- Select and configure the right disk encryption approach for Azure virtual machines. Compare managed disk encryption options, configure encryption at host with customer-managed keys using Disk Encryption Sets, and apply confidential disk encryption to confidential virtual machines.
After completing this module, you can:
- Compare Azure managed disk encryption options and select the appropriate approach for new and existing VMs
- Configure encryption at host with customer-managed keys using a Disk Encryption Set and Azure Key Vault
- Apply confidential disk encryption to confidential virtual machines
- Enforce disk encryption compliance using Azure Policy
- Configure Trusted Launch security features for Azure virtual machines. Enable Secure Boot and vTPM to block boot-level malware and rootkits, and boot integrity monitoring to attest the measured boot chain. Then upgrade existing VMs to the Trusted Launch security type, and enforce adoption at scale using Azure Policy.
After completing this module, you can:
- Identify how Trusted Launch protects against boot-level threats: Secure Boot rejects unsigned boot components, vTPM measures the boot chain, and integrity monitoring attests those measurements
- Enable Trusted Launch and configure its security components on new and existing Azure VMs
- Upgrade existing Gen1 VMs to Gen2 with Trusted Launch enabled
- Enforce Trusted Launch adoption using built-in Azure Policy
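Worked example, added here and not code from the Microsoft Learn modules above, that puts the disk encryption module and the Trusted Launch module together with Azure PowerShell: a Disk Encryption Set backed by a customer-managed key in Azure Key Vault, then a Trusted Launch VM with Secure Boot, vTPM and encryption at host whose OS disk is bound to that set. Resource names, the region, the VM size, the image and the address ranges are assumptions; the script expects an authenticated Az session (`Connect-AzAccount`) with rights to create these resources and, because the vault uses RBAC authorization, the Key Vault Crypto Officer role on the vault to create the key.

```powershell
# Added example (not from the Microsoft Learn modules). All names below are placeholders.
$rg       = "rg-vmsec-demo"
$location = "westeurope"
$kvName   = "kv-vmsec-demo-001"      # Key Vault names are globally unique; pick your own
$desName  = "des-vmsec-demo"
$vmName   = "vm-tl-demo"

# 1. Encryption at host is gated by a subscription feature flag; VM creation fails without it.
$feature = Get-AzProviderFeature -FeatureName EncryptionAtHost -ProviderNamespace Microsoft.Compute
if ($feature.RegistrationState -ne "Registered") {
    Register-AzProviderFeature -FeatureName EncryptionAtHost -ProviderNamespace Microsoft.Compute
    throw "EncryptionAtHost feature registration started; re-run once it reports 'Registered'."
}

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# 2. Key Vault holding the CMK. Purge protection is mandatory for a Disk Encryption Set:
#    a purged key would make every disk under the set permanently unreadable.
$kv  = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location `
         -Sku Premium -EnablePurgeProtection -EnableRbacAuthorization
$key = Add-AzKeyVaultKey -VaultName $kvName -Name "disk-cmk" -Destination HSM -KeyType RSA -Size 3072

# 3. Disk Encryption Set with a system-assigned identity that wraps per-disk keys with the CMK.
#    Auto-rotation lets the set follow new key versions without re-encrypting the disks.
$desConfig = New-AzDiskEncryptionSetConfig -Location $location -SourceVaultId $kv.ResourceId `
               -KeyUrl $key.Id -IdentityType SystemAssigned -RotationToLatestKeyVersionEnabled $true
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -InputObject $desConfig

# 4. Least privilege: the set's identity only needs wrap/unwrap, not key management.
New-AzRoleAssignment -ObjectId $des.Identity.PrincipalId -Scope $kv.ResourceId `
    -RoleDefinitionName "Key Vault Crypto Service Encryption User" | Out-Null

# 5. Network with no public IP on the VM; management access is meant to come via Bastion or JIT.
$subnet = New-AzVirtualNetworkSubnetConfig -Name "snet-vms" -AddressPrefix "10.10.1.0/24"
$vnet   = New-AzVirtualNetwork -Name "vnet-vmsec" -ResourceGroupName $rg -Location $location `
            -AddressPrefix "10.10.0.0/16" -Subnet $subnet
$nic    = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rg -Location $location `
            -SubnetId $vnet.Subnets[0].Id

# 6. VM: Trusted Launch security type with Secure Boot and vTPM, encryption at host on,
#    OS disk bound to the Disk Encryption Set. Trusted Launch needs a Gen2 image.
$cred = Get-Credential -Message "Local admin account for the VM"
$vm = New-AzVMConfig -VMName $vmName -VMSize "Standard_D2s_v5" -SecurityType TrustedLaunch -EncryptionAtHost
$vm = Set-AzVMUefi -VM $vm -EnableSecureBoot $true -EnableVtpm $true
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName $vmName -Credential $cred
$vm = Set-AzVMSourceImage -VM $vm -PublisherName Canonical -Offer 0001-com-ubuntu-server-jammy `
        -Skus 22_04-lts-gen2 -Version latest
$vm = Set-AzVMOSDisk -VM $vm -Name "$vmName-osdisk" -CreateOption FromImage `
        -StorageAccountType Premium_LRS -DiskEncryptionSetId $des.Id
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm

# 7. Verify the effective settings instead of trusting the request.
$deployed = Get-AzVM -ResourceGroupName $rg -Name $vmName
$deployed.SecurityProfile | Format-List SecurityType, EncryptionAtHost
$deployed.SecurityProfile.UefiSettings | Format-List SecureBootEnabled, VTpmEnabled
(Get-AzDisk -ResourceGroupName $rg -DiskName "$vmName-osdisk").Encryption | Format-List Type, DiskEncryptionSetId
```

The VM size must support both encryption at host and Trusted Launch (Standard_D2s_v5 does; older or Gen1-only sizes are rejected at create time), and the final `Encryption.Type` should read `EncryptionAtRestWithCustomerKey`, otherwise the disk fell back to platform-managed keys. The confidential VM variant from the first module follows the same shape but is not shown here: it uses `-SecurityType ConfidentialVM` and a Disk Encryption Set created with the confidential encryption type, which is a separate set of parameters.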
- Plan and deploy Azure Bastion to provide secure, browser-based RDP and SSH access to virtual machines without exposing public IP addresses or management ports. Select the right SKU, deploy and configure Bastion, and connect to VMs using portal and native client methods.
After completing this module, you can:
- Select the appropriate Azure Bastion SKU based on scale, feature, and cost requirements
- Deploy and configure Azure Bastion in an Azure virtual network
- Connect to Azure virtual machines through Azure Bastion using portal and native client methods
- Configure advanced Bastion features including native client support, shareable links, and session recording
- Manage security controls for Azure Arc-enabled hybrid servers. Configure RBAC and extension security to prevent unauthorized agent modifications. Then apply Azure Policy to enforce security baselines on Arc-enrolled machines. Finally, monitor hybrid server security posture in Microsoft Defender for Cloud.
After completing this module, you can:
- Configure RBAC and extension allow/block lists to protect Arc-enabled servers from unauthorized extension installation
- Assign and manage Azure Policy for Arc-enabled servers to enforce security baselines
- Monitor the security posture of Arc-enrolled servers in Microsoft Defender for Cloud
- Apply machine configuration policies to Arc-enrolled servers
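As an added example (not code from the Microsoft Learn module above) of the extension controls that module covers: the Connected Machine agent enforces its own extension allowlist and blocklist locally, so an attacker with Azure RBAC rights on the machine resource still cannot push an arbitrary extension through it. The first part runs on the hybrid server in an elevated session; the second runs from a management workstation with the Az.ConnectedMachine module. The extension baseline (Azure Monitor Agent, machine configuration, Defender for Endpoint), the resource group, machine name and group object ID are assumptions.

```powershell
# Added example (not from the Microsoft Learn module). Placeholders: extension baseline, rg-hybrid, srv-app-01, <ops-group-object-id>.

# --- On the Arc-enabled server (elevated) ---

# Allowlist: only these publisher/type pairs may be installed; the agent rejects everything else
# regardless of the caller's Azure RBAC rights. Setting an allowlist implicitly blocks all others.
azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.GuestConfiguration/ConfigurationforWindows,Microsoft.Azure.AzureDefenderForServers/MDE.Windows"

# Blocklist the remote-execution handlers explicitly as well, so the intent survives if someone
# later clears the allowlist to install a new monitoring extension.
azcmagent config set extensions.blocklist "Microsoft.CPlat.Core/RunCommandHandlerWindows,Microsoft.Compute/CustomScriptExtension"

# Keep the guest configuration agent enabled: the machine configuration policies in the next
# modules depend on it. Then confirm the effective configuration and agent state.
azcmagent config set guestconfiguration.enabled true
azcmagent config list
azcmagent show

# --- From a management workstation (Az.ConnectedMachine, authenticated session) ---

# Scope extension rights to one machine resource, not the resource group. Azure Connected Machine
# Resource Administrator can install and remove extensions; Azure Connected Machine Onboarding cannot.
$machine = Get-AzConnectedMachine -ResourceGroupName "rg-hybrid" -Name "srv-app-01"
New-AzRoleAssignment -ObjectId "<ops-group-object-id>" -Scope $machine.Id `
    -RoleDefinitionName "Azure Connected Machine Resource Administrator"
```

Check the allowlist after every agent upgrade or re-onboarding: `azcmagent config list` shows the live values, and an empty `extensions.allowlist` means any extension the RBAC layer permits will install.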
- Onboard Azure virtual machines and Arc-connected hybrid servers to Microsoft Defender for Servers. Select Plan 1 or Plan 2 and configure vulnerability scanning using agentless and agent-based approaches. Then integrate Microsoft Defender for Endpoint, manage agentless scanning, and enable File Integrity Monitoring.
After completing this module, you can:
- Select Defender for Servers Plan 1 or Plan 2 based on required capabilities, and onboard Azure VMs and Arc-connected servers
- Configure vulnerability scanning using agentless and agent-based Defender Vulnerability Management
- Manage the Microsoft Defender for Endpoint integration and configure agentless scanning and File Integrity Monitoring
- Enable and configure just-in-time VM access in Microsoft Defender for Cloud to eliminate permanently open RDP and SSH ports. Configure per-port access policies, request time-bound access, audit access activity, and enforce JIT adoption across your VM estate using Azure Policy.
After completing this module, you can:
- Examine how just-in-time VM access reduces the attack surface on management ports
- Enable JIT and configure per-port access policies on Azure VMs
- Request and approve JIT access and audit access activity
- Enforce JIT adoption across a VM estate using Azure Policy
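The JIT workflow described in the module above, as an added Azure PowerShell example that is not the module's own code: check that the VM is eligible, define a per-port policy, request a time-bound window, and read back who was granted what. JIT works by writing deny rules into a network security group, so a VM with no NSG on its NIC or subnet (and no Azure Firewall in front of it) cannot be protected; the script fails early on that case instead of producing a confusing error later. The resource group, VM name and the two admin address ranges are assumptions, and an authenticated Az session with the Az.Security module is expected.

```powershell
# Added example (not from the Microsoft Learn module). Placeholders: rg-vmsec-demo, vm-tl-demo, 203.0.113.0/24, 203.0.113.10.
$rg = "rg-vmsec-demo"; $vmName = "vm-tl-demo"; $adminCidr = "203.0.113.0/24"
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Eligibility: JIT needs an NSG on the NIC or on the subnet. Resolve both from the VM's first NIC.
$nic   = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$parts = $nic.IpConfigurations[0].Subnet.Id -split "/"   # .../resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
$vnet  = Get-AzVirtualNetwork -ResourceGroupName $parts[4] -Name $parts[8]
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $parts[10]
if (-not $nic.NetworkSecurityGroup -and -not $subnet.NetworkSecurityGroup) {
    throw "$vmName has no NSG on its NIC or subnet; attach one before enabling JIT."
}

# Per-port policy: short maximum windows and a source restricted to the admin network rather than "*".
$jitPolicy = @{
    id    = $vm.Id
    ports = @(
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @($adminCidr); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @($adminCidr); maxRequestAccessDuration = "PT1H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $vm.Location -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($jitPolicy)

# Request a one-hour SSH window from a single admin address. Defender for Cloud adds the allow rule
# now and removes it at endTimeUtc; the request is rejected if it exceeds the policy's maximum.
$subId    = (Get-AzContext).Subscription.Id
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$($vm.Location)/jitNetworkAccessPolicies/default"
$request = @{
    id    = $vm.Id
    ports = @(
        @{ number = 22; allowedSourceAddressPrefix = @("203.0.113.10")
           endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o") }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# Audit: the policy object keeps the request history; the activity log records the caller who initiated it.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $vm.Location -Name "default").Requests |
    Select-Object StartTimeUtc, Requestor,
        @{ n = "Ports"; e = { $_.VirtualMachines.Ports | ForEach-Object { "$($_.Number)/$($_.Status)" } } }
Get-AzActivityLog -ResourceGroupName $rg -StartTime (Get-Date).AddDays(-7) |
    Where-Object { $_.OperationName -like "*jitNetworkAccessPolicies/initiate*" } |
    Select-Object EventTimestamp, Caller, Status
```

Enabling JIT does not by itself close a port that an existing NSG rule already opens permanently: the policy adds a higher-priority deny, so verify with `Get-AzNetworkSecurityGroup` that no lower-numbered allow rule for 22 or 3389 still wins.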
- Audit and enforce OS security configuration on Azure virtual machines and Arc-enabled servers using Azure Machine Configuration. Apply built-in Windows and Linux security baseline policies, configure audit and enforce modes, and author custom machine configurations for organization-specific requirements.
After completing this module, you can:
- Explore how Azure Machine Configuration audits and enforces OS-level settings using Azure Policy
- Deploy the Azure Machine Configuration extension and configure required prerequisites
- Assign built-in Windows and Linux security baseline policies in audit and enforce modes
- Author and publish a custom machine configuration for organization-specific requirements
Syllabus
- Implement disk encryption for Azure virtual machines
  - Introduction
  - Choose the right disk encryption option for Azure VMs
  - Configure encryption at host with customer-managed keys
  - Apply confidential disk encryption to confidential virtual machines
  - Knowledge check
  - Summary
- Configure trusted launch security features for Azure virtual machines
  - Introduction
  - Identify Trusted Launch components and VM security types
  - Enable Trusted Launch on new and existing Gen2 VMs
  - Migrate Gen1 VMs and configure Trusted Launch components
  - Enforce Trusted Launch adoption with Azure Policy
  - Knowledge check
  - Summary
- Plan and implement Azure Bastion
  - Introduction
  - Plan Azure Bastion deployment
  - Deploy and configure Azure Bastion
  - Connect to VMs through Azure Bastion
  - Knowledge check
  - Summary
- Manage security for Arc-enabled hybrid servers
  - Introduction
  - Control access and extension security for Arc-enabled servers
  - Apply Azure Policy to Arc-enabled servers
  - Monitor Arc server security posture in Defender for Cloud
  - Knowledge check
  - Summary
- Implement Microsoft Defender for Servers
  - Introduction
  - Onboard servers to Defender for Servers
  - Configure vulnerability scanning with Defender Vulnerability Management
  - Configure Defender for Endpoint integration, agentless scanning, and File Integrity Monitoring
  - Knowledge check
  - Summary
- Enable and enforce just-in-time VM access
  - Introduction
  - Examine just-in-time VM access requirements and VM eligibility
  - Enable and configure JIT access policies
  - Request just-in-time (JIT) access and audit access activity
  - Knowledge check
  - Summary
- Enforce VM security configuration with Azure Machine Configuration
  - Introduction
  - Explore Azure Machine Configuration extension capabilities and modes
  - Apply built-in security baseline policies
  - Author and assign custom machine configurations
  - Knowledge check
  - Summary