Question 17 - Microsoft Azure AZ-801 Real Exam Questions [March 2026 Update]

Q: 17

You have an Azure subscription that has Microsoft Defender for Cloud enabled. You have 50 Azure virtual machines that run Windows Server. You need to ensure that any security exploits detected on the virtual machines are forwarded to Defender for Cloud. Which extension should you enable on the virtual machines?

Options

Correct Answer:

Explanation

Microsoft Defender for Cloud uses a vulnerability assessment solution to scan virtual machines for security vulnerabilities and potential exploits. When you enable this feature, Defender for Cloud deploys a scanner extension, such as the one for Microsoft Defender Vulnerability Management or Qualys, to the virtual machines. This extension actively scans the machine's operating system and installed applications for known vulnerabilities. The findings, including detected exploits, are then reported directly to Defender for Cloud for remediation and tracking. This is the most direct method to meet the specified requirement.

Why Incorrect

B. Microsoft Dependency agent: This agent is used by Azure Monitor for VMs to discover and map network dependencies between virtual machines; it does not scan for security exploits.

C. Log Analytics agent for Azure VMs: This agent collects security events and performance data from the guest OS. While it is a prerequisite for many Defender for Cloud features, it does not perform the active vulnerability scanning itself.

D. Guest Configuration agent: This agent is part of Azure Policy and is used to audit and enforce operating system and application settings for compliance, not to scan for software vulnerabilities.

---

References

1. Microsoft Learn | Defender for Cloud Documentation. "Find vulnerabilities and misconfigurations with Microsoft Defender Vulnerability Management." This document states

"The vulnerability scanner is powered by Microsoft Defender Vulnerability Management... The scanner is deployed through extensions to Azure virtual machines and Azure Arc-enabled machines." This directly links the vulnerability assessment capability to an extension.

2. Microsoft Learn | Defender for Cloud Documentation. "Enable vulnerability assessment for machines." This guide explains the process: "When you enable vulnerability assessment

Defender for Cloud prompts you to select a vulnerability assessment solution for your machines... Defender for Cloud automatically deploys the extension for your chosen solution on all supported machines in the subscription."

3. Microsoft Learn | Defender for Cloud Documentation. "Overview of agents used by Defender for Cloud." This page clarifies the distinct roles of various agents and extensions. It describes the "Vulnerability assessment extensions" as the component that "scans your machines for vulnerabilities" and differentiates it from the Log Analytics agent

Dependency agent

and Guest Configuration agent

whose purposes are data collection

dependency mapping

and policy compliance

respectively.

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE