.g., vSAN encryption or Storage DRS encryption) is a separate feature that encrypts the entire datastore, but it does not selectively encrypt VM home files when using VM Encryption Policy; the policy must explicitly include home file encryption. Option C is wrong because adding a second KMS cluster provides redundancy for key management but does not affect which VM files are encrypted; the encryption scope is defined by the storage policy, not the KMS topology. Option D is wrong because vSphere Host Encryption encrypts host memory and vMotion traffic, not VM files at rest on the datastore; it does not address VMDK or configuration file encryption.

59
MCQhard

An organization is implementing vSphere Trust Authority for sensitive workloads. The administrator must configure the trusted ESXi hosts to attest to vCenter Server. Which component is responsible for performing attestation?

A.The administrator's workstation
B.A separate vCenter Server instance acting as the Trust Authority
C.The Key Provider (KMS) server
D.The trusted ESXi hosts themselves
AnswerB

The Trust Authority vCenter performs host attestation.

Why this answer

Option B is correct because vSphere Trust Authority uses a dedicated vCenter Server (the Trust Authority vCenter) to perform attestation of ESXi hosts. Option A is wrong because the workstation is not part of the trust chain. Option D is wrong because the trusted ESXi hosts themselves do not perform attestation; they are the objects being attested.

Option C is wrong because the Key Provider is used for encryption keys, not attestation.

60
MCQmedium

During a security audit, it is found that the vCenter Server is using the default self-signed certificate. The administrator is tasked to replace it with a certificate from an enterprise CA. What is the first step after obtaining the CA-signed certificate?

A.Convert the certificate and private key into PEM format and place them in the appropriate directory.
B.Use the vSphere Web Client to upload the certificate.
C.Import the private key into the Windows Certificate Store.
D.Restart the VMware Certificate Service.
AnswerA

vCenter expects PEM files for certificates and keys.

Why this answer

Option A is correct because the certificate must be in a format that vCenter can use; typically, it is combined with the private key as PEM files. Option B is incorrect because uploading is premature before the certificate is prepared, and the import is done via certificate management tools rather than the vSphere Web Client.

Option C is incorrect because the private key is produced during the signed certificate generation process, not imported separately into a certificate store.

61
Multi-Selectmedium

An administrator is configuring vSphere Trust Authority (vTA) to secure ESXi hosts in a sensitive environment. Which TWO components are required for a vTA deployment? (Choose two.)

Select 2 answers
A.Trusted Host Cluster
B.Certificate Authority (CA)
C.Attestation Service
D.Key Management Server (KMS)
E.Key Provider
AnswersC, E

Required to verify host trust status.

Why this answer

Options C and E are correct. vTA requires an Attestation Service to verify host trust and a Key Provider to manage keys. Option A is incorrect because a Trusted Host Cluster is a concept, not a component. Option D is incorrect because a KMS is used for VM encryption, not vTA.

Option B is incorrect because a Certificate Authority is not a required component of vTA.

62
MCQeasy

An administrator needs to ensure that a service account used for vCenter Server backups has the minimum required privileges. The account should only be able to perform backup and restore operations. Which role should be assigned?

A.ReadOnly
B.Administrator
C.BackupOperator
D.NoAccess
AnswerC

This role is specifically designed for backup and restore operations with minimal privileges.

Why this answer

Option C is correct. The 'BackupOperator' role (or 'VR Backup Operator' in some contexts) provides the permissions needed for backup and restore. Option B is incorrect because 'Administrator' has full access.

Option A is incorrect because 'ReadOnly' cannot perform backups. Option D is incorrect because 'NoAccess' denies all permissions.

63
MCQmedium

An organization is using vSphere Trust Authority (vTA) to secure ESXi hosts. A newly added ESXi host fails to attest with the Trust Authority. The administrator verifies that the host is connected to the vTA cluster and the trust relationship is configured. What is the most likely cause of the attestation failure?

A.The Trust Authority's network is isolated from the ESXi host's management network.
B.The ESXi host is not in the same cluster as the Trust Authority.
C.The ESXi host does not have a virtual Trusted Platform Module (vTPM) attached.
D.The TPM on the ESXi host is disabled or not properly initialized.
AnswerD

vTA attestation requires a functional TPM; if disabled, attestation fails.

Why this answer

Option D is correct. The host's TPM must be enabled and properly configured for vTA attestation. Option B is incorrect because the host can be in a different cluster as long as it is trusted.

Option C is incorrect because vTA uses the host's physical TPM, not a vTPM. Option A is incorrect because the trusted infrastructure hosts do not require special networking beyond connectivity.

64
Drag & Dropmedium

Order the steps to take a snapshot of a virtual machine.


Why this order

Initiate snapshot, name it, choose memory and quiesce options, then confirm.

65
Multi-Selectmedium

Which THREE security hardening measures should be applied to an ESXi host? (Choose three.)

Select 3 answers
A.Increase memory resource allocation for management VMs
B.Enable lockdown mode
C.Enable SNMP v3
D.Apply a host profile for security settings
E.Disable ESXi Shell and SSH services
AnswersB, D, E

Restricts direct host access.

Why this answer

Options B, D, and E are correct. Enabling lockdown mode restricts direct access, disabling ESXi Shell/SSH reduces the attack surface, and a host profile ensures consistent security settings. Option C is wrong because SNMP is a management protocol that does not primarily provide security.

Option A is wrong because increasing memory allocation does not improve security.

66
Multi-Selecteasy

Which two actions can be performed to restrict access to the ESXi host Direct Console User Interface (DCUI)? (Choose two.)

Select 2 answers
A.Disable the DCUI service
B.Enable lockdown mode
C.Add users to the DCUI exception list
D.Remove the root user from the local password store
E.Set DCUI access to 'Strict'
AnswersB, E

Lockdown mode disables direct DCUI access except for exception users, thus restricting access.

Why this answer

Lockdown mode (option B) disables direct DCUI access, and Strict mode (option E) further restricts access to only exception users. Option A is incorrect as enabling lockdown mode is already a restriction; option C is incorrect because exception users are allowed access; option D is incorrect as removing root may lock out all access but is not a standard method. The correct answers are B and E.

67
MCQhard

A company uses vSphere with Tanzu to run container workloads. The security team requires that all container traffic between namespaces be encrypted. What is the best approach to achieve this?

A.Use the NSX Container Plugin with IPsec to encrypt traffic.
B.Enable vSAN encryption to encrypt data at rest and assume it covers in-transit traffic.
C.Deploy NSX-T and enable the Network Encryption feature for East-West traffic.
D.Install a third-party CNI like Calico with IPsec enabled.
AnswerC

NSX-T provides encryption for container overlay traffic as part of its micro-segmentation capabilities.

Why this answer

Option C is correct. NSX-T provides micro-segmentation and encryption for container traffic. Option B is incorrect because vSAN encryption protects data at rest, not in transit.

Option A is incorrect because the NSX Container Plugin has been deprecated in favor of NSX-T. Option D is incorrect because Calico is not native and does not offer the same integration with vSphere with Tanzu.

68
MCQhard

During a security audit, it is discovered that a vCenter Server instance is using the default self-signed certificate. The company policy requires all certificates to be signed by an internal enterprise CA. An administrator has imported the CA chain into the VMware Endpoint Certificate Store (VECS) and generated a Certificate Signing Request (CSR). After receiving the signed certificate from the CA, which additional step is required to complete the certificate replacement?

A.Replace the default certificate in the VECS store with the CA-signed certificate and then generate a new CSR.
B.Restart the vCenter Management Agent (vma) service.
C.Import the signed certificate into the appropriate VECS store and run the certificate-manager utility to update the services.
D.Run the certificate manager tool (certool) to generate a new self-signed certificate.
AnswerC

The certificate-manager utility applies the new certificate to all vCenter services.

Why this answer

Option C is correct. After importing the signed certificate into VECS, the administrator must update the vCenter services to use the new certificate. Option B is incorrect because restarting the Management Agent is not the proper step.

Option D is incorrect because certool is used for creating self-signed certificates, not for importing signed ones. Option A is incorrect because it reverses the process.

69
MCQhard

An administrator is configuring vSphere Native Key Provider (NKP) in a cluster. After enabling NKP, the administrator adds a VM and attempts to encrypt it, but receives an error that the key provider is not available. The cluster consists of three ESXi hosts. What is the most likely cause?

A.The VM is stored on NFS storage which is not supported with NKP
B.The vCenter Server is disconnected from the cluster
C.The ESXi hosts are on different network segments
D.Only one ESXi host in the cluster is available; the other two are offline
AnswerD

NKP requires quorum; with only one host, the key provider is unavailable.

Why this answer

Option D is correct because NKP requires a majority of hosts (at least 2) to be active and reachable to form a quorum. If hosts are offline, the key provider becomes unavailable when the remaining hosts cannot achieve quorum. Option A is wrong because NKP works with any storage type.

Option B is wrong because vCenter Server availability is not required for NKP after initial setup. Option C is wrong because network segmentation is separate from key provider availability.

70
MCQeasy

An organization wants to secure management traffic between vCenter Server and ESXi hosts. The security policy mandates disabling all versions of TLS below 1.2. After the administrator configures vCenter to use only TLS 1.2, several ESXi hosts (all version 6.0) lose connectivity to vCenter. The hosts remain operational but show as disconnected in the vSphere Web Client. The administrator needs to restore management while maintaining the security requirement. Which action should the administrator take?

A.Upgrade the legacy ESXi hosts to version 6.5 or later.
B.Disable certificate verification on the vCenter Server.
C.Use SSH to connect vCenter to the ESXi hosts for management.
D.Re-enable TLS 1.0 on the vCenter Server as a temporary workaround.
AnswerA

Upgrading allows hosts to support TLS 1.2, meeting security requirements.

Why this answer

Option A is correct because ESXi 6.0 only supports TLS 1.0; to use TLS 1.2, hosts must be upgraded to ESXi 6.5 or later. Option D is wrong because re-enabling TLS 1.0 would violate the security policy. Option C is wrong because SSH is not used for vCenter management of hosts.

Option B is wrong because disabling certificate verification weakens security.
