BenchMark Quizzes by MDFT Pro

Deploy Encrypted Medical Records Application to Azure VM

You work as a Healthcare IT Specialist for MDFT Pro, a well-known training agency that delivers medical certification courses to healthcare professionals worldwide. Mark, the Compliance Officer, has tasked you with deploying a Student Medical Records Management application to an Azure virtual machine. The application stores sensitive student health information required for clinical training programs, including vaccination records, health clearances, and medical accommodations. Due to HIPAA compliance requirements, all data must be encrypted both during transit to Azure and when at rest on the VM disk. You’ve prepared a VHD containing the application and related data using an on-premises build server. The deployment must ensure that the VHD is encrypted before upload, properly configured as an encrypted OS disk, and maintains encryption after the VM is deployed in Azure.

Which three actions should you perform in sequence to ensure both the application and related data are encrypted during and after deployment?

Choose the correct answer from the options below.

Explanations for each answer:

1. Encrypt the on-premises VHD by using Bit Locker without a TPM. Upload the VM to Azure Storage. 2. Run the Azure PowerShell command Set-AzVMOSDisk. 3. Run the Azure PowerShell command Set-AzVMDiskEncryptionExtension is correct. This sequence encrypts the VHD with BitLocker before upload (ensuring data is encrypted during transit), uses Set-AzVMOSDisk to attach the encrypted disk to the VM configuration, and then applies Set-AzVMDiskEncryptionExtension to enable Azure Disk Encryption for ongoing protection. TPM is not available in Azure VMs, so encryption without TPM is correct.
1. Encrypt the on-premises VHD by using BitLocker with a TPM. Upload the VM to Azure Storage. 2. Run the Azure PowerShell command Set-AzVMOSDisk. 3. Run the Azure PowerShell command Set-AzVMDiskEncryptionExtension is incorrect. TPM (Trusted Platform Module) hardware is not available in Azure VMs, so encrypting with TPM before upload would cause issues. Azure uses software-based encryption through BitLocker or Azure Disk Encryption Extension. Attempting to use TPM-encrypted VHDs in Azure will result in deployment failures.
1. Encrypt the on-premises VHD without using BitLocker. Upload the VM to Azure Storage. 2. Run the Azure PowerShell command Set-AzVMOSDisk. 3. Run the Azure PowerShell command Set-AzVMDiskEncryptionExtension is incorrect. Not encrypting before upload leaves the VHD unprotected during the upload process to Azure Storage. While Set-AzVMDiskEncryptionExtension would encrypt the disk after deployment, there's a window where the data is vulnerable during transit. Pre-encryption with BitLocker ensures end-to-end protection.
1. Encrypt the on-premises VHD by using BitLocker without a TPM. Upload the VM to Azure Storage. 2. Run the Azure PowerShell command New-AzVM. 3. Run the Azure PowerShell command Set-AzVMDiskEncryptionExtension is incorrect. Skipping Set-AzVMOSDisk and directly running New-AzVM doesn't properly configure the VM to use the encrypted OS disk. Set-AzVMOSDisk is necessary to specify the encrypted VHD as the operating system disk before creating the VM with New-AzVM.

Learn more about Azure Disk Encryption:

VM Disk Encryption

Practice Exam

Deploy Encrypted Medical Records Application to Azure VM

Discuss this question on social media: