The security team has requested that high-sensitivity workloads be protected using Confidential Computing in your VMware vSphere Foundation (VVF) 9.0 environment.
These workloads handle regulated data that must be isolated from the hypervisor and other tenants, even when running on the same ESX host.
The vSphere administrator is responsible for ensuring that only trusted hosts are used and that virtual machines are configured with hardware-enforced memory isolation.
Which two configurations must you implement to support Confidential Computing for these workloads? (Choose two.)
A. Create virtual machines with hardware version 22 and set the Confidential Computing flag.
B. Use TPM 2.0 on the guest OS to generate attestation reports for VM launch.
C. Enable AMD SEV-SNP or Intel TDX support in the host BIOS and confirm compatibility in vSphere.
D. Configure Encrypted vMotion with "Required" mode for the VM.
E. Enable vSphere Trust Authority and set the Confidential Computing flag.
Explanation:
For VMware vSphere Foundation (VVF) 9.0 Confidential Computing, high-sensitivity workloads require hardware-enforced memory isolation and trusted host verification.
Option C - Enable AMD SEV-SNP or Intel TDX in host BIOS:
Confidential Computing relies on CPU-based memory encryption technologies (AMD SEV-SNP or Intel TDX). These must be enabled at the firmware level on each ESXi host and confirmed compatible in vSphere to provide isolation from the hypervisor and other tenants.
Option E - Enable vSphere Trust Authority and set Confidential Computing flag:
vSphere Trust Authority (vTA) provides attestation services to verify that hosts are genuine and untampered. The Confidential Computing flag on the VM enables hardware-based memory isolation. Together, they ensure that only trusted hosts run sensitive workloads.
Why other options are incorrect:
A (Hardware version 22):
While new features may require updated hardware versions, Confidential Computing specifically requires CPU features plus vTA, not a specific version number.
B (TPM 2.0 guest attestation):
TPM 2.0 is used for host-side attestation with vTA, not for guest OS attestation at VM launch. Confidential Computing uses hardware-based attestation.
D (Encrypted vMotion):
Encrypted vMotion protects data in transit but does not provide the memory isolation or trusted boot verification required for Confidential Computing.
Reference:
VMware vSphere 9.0 Confidential Computing Requirements; VMware Docs on AMD SEV-SNP and Intel TDX.
An administrator must configure identity access for VMware vSphere Foundation (VVF) to allow admin accounts from the enterprise Active Directory domain corp.local to log in using domain credentials. Security requires authentication to use the default Active Directory protocol, without federation.
Which configuration step is required to enable Active Directory users to authenticate to vCenter?
A. Add the domain controller certificate to the Trusted Root store in vCenter.
B. Configure Identity Federation using SAML with corp.local.
C. Configure a trusted identity provider using OpenID Connect (OIDC).
D. Add Active Directory over LDAP as an identity source.
Explanation:
✅ Why Option D is Correct
In vSphere 9.0, the legacy Integrated Windows Authentication (IWA) method for joining vCenter directly to an Active Directory domain has been deprecated and removed. The supported method for authenticating AD users with domain credentials using the default AD protocol (LDAP) is to configure Active Directory over LDAP (or LDAPS for security) as an identity source within vCenter Single Sign-On.
The administrator navigates to Administration → Single Sign-On → Configuration → Identity Sources, clicks "Add," and selects "Active Directory over LDAP". This allows vCenter to query the AD domain controller using the LDAP protocol without requiring federation technologies.
❌ Why Other Options Are Incorrect
A. Add the domain controller certificate to the Trusted Root store in vCenter.
Uploading certificates is required only if you configure LDAPS (secure LDAP) to encrypt traffic. However, the question explicitly states authentication should use the "default Active Directory protocol, without federation"—referring to standard LDAP—and does not mandate SSL encryption. Certificate configuration is an optional security enhancement, not a required step for basic AD authentication.
B. Configure Identity Federation using SAML with corp.local.
SAML federation is used for external identity providers (e.g., AD FS, Microsoft Entra ID), not for native AD authentication. The question specifies "without federation," making this option invalid.
C. Configure a trusted identity provider using OpenID Connect (OIDC).
OIDC is another federation protocol for external IdPs, not for integrating directly with Active Directory over standard LDAP. This contradicts the requirement to avoid federation.
📚 References
Broadcom KB 433065: "Integrated Windows Authentication option missing in vCenter 9.0" – Confirms IWA removal and mandates AD over LDAP
Broadcom TechDocs: "Add or Edit a vCenter Single Sign-On Identity Source" – Official configuration steps for AD over LDAP
The operations team is tasked with the preparation of a weekly health status overview of a VMware vSphere Foundation (VVF) environment for senior management with the following requirements:
It should be sent every Monday morning.
It must include KPIs related to cluster health, storage usage, and virtual machine (VM) growth trends.
Operational overhead should be minimized.
Which two actions must the administrator perform to satisfy these requirements? (Choose two.)
A. Create a custom dashboard with the required KPIs.
B. Configure the scheduler to send the report via e-mail weekly.
C. Export the built-in Cluster Summary report via FTP.
D. Create a custom View with the KPIs and add it to a new Report Template.
E. Export the desired metrics from the Metrics Explorer to CSV.
Explanation:
Why B is correct: Management requires the report to be sent every Monday morning. To satisfy this without manual intervention (minimizing overhead), the administrator must configure a scheduler. The requirement to send it "via e-mail" means the delivery method must be set up within the vCenter reporting tools.
Why D is correct: The report must include specific KPIs related to "cluster health, storage usage, and virtual machine (VM) growth trends." The standard built-in reports likely do not match this exact combination. Therefore, the administrator needs to create a custom View containing these specific KPIs, and then attach that View to a new Report Template. This template can then be used by the scheduler to generate the specific report required.
Why the other options are less effective:
Option A (Custom Dashboard):
While a dashboard visualizes KPIs, it is an interactive interface for real-time viewing, not a static report that can be scheduled for automated email delivery.
Option C (Export via FTP):
Exporting via FTP does not fulfill the "send via e-mail" requirement. Additionally, the "Cluster Summary report" is a standard report; it may not contain the specific VM growth trends requested, nor does it automate the email delivery.
Option E (Export to CSV):
While this extracts raw data, it does not generate a formatted, automated report. Relying on manual exports would violate the "minimize operational overhead" requirement.
Reference:
This approach follows standard vRealize Operations (vROps) or vCenter reporting logic, where "Report Templates" combine specific "Views" (KPIs), and "Scheduled Reports" manage automated delivery.
An administrator is tasked with adding a 96-core VMware ESX host to a VMware vSphere Foundation (VVF) 9.0 vCenter cluster. The vCenter has been previously licensed for 1024 cores and the existing hosts equal 960 cores. The administrator adds the host to the vCenter cluster and places the cluster back into production.
What issue will occur if the administrator performs no additional actions to this vCenter?
A. The new ESX host will operate in evaluation mode until more capacity is added to the license to license the host. If the host is not licensed when the evaluation period expires, the host will be limited to 64 cores until 32 cores or greater is added to the license.
B. The new ESX host has been limited to 64 cores until more capacity is added to the license to license the host. Once 32 cores or greater is added to the license, the full 96 cores of the new host will be useable.
C. The new ESX host will operate in evaluation mode until more capacity is added to the license to license the host. If the host is not licensed when the evaluation period expires, it is disconnected from the vCenter instance.
D. No issue will occur. The new host was added to the vCenter cluster successfully and will operate for the valid period of the applied license.
Explanation:
✅ Why Option C is Correct
In VMware vSphere Foundation (VVF) 9.0, licensing is managed centrally at the vCenter Server level using a subscription-based license file rather than per-host license keys. The license capacity is calculated from the total number of physical CPU cores across all ESXi hosts, with a minimum of 16 cores per physical CPU.
In this scenario:
Licensed capacity = 1024 cores
Existing hosts consume 960 cores
Remaining available capacity = 64 cores
New host requires 96 cores → Insufficient license capacity
Because the license cannot cover the new host's cores, the host operates in evaluation mode (typically 60-90 days) upon addition to vCenter. If the administrator takes no action to add more license capacity before the evaluation expires, the host becomes disconnected from vCenter. Powered-on VMs continue running, but the host cannot be managed and new VMs cannot be powered on.
❌ Why Other Options Are Incorrect
Option A (limit to 64 cores after evaluation)
– Incorrect. When an unlicensed ESXi host's evaluation period expires, it is disconnected from vCenter entirely; it is not "limited to 64 cores".
Option B (operate in evaluation, then limited to 64 cores) – Incorrect. Same as A—core limitation is not a behavior of evaluation expiry. Disconnection occurs, not throttling.
Option D (no issue) – Incorrect. The license capacity is insufficient (960 used + 96 needed = 1056 > 1024), so the host cannot be properly licensed without adding capacity.
📚 References
VMware TechDocs: "Licensing for ESXi Hosts" – Evaluation mode and license expiry behavior
Broadcom KB 95927: "Determining Required Subscription Capacity" – 16-core minimum licensing rule
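The capacity arithmetic in the explanation above, written out as an added PowerShell example (not part of the question bank or of any VMware tool): a function that bills each physical CPU at its real core count or at the 16-core minimum, whichever is larger, and compares the total against the licensed capacity. The host objects are constructed sample data that reproduce the scenario (ten 96-core hosts plus one new 96-core host); the commented Get-VMHost line shows how the same shape would be built from a live PowerCLI session.

```powershell
# Added example, not from the question bank. Runs offline against constructed sample hosts.

function Get-BilledCores {
    # Bill each physical CPU package at max(cores per socket, 16).
    param([int]$NumCpuPackages, [int]$NumCpuCores)
    $coresPerSocket = [int][Math]::Ceiling($NumCpuCores / $NumCpuPackages)
    return [Math]::Max($coresPerSocket, 16) * $NumCpuPackages
}

function Test-LicenseCapacity {
    # Sum billed cores over all hosts and report whether the license covers them.
    param([array]$Hosts, [int]$LicensedCores)
    $demand = 0
    foreach ($h in $Hosts) {
        $demand += Get-BilledCores -NumCpuPackages $h.NumCpuPackages -NumCpuCores $h.NumCpuCores
    }
    [pscustomobject]@{
        LicensedCores = $LicensedCores
        BilledCores   = $demand
        Shortfall     = [Math]::Max($demand - $LicensedCores, 0)
        Covered       = ($demand -le $LicensedCores)
    }
}

# Constructed sample inventory: ten existing 2-socket, 48-core-per-socket hosts (960 cores).
$existing = 1..10 | ForEach-Object {
    [pscustomobject]@{ Name = "esx$_"; NumCpuPackages = 2; NumCpuCores = 96 }
}
# The new 96-core host from the scenario.
$newHost = [pscustomobject]@{ Name = 'esx11'; NumCpuPackages = 2; NumCpuCores = 96 }

# Live equivalent (requires Connect-VIServer):
# $existing = Get-VMHost | ForEach-Object {
#     $cpu = $_.ExtensionData.Hardware.CpuInfo
#     [pscustomobject]@{ Name = $_.Name; NumCpuPackages = $cpu.NumCpuPackages; NumCpuCores = $cpu.NumCpuCores }
# }

Test-LicenseCapacity -Hosts $existing -LicensedCores 1024               # Covered = True, 960 billed
Test-LicenseCapacity -Hosts ($existing + $newHost) -LicensedCores 1024  # Covered = False, Shortfall = 32

# The 16-core minimum: a 2-socket host with only 8 cores per socket is billed as 32 cores.
Get-BilledCores -NumCpuPackages 2 -NumCpuCores 16   # 32
```

Running the check before adding a host to the cluster is what prevents the evaluation-mode situation the question describes; the Shortfall value (32 here) is the capacity that must be added to the subscription.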
During a recent audit, it was determined that a group of users may have been compromised. These users should not have access to any VMware vCenter resources while an investigation is underway. All the affected users have been placed into a SUSPECT_USERS group.
Which step is required to ensure that the suspect users will never have access to resources in vCenter?
A. Assign the SUSPECT_USERS group the No access role to the vCenter Object and check propagate.
B. Assign the SUSPECT_USERS group the Administrator role to the vCenter Object and uncheck propagate.
C. Disconnect the vCenter from Active Directory.
D. Assign the SUSPECT_USERS group the Read-only role to the vCenter Object and check propagate.
Explanation:
✅ Why Option A is Correct
In vCenter Server, permissions are granted using roles (privilege sets) assigned to users or groups on inventory objects (e.g., vCenter root folder, clusters, VMs). To deny access completely, you assign the No access role. This role explicitly revokes all privileges.
❌ Why Other Options Are Incorrect
Option B (Assign Administrator role, uncheck propagate)
– This grants full administrative access, which is the opposite of what is required. Unchecking propagate only restricts the permission to the top vCenter object itself, which would still grant excessive access.
Option C (Disconnect vCenter from Active Directory)
– This would block authentication for all AD users, not just the suspect group, causing widespread service disruption. It also does not meet the requirement of "never have access" when AD is reconnected later.
Option D (Assign Read-only role, check propagate)
– This grants read access to all objects, allowing users to view VM names, configurations, and performance data. This violates the security requirement that they should have "no access" during the investigation.
📚 References
VMware TechDocs: "Managing vCenter Server Permissions" – Explains No access role and permission propagation
VMware Security Configuration Guide: "Assignment of No Access Permission" – Recommended method for immediate user access revocation
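The same revocation performed with PowerCLI, as an added example that is not part of the question bank: assign the built-in No access role to the group at the inventory root with propagation enabled, then verify that no explicit child-object permission still grants the group something more. Assumptions: VMware.PowerCLI is installed and Connect-VIServer has already been run; the identity source domain is CORP and the group principal is CORP\SUSPECT_USERS (both assumed names).

```powershell
# Added example, not from the question bank. Requires an existing Connect-VIServer session.

$principal = 'CORP\SUSPECT_USERS'   # assumed domain\group

# The inventory root folder is the top-level "vCenter object". -NoRecursion returns only
# that root folder instead of every folder in the inventory.
$root = Get-Folder -NoRecursion

# Built-in role names as PowerCLI exposes them: 'NoAccess', 'ReadOnly', 'Admin'.
$noAccess = Get-VIRole -Name 'NoAccess'

# Propagate = $true pushes the permission to every child object (datacenters, clusters,
# hosts, VMs). Update an existing root-level permission if one exists, otherwise create it.
$perm = Get-VIPermission -Entity $root -Principal $principal -ErrorAction SilentlyContinue
if ($perm) {
    Set-VIPermission -Permission $perm -Role $noAccess -Propagate $true | Out-Null
} else {
    New-VIPermission -Entity $root -Principal $principal -Role $noAccess -Propagate $true | Out-Null
}

# Verification: an explicit permission on a child object overrides the propagated one, so
# list every object where the group still holds any role other than No access.
Get-VIPermission -Principal $principal |
    Where-Object { $_.Role -ne 'NoAccess' } |
    Select-Object Entity, Role, Propagate
```

An empty verification result means the group has no path to any inventory object; any rows it does return are child-level permissions that must be removed or changed to No access as well.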
An administrator has been tasked to share resources in the cluster between the Quality Assurance (QA) Department and Marketing Department. The following information has been provided:
In the case of contention, the QA Department must not lose any performance.
When the QA Department is not using all of its allocated resources, the Marketing Department requires the ability to consume them.
The administrator has set up resource pools for the QA Department (RP-QA) and Marketing Department (RP-MKT).
How should the resource shares be configured for each pool?
A. Set both Resource Pools to Fixed.
B. Set RP-QA to Fixed and RP-MKT to Scalable.
C. Set RP-QA to Scalable and RP-MKT to Fixed.
D. It is not possible to satisfy the requirements of both departments.
Explanation:
✅ Why Option B is Correct
The requirement states that Marketing must consume QA's idle resources. In vSphere resource pools, the Expandable Reservation setting controls borrowing behavior. Setting RP-MKT to Scalable (Expandable Reservation = True) allows it to borrow unreserved resources from its parent (the cluster) when needed. Since QA's idle resources return to the parent, Marketing can consume them via scalability. Setting RP-QA to Fixed (Expandable Reservation = False) ensures QA's reservation is protected: it cannot be borrowed away, guaranteeing QA's performance under contention. The default Expandable Reservation is True (Scalable).
❌ Why Other Options Are Incorrect
A. Both Fixed
– Marketing cannot borrow idle QA resources because Fixed prevents upward expansion. This violates requirement 2.
C. QA Scalable, MKT Fixed
– QA Scalable allows QA to borrow from parent, but MKT Fixed prevents Marketing from expanding upward to consume idle QA resources. This fails requirement 2.
D. Impossible
– Incorrect; the combination in B satisfies both requirements through proper Expandable Reservation configuration.
📚 References
VMware vSphere Resource Management: Expandable Reservation allows resource pools to borrow from parent when set to True (Scalable)
VMware API Documentation: expandableReservation property controls dynamic reservation growth
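The configuration from Option B applied with PowerCLI, as an added example that is not part of the question bank: RP-QA is made Fixed with a guaranteed reservation, RP-MKT is made Scalable so it can expand into the cluster's unreserved capacity. Assumptions: an existing Connect-VIServer session, a cluster named Prod-Cluster (assumed), and constructed sample reservation values of 8000 MHz and 32 GB for QA.

```powershell
# Added example, not from the question bank. Requires an existing Connect-VIServer session.

$cluster = Get-Cluster -Name 'Prod-Cluster'   # assumed cluster name

# RP-QA: Fixed. The reservation guarantees QA's resources under contention, and
# Expandable Reservation = False means the pool never reaches into the parent for more.
Get-ResourcePool -Location $cluster -Name 'RP-QA' |
    Set-ResourcePool -CpuReservationMhz 8000 -MemReservationGB 32 `
                     -CpuExpandableReservation $false -MemExpandableReservation $false

# RP-MKT: Scalable. With Expandable Reservation = True, Marketing VMs can reserve beyond
# the pool's own reservation by borrowing unreserved capacity from the parent cluster,
# which is where QA's unused share sits while QA is idle.
Get-ResourcePool -Location $cluster -Name 'RP-MKT' |
    Set-ResourcePool -CpuExpandableReservation $true -MemExpandableReservation $true

# Review both pools side by side.
Get-ResourcePool -Location $cluster -Name 'RP-QA', 'RP-MKT' |
    Select-Object Name, CpuReservationMhz, CpuExpandableReservation,
                  MemReservationGB, MemExpandableReservation
```

The sample reservation values are placeholders; size them from QA's measured peak demand, since a Fixed pool's reservation is both its guarantee and the ceiling for reservations placed inside it.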
An administrator is tasked with deploying a VMware Cloud Foundation (VCF) Operations for Logs appliance into vSphere Foundation.
After downloading the .ova, which component does the administrator use to deploy the file?
A. VCF Fleet Management
B. vSphere Client
C. VCF Automation
D. VCF Operations
Explanation:
✅ Why Option B is Correct
After downloading the VCF Operations for Logs appliance as an .ova file, the administrator deploys it using the vSphere Client. VMware documentation explicitly states: "Deploy the VCF Operations for logs virtual appliance for VMware vSphere Foundation (VVF) by using the vSphere Client". The deployment process involves navigating to File → Deploy OVF Template in the vSphere Client and following the wizard prompts. For VVF environments specifically, manual OVA deployment via vSphere Client is the standard method because Fleet Management-based deployment is not available.
❌ Why Other Options Are Incorrect
A. VCF Fleet Management
– While VCF Fleet Management can deploy VCF Operations for Logs in full VCF environments, it is not available for VMware vSphere Foundation (VVF) deployments. The question specifies deploying into vSphere Foundation, making this option invalid.
C. VCF Automation
– VCF Automation is an orchestration component for managing workloads and lifecycle operations, not a tool for manual .ova deployment.
D. VCF Operations
– VCF Operations is the monitoring and analytics platform that collects data from deployed components. It is used to configure integration with the Logs appliance after deployment, not to deploy the .ova file itself.
📚 References
Broadcom TechDocs: "Deploying the VCF Operations for logs Appliance for VMware vSphere Foundation"
Broadcom KB 421584: "Manual deployment of VCF Operations for Logs using OVA"
An administrator has licensed vSphere components in Connected mode and then switched to Disconnected mode to meet the company security restrictions, which cannot be violated.
What must the administrator do to ensure the VMware vSphere Foundation license remains valid?
A. Switch to Connected mode, validate that VCF Operations has downloaded a new license file from VCF Business Services console, and then switch to Disconnected mode at least once every 365 days.
B. Manually exchange a registration and license file between the VCF Operations instance and the VCF Business Services console at least once every 180 days.
C. Nothing. The license is perpetual.
D. Provide an internet connection to VCF Operations, then download a new license file from the VCF Business Services console at least once every 180 days.
Explanation:
✅ Why Option B is Correct
When a VCF Operations instance operates in Disconnected mode (no internet connection), it cannot automatically communicate with the VCF Business Services console. To maintain license validity, the administrator must manually perform a file-based exchange:
Generate a usage file from the VCF Operations instance
Transfer the file to an internet-connected computer
Upload the usage file to the VCF Business Services console
Download the new license file from the console
Import the license file back into the VCF Operations instance
The 180-day requirement is critical: VMware mandates that license usage data must be submitted and licenses updated at least once every 6 months (180 days). If the license update is not performed within this timeframe, the licenses are treated as expired, hosts become disconnected from vCenter, and new workload operations cannot be started. The 180-day cycle applies specifically to the manual file exchange process in Disconnected mode.
❌ Why Other Options Are Incorrect
A. Switch to Connected mode every 365 days – Incorrect.
The requirements specify security restrictions that "cannot be violated," meaning the environment permanently remains in Disconnected mode. Periodically switching to Connected mode would violate these security restrictions. The license update requirement is 180 days, not 365 days.
C. Nothing; the license is perpetual – Incorrect.
VMware discontinued perpetual licenses in 2024; all new licensing is subscription-based. Subscription licenses in Disconnected mode require regular manual validation to remain valid. There is no perpetual license option in VVF 9.0.
D. Provide an internet connection every 180 days – Incorrect.
This directly contradicts the security restriction that the environment cannot violate Disconnected mode requirements. The whole reason for Disconnected mode is to avoid any internet connectivity. Manual file exchange is the prescribed method for air-gapped environments.
📚 References
Broadcom TechDocs: "Report License Usage and Update Licenses in Disconnected Mode" – Details the 180‑day manual exchange requirement
Broadcom TechDocs: "High-Level Licensing Workflow" – Confirms the 6‑month update mandate
An administrator is tasked with developing an automated, repeatable process to:
Connect to the corporate Active Directory and create a Windows computer object in a defined Organizational Unit.
Connect to the target vCenter and create a Windows VM from a template.
Power on the VM and join it to the corporate domain.
Which VMware vSphere Foundation (VVF) component is best suited for this task?
A. vSphere Supervisor
B. VCF Operations
C. VCF CLI
D. VCF Operations Orchestrator
Explanation:
The scenario describes a complex automation task that spans multiple disparate systems: Active Directory (an external third-party service) and vCenter (the infrastructure layer). To perform these actions in a single, repeatable "workflow," a tool with extensible plug-ins and multi-platform support is required. VCF Operations Orchestrator (Option D) provides exactly that: a workflow engine with plug-ins for both Active Directory and vCenter, so the computer-object creation, template deployment, power-on and domain join can be chained into one workflow.
Why Other Options are Incorrect
Option A (vSphere Supervisor):
While the Supervisor (part of the vSphere Kubernetes Service) can deploy VMs via the VM Service, its primary focus is on declarative, Kubernetes-style resource management. It is not designed to natively reach out to an external Active Directory to create computer objects as part of its standard VM lifecycle.
Option B (VCF Operations):
This component (formerly vRealize Operations) is an observability and analytics tool. While VCF 9.0 has expanded its management capabilities, it is used for monitoring health, performance, and capacity rather than executing multi-step infrastructure provisioning workflows.
Option C (VCF CLI):
The Command Line Interface is a tool for interacting with the environment but does not provide the stateful workflow engine or the library of third-party plug-ins needed to automate a complex process like AD object creation alongside VM provisioning.
Reference
Broadcom TechDocs: Managing VMware Cloud Foundation Operations Orchestrator – VCF Orchestrator Overview.
VMware vSphere 9.0 Documentation: vSphere Automation and Orchestration Guide
An administrator is tasked to install a new VMware ESX host to an existing cluster. When the installation is completed, the host is not able to be reached from the vCenter.
When testing the host's management network, the default gateway, primary DNS, and secondary DNS are all unreachable, and the host name cannot be resolved. The VLAN for the management network is set correctly and the adapters are all connected.
What is the first step in troubleshooting this connectivity issue?
A. Verify the correct TCP/IP information is configured.
B. Verify the DVS configuration in vCenter.
C. Reinstall ESX on the host.
D. Disconnect and reconnect the physical network cable.
Explanation:
✅ Why Option A is Correct
The host cannot reach its default gateway, DNS servers, nor resolve its own hostname—all symptoms of a Layer 3 configuration issue. Before investigating physical cabling or vCenter integration, the administrator must verify the ESXi host's basic TCP/IP settings (IP address, subnet mask, default gateway, DNS) via the Direct Console User Interface (DCUI). An incorrect IP, wrong subnet, or invalid gateway would cause exactly these unreachable symptoms even with correct VLAN and physical connectivity. This is the standard first troubleshooting step per VMware best practices.
❌ Why Other Options Are Incorrect
B. Verify the DVS configuration in vCenter
– The host cannot be reached by vCenter at all, making DVS verification impossible. TCP/IP must be functional before vCenter can manage the host.
C. Reinstall ESX on the host
– Reinstallation is an extreme, time-consuming action. TCP/IP misconfiguration can be corrected in minutes via DCUI without reinstalling.
D. Disconnect and reconnect the physical network cable
– The adapters show as "connected," VLAN is set correctly, and there is no indication of link-flapping. A physical cable issue would typically cause complete loss of link, not selective unreachability of gateway and DNS while showing link up.
📚 References
VMware KB 1004048: "Troubleshooting ESXi host connectivity issues" – First step: Verify IP, subnet, gateway in DCUI
VMware TechDocs: "Verifying ESXi Host Network Configuration" – Basic TCP/IP validation before vCenter integration
A virtual machine (VM) owner has requested to move a VM from one cluster to another.
The following information has been provided:
The VM cannot have downtime during the transfer.
The same network is present on both clusters.
The datastore that the VM is currently on is not present in the destination cluster.
What step should the administrator perform to move the VM?
A. Perform a vMotion of the VM to the new cluster.
B. Backup the VM and restore it to the new cluster.
C. Perform a vMotion with Storage vMotion to the new cluster.
D. Inform the owner the VM cannot be moved to the new cluster.
Explanation:
✅ Why Option C is Correct
The requirements create two simultaneous needs:
No downtime → Requires an active vMotion (live migration)
Datastore not present in destination cluster → Requires Storage vMotion (live storage migration)
A combined vMotion + Storage vMotion operation moves both the VM's compute (CPU/memory state) and its virtual disks to the destination cluster in a single, zero‑downtime operation. The administrator initiates this by selecting the VM → Migrate → Change both compute resource and storage → Select the target cluster and a datastore within that cluster.
Because the same network is present on both clusters, network connectivity for the VM is preserved post‑migration.
❌ Why Other Options Are Incorrect
A. Perform a vMotion only to the new cluster
– vMotion alone moves compute resources (host/cluster) but leaves storage in place. The datastore is not accessible from the destination cluster, so the VM would have no access to its virtual disks after migration.
B. Backup and restore to the new cluster
– This would require downtime for the backup window and restore process, violating the “no downtime” requirement.
D. Inform the owner the VM cannot be moved
– Incorrect. VMware supports cross‑cluster live migration with combined vMotion + Storage vMotion when networks are compatible, as stated in the requirement.
📚 References
VMware TechDocs: “Migrate Virtual Machines with vMotion” – Combined compute and storage migration
VMware KB 1003113: “Requirements for vMotion and Storage vMotion” – Cross‑cluster compatibility
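The migration from Option C performed with PowerCLI, as an added example that is not part of the question bank: the script first checks the two facts the scenario relies on (the VM's port groups exist on the destination cluster; the VM's current datastore is not visible there), then issues a single Move-VM that changes compute and storage together while the VM stays powered on. Assumptions: an existing Connect-VIServer session, and the names app01 (VM), Cluster-B (destination cluster) and DS-B-01 (destination datastore) are all assumed.

```powershell
# Added example, not from the question bank. Requires an existing Connect-VIServer session.

$vm      = Get-VM -Name 'app01'            # assumed VM name
$cluster = Get-Cluster -Name 'Cluster-B'   # assumed destination cluster
$ds      = Get-Datastore -Name 'DS-B-01'   # assumed datastore in the destination cluster

$dstHosts = $cluster | Get-VMHost -State Connected

# Check 1: same network on both clusters. Every port group the VM uses must exist on the
# destination hosts; otherwise the NIC arrives disconnected after the migration.
$vmNets  = $vm | Get-NetworkAdapter | Select-Object -ExpandProperty NetworkName -Unique
$dstNets = $dstHosts | Get-VirtualPortGroup | Select-Object -ExpandProperty Name -Unique
$missing = $vmNets | Where-Object { $dstNets -notcontains $_ }
if ($missing) {
    throw "Port group(s) not present on destination cluster: $($missing -join ', ')"
}

# Check 2: the VM's current datastore is not reachable from the destination cluster, which
# is what makes the storage part of the migration mandatory.
$srcDs      = ($vm | Get-Datastore).Name
$dstDsNames = ($dstHosts | Get-Datastore).Name
$shared     = $srcDs | Where-Object { $dstDsNames -contains $_ }
if ($shared) {
    Write-Host "Datastore(s) $($shared -join ', ') are visible on the destination; a compute-only vMotion would also work."
}

# Check 3: no downtime. Move-VM migrates a powered-on VM live. Passing both -Destination
# (compute) and -Datastore (storage) performs vMotion and Storage vMotion in one operation.
Move-VM -VM $vm -Destination $cluster -Datastore $ds -Confirm:$false

# Confirm where the VM and its disks now live.
Get-VM -Name $vm.Name | Select-Object Name, PowerState, VMHost,
    @{ Name = 'Datastore'; Expression = { ($_ | Get-Datastore).Name -join ', ' } }
```

If the VM has more than one disk and they should land on different datastores, the Move-VM call is the only line that changes; the pre-checks stay the same.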
An administrator enables the VMware Cloud Foundation (VCF) Operations orchestrator Plug-in for VMware vSphere Web Client service on a VCF Operations orchestrator appliance.
How many vSphere instances can be integrated in the vSphere Client through the VCF Operations orchestrator plug-in?
A. 8
B. 15
C. 1
D. 10
Explanation:
When enabling the VCF Operations Orchestrator Plug-in (formerly known as the vRealize Orchestrator/Aria Automation Orchestrator plug-in) for the vSphere Web Client, a strict 1:1 relationship exists for the integration. A single instance of the Orchestrator appliance can only be integrated with one vCenter Server (or one vSphere Client instance) at a time using this specific plug-in mechanism.
While a VCF Operations Orchestrator appliance can manage and execute workflows against multiple vCenter instances by adding them as "vCenter endpoints" within the Orchestrator inventory, the vSphere Client Plug-in itself—which allows users to run workflows directly from the vSphere UI—only supports a single vSphere instance registration per Orchestrator server.
Why Other Options are Incorrect:
Options A, B, and D: These numbers (8, 10, 15) do not align with the architectural limitations of the Orchestrator plug-in for vSphere. These are often confused with maximums for other VCF components, such as the number of vCenter instances supported by a single SDDC Manager in specific early versions, or maximums for Linked Mode, but they do not apply to the Orchestrator UI integration.
Reference
VMware vSphere 9.0 Documentation: vSphere Automation and Orchestration Guide – "Registering Orchestrator as a vCenter Server Extension."
Broadcom TechDocs: VCF Operations Orchestrator Installation and Configuration Guide – "Configuring the vSphere Web Client Plug-in."
Real-World Scenario Mastery: Our 2V0-16.25 practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.
Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before VMware vSphere Foundation 9.0 Administrator exam day arrives.
Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive 2V0-16.25 practice exam question pool covering all topics, the real exam feels like just another practice session.