Free VMware 2V0-16.25 Practice Test Questions 2026

Total 60 Questions

Last Updated On : 25-May-2026


VMware vSphere Foundation 9.0 Administrator



The security team has requested that high-sensitivity workloads be protected using Confidential Computing in your VMware vSphere Foundation (VVF) 9.0 environment.

These workloads handle regulated data that must be isolated from the hypervisor and other tenants, even when running on the same ESX host.

The vSphere administrator is responsible for ensuring that only trusted hosts are used and that virtual machines are configured with hardware-enforced memory isolation.

Which two configurations must you implement to support Confidential Computing for these workloads? (Choose two.)



A. Create virtual machines with hardware version 22 and set the Confidential Computing flag.


B. Use TPM 2.0 on the guest OS to generate attestation reports for VM launch.


C. Enable AMD SEV-SNP or Intel TDX support in the host BIOS and confirm compatibility in vSphere.


D. Configure Encrypted vMotion with "Required" mode for the VM.


E. Enable vSphere Trust Authority and set the Confidential Computing flag.





C.
  Enable AMD SEV-SNP or Intel TDX support in the host BIOS and confirm compatibility in vSphere.

E.
  Enable vSphere Trust Authority and set the Confidential Computing flag.

Explanation:

For VMware vSphere Foundation (VVF) 9.0 Confidential Computing, high-sensitivity workloads require hardware-enforced memory isolation and trusted host verification.

Option C - Enable AMD SEV-SNP or Intel TDX in host BIOS:
Confidential Computing relies on CPU-based memory encryption technologies (AMD SEV-SNP or Intel TDX). These must be enabled at the firmware level on each ESXi host and confirmed compatible in vSphere to provide isolation from the hypervisor and other tenants.

Option E - Enable vSphere Trust Authority and set Confidential Computing flag:
vSphere Trust Authority (vTA) provides attestation services to verify hosts are genuine and untampered. The Confidential Computing flag on the VM enables hardware-based memory isolation. Together, they ensure only trusted hosts run sensitive workloads.

Why other options are incorrect:

A (Hardware version 22):
While new features may require updated hardware versions, Confidential Computing specifically requires CPU features + vTA, not a specific version number.

B (TPM 2.0 guest attestation):
TPM 2.0 is for host-side attestation with vTA, not guest OS attestation for VM launch. Confidential Computing uses hardware-based attestation.

D (Encrypted vMotion):
Encrypted vMotion protects data in transit but does not provide memory isolation or trusted boot verification required for Confidential Computing.

Reference:
VMware vSphere 9.0 Confidential Computing Requirements; VMware Docs on AMD SEV-SNP and Intel TDX.

An administrator must configure identity access for VMware vSphere Foundation (VVF) to allow admin accounts from the enterprise Active Directory domain corp.local to log in using domain credentials. Security requires authentication to use the default Active Directory protocol, without federation.

Which configuration step is required to enable Active Directory users to authenticate to vCenter?



A. Add the domain controller certificate to the Trusted Root store in vCenter.


B. Configure Identity Federation using SAML with corp.local.


C. Configure a trusted identity provider using OpenID Connect (OIDC).


D. Add Active Directory over LDAP as an identity source.





D.
  Add Active Directory over LDAP as an identity source.

Explanation:

✅ Why Option D is Correct
In vSphere 9.0, the legacy Integrated Windows Authentication (IWA) method for joining vCenter directly to an Active Directory domain has been deprecated and removed. The supported method for authenticating AD users with domain credentials using the default AD protocol (LDAP) is to configure Active Directory over LDAP (or LDAPS for security) as an identity source within vCenter Single Sign-On.

The administrator navigates to Administration → Single Sign-On → Configuration → Identity Sources, clicks "Add," and selects "Active Directory over LDAP". This allows vCenter to query the AD domain controller using the LDAP protocol without requiring federation technologies.

❌ Why Other Options Are Incorrect

A. Add the domain controller certificate to the Trusted Root store in vCenter.
Uploading certificates is required only if you configure LDAPS (secure LDAP) to encrypt traffic. However, the question explicitly states authentication should use the "default Active Directory protocol, without federation"—referring to standard LDAP—and does not mandate SSL encryption. Certificate configuration is an optional security enhancement, not a required step for basic AD authentication.

B. Configure Identity Federation using SAML with corp.local.
SAML federation is used for external identity providers (e.g., AD FS, Microsoft Entra ID), not for native AD authentication. The question specifies "without federation," making this option invalid.

C. Configure a trusted identity provider using OpenID Connect (OIDC).
OIDC is another federation protocol for external IdPs, not for integrating directly with Active Directory over standard LDAP. This contradicts the requirement to avoid federation.

📚 References
Broadcom KB 433065: "Integrated Windows Authentication option missing in vCenter 9.0" – Confirms IWA removal and mandates AD over LDAP

Broadcom TechDocs: "Add or Edit a vCenter Single Sign-On Identity Source" – Official configuration steps for AD over LDAP

The operations team is tasked with preparing a weekly health status overview of a VMware vSphere Foundation (VVF) environment for senior management, with the following requirements:

It should be sent every Monday morning.

It must include KPIs related to cluster health, storage usage, and virtual machine (VM) growth trends.

Operational overhead should be minimized.

Which two actions must the administrator perform to satisfy these requirements? (Choose two.)



A. Create a custom dashboard with the required KPIs.


B. Configure the scheduler to send the report via e-mail weekly.


C. Export the built-in Cluster Summary report via FTP.


D. Create a custom View with the KPIs and add it to a new Report Template.


E. Export the desired metrics from the Metrics Explorer to CSV.





B.
  Configure the scheduler to send the report via e-mail weekly.

D.
  Create a custom View with the KPIs and add it to a new Report Template.

Explanation:

Why B is correct: Management requires the report to be sent every Monday morning. To satisfy this without manual intervention (minimizing overhead), the administrator must configure a scheduler. The requirement to send it "via e-mail" means the delivery method must be set up within the vCenter reporting tools.

Why D is correct: The report must include specific KPIs related to "cluster health, storage usage, and virtual machine (VM) growth trends." The standard built-in reports likely do not match this exact combination. Therefore, the administrator needs to create a custom View containing these specific KPIs, and then attach that View to a new Report Template. This template can then be used by the scheduler to generate the specific report required.

Why the other options are less effective:

Option A (Custom Dashboard):
While a dashboard visualizes KPIs, it is an interactive interface for real-time viewing, not a static report that can be scheduled for automated email delivery.

Option C (Export via FTP):
Exporting via FTP does not fulfill the "send via e-mail" requirement. Additionally, the "Cluster Summary report" is a standard report; it may not contain the specific VM growth trends requested, nor does it automate the email delivery.

Option E (Export to CSV):
While this extracts raw data, it does not generate a formatted, automated report. Relying on manual exports would violate the "minimize operational overhead" requirement.

Reference:
This approach follows standard vRealize Operations (vROps) or vCenter reporting logic, where "Report Templates" combine specific "Views" (KPIs), and "Scheduled Reports" manage automated delivery.

An administrator is tasked with adding a 96-core VMware ESX host to a VMware vSphere Foundation (VVF) 9.0 vCenter cluster. The vCenter has been previously licensed for 1024 cores and the existing hosts equal 960 cores. The administrator adds the host to the vCenter cluster and places the cluster back into production.

What issue will occur if the administrator performs no additional actions to this vCenter?



A. The new ESX host will operate in evaluation mode until more capacity is added to the license to license the host. If the host is not licensed when the evaluation period expires, the host will be limited to 64 cores until 32 cores or greater is added to the license.


B. The new ESX host has been limited to 64 cores until more capacity is added to the license to license the host. Once 32 cores or greater is added to the license, the full 96 cores of the new host will be useable.


C. The new ESX host will operate in evaluation mode until more capacity is added to the license to license the host. If the host is not licensed when the evaluation period expires, it is disconnected from the vCenter instance.


D. No issue will occur. The new host was added to the vCenter cluster successfully and will operate for the valid period of the applied license.





C.
  The new ESX host will operate in evaluation mode until more capacity is added to the license to license the host. If the host is not licensed when the evaluation period expires, it is disconnected from the vCenter instance.

Explanation:

✅ Why Option C is Correct
In VMware vSphere Foundation (VVF) 9.0, licensing is managed centrally at the vCenter Server level using a subscription-based license file rather than per-host license keys. The license capacity is calculated based on the total number of physical CPU cores across all ESXi hosts, with a minimum of 16 cores per physical CPU.

In this scenario:
Licensed capacity = 1024 cores
Existing hosts consume 960 cores
Remaining available capacity = 64 cores
New host requires 96 cores → Insufficient license capacity

Because the license cannot cover the new host's cores, the host operates in evaluation mode (typically 60-90 days) upon addition to vCenter. If the administrator takes no action to add more license capacity before evaluation expires, the host becomes disconnected from vCenter. Powered-on VMs continue running, but the host cannot be managed and new VMs cannot be powered on.

❌ Why Other Options Are Incorrect

Option A (limit to 64 cores after evaluation)
– Incorrect. When an unlicensed ESXi host's evaluation period expires, it is disconnected from vCenter entirely; it is not "limited to 64 cores".

Option B (operate in evaluation, then limited to 64 cores) – Incorrect. Same as A—core limitation is not a behavior of evaluation expiry. Disconnection occurs, not throttling.

Option D (no issue) – Incorrect. The license capacity is insufficient (960 used + 96 needed = 1056 > 1024), so the host cannot be properly licensed without adding capacity.

📚 References

VMware TechDocs: "Licensing for ESXi Hosts" – Evaluation mode and license expiry behavior

Broadcom KB 95927: "Determining Required Subscription Capacity" – 16-core minimum licensing rule

During a recent audit, it was determined that a group of users may have been compromised. These users should not have access to any VMware vCenter resources while an investigation is underway. All the affected users have been placed into a SUSPECT_USERS group.

Which step is required to ensure that the suspect users will never have access to resources in vCenter?



A. Assign the SUSPECT_USERS group the No access role to the vCenter Object and check propagate.


B. Assign the SUSPECT_USERS group the Administrator role to the vCenter Object and uncheck propagate.


C. Disconnect the vCenter from Active Directory.


D. Assign the SUSPECT_USERS group the Read-only role to the vCenter Object and check propagate.





A.
  Assign the SUSPECT_USERS group the No access role to the vCenter Object and check propagate.

Explanation:

✅ Why Option A is Correct
In vCenter Server, permissions are granted using roles (privilege sets) assigned to users or groups on inventory objects (e.g., vCenter root folder, clusters, VMs). To deny access completely, you assign the No access role. This role explicitly revokes all privileges.

❌ Why Other Options Are Incorrect

Option B (Assign Administrator role, uncheck propagate)
– This grants full administrative access, which is the opposite of what is required. Unchecking propagate only restricts the permission to the top vCenter object itself, which would still grant excessive access.

Option C (Disconnect vCenter from Active Directory)
– This would block authentication for all AD users, not just the suspect group, causing widespread service disruption. It also does not meet the requirement of "never have access" when AD is reconnected later.

Option D (Assign Read-only role, check propagate)
– This grants read access to all objects, allowing users to view VM names, configurations, and performance data. This violates the security requirement that they should have "no access" during the investigation.

📚 References

VMware TechDocs: "Managing vCenter Server Permissions" – Explains No access role and permission propagation

VMware Security Configuration Guide: "Assignment of No Access Permission" – Recommended method for immediate user access revocation

An administrator has been tasked to share resources in the cluster between the Quality Assurance (QA) Department and Marketing Department. The following information has been provided:

In the case of contention, the QA Department must not lose any performance.

When the QA Department is not using all of its allocated resources, the Marketing Department requires the ability to consume them.

The administrator has set up resource pools for the QA Department (RP-QA) and Marketing Department (RP-MKT).

How should the resource shares be configured for each pool?



A. Set both Resource Pools to Fixed.


B. Set RP-QA to Fixed and RP-MKT to Scalable.


C. Set RP-QA to Scalable and RP-MKT to Fixed.


D. It is not possible to satisfy the requirements of both departments.





B.
  Set RP-QA to Fixed and RP-MKT to Scalable.

Explanation:

✅ Why Option B is Correct
The requirement states that Marketing must consume QA's idle resources. In vSphere resource pools, the Expandable Reservation setting controls borrowing behavior. Setting RP-MKT to Scalable (Expandable Reservation = True) allows it to borrow unreserved resources from its parent (the cluster) when needed. Since QA's idle resources return to the parent, Marketing can consume them via scalability. Setting RP-QA to Fixed (Expandable Reservation = False) ensures QA's reservation is protected—it cannot be borrowed away, guaranteeing QA's performance under contention. The default Expandable Reservation is True (Scalable).

❌ Why Other Options Are Incorrect

A. Both Fixed
– Marketing cannot borrow idle QA resources because Fixed prevents upward expansion. This violates requirement 2.

C. QA Scalable, MKT Fixed
– QA Scalable allows QA to borrow from parent, but MKT Fixed prevents Marketing from expanding upward to consume idle QA resources. This fails requirement 2.

D. Impossible
– Incorrect; the combination in B satisfies both requirements through proper Expandable Reservation configuration.

📚 References

VMware vSphere Resource Management: Expandable Reservation allows resource pools to borrow from parent when set to True (Scalable)

VMware API Documentation: expandableReservation property controls dynamic reservation growth

An administrator is tasked with deploying a VMware Cloud Foundation (VCF) Operations for Logs appliance into vSphere Foundation.

After downloading the .ova, which component does the administrator use to deploy the file?



A. VCF Fleet Management


B. vSphere Client


C. VCF Automation


D. VCF Operations





B.
  vSphere Client

Explanation:

✅ Why Option B is Correct
After downloading the VCF Operations for Logs appliance as an .ova file, the administrator deploys it using the vSphere Client. VMware documentation explicitly states: "Deploy the VCF Operations for logs virtual appliance for VMware vSphere Foundation (VVF) by using the vSphere Client". The deployment process involves navigating to File → Deploy OVF Template in the vSphere Client and following the wizard prompts. For VVF environments specifically, manual OVA deployment via vSphere Client is the standard method because Fleet Management-based deployment is not available.

❌ Why Other Options Are Incorrect

A. VCF Operations
– VCF Operations is the monitoring and analytics platform that collects data from deployed components. It is used to configure integration with the Logs appliance after deployment, not to deploy the .ova file itself.

C. VCF Fleet Management
– While VCF Fleet Management can deploy VCF Operations for Logs in full VCF environments, it is not available for VMware vSphere Foundation (VVF) deployments. The question specifies deploying into vSphere Foundation, making this option invalid.

D. VCF Automation
– VCF Automation is an orchestration component for managing workloads and lifecycle operations, not a tool for manual .ova deployment.

📚 References

Broadcom TechDocs: "Deploying the VCF Operations for logs Appliance for VMware vSphere Foundation"

Broadcom KB 421584: "Manual deployment of VCF Operations for Logs using OVA"

An administrator has licensed vSphere components in Connected mode and then switched to Disconnected mode to meet the company security restrictions, which cannot be violated.

What must the administrator do to ensure the VMware vSphere Foundation license remains valid?



A. Switch to Connected mode, validate that VCF Operations has downloaded a new license file from VCF Business Services console, and then switch to Disconnected mode at least once every 365 days.


B. Manually exchange a registration and license file between the VCF Operations instance and the VCF Business Services console at least once every 180 days.


C. Nothing. The license is perpetual.


D. Provide an internet connection to VCF Operations, then download a new license file from the VCF Business Services console at least once every 180 days.





B.
  Manually exchange a registration and license file between the VCF Operations instance and the VCF Business Services console at least once every 180 days.

Explanation:

✅ Why Option B is Correct
When a VCF Operations instance operates in Disconnected mode (no internet connection), it cannot automatically communicate with the VCF Business Services console. To maintain license validity, the administrator must manually perform a file-based exchange:

Generate a usage file from the VCF Operations instance
Transfer the file to an internet-connected computer
Upload the usage file to the VCF Business Services console
Download the new license file from the console
Import the license file back into the VCF Operations instance

The 180‑day requirement is critical: VMware mandates that license usage data must be submitted and licenses updated at least once every 6 months (180 days). If the license update is not performed within this timeframe, the licenses are treated as expired, hosts become disconnected from vCenter, and new workload operations cannot be started. The 180‑day cycle applies specifically to the manual file exchange process in Disconnected mode.

❌ Why Other Options Are Incorrect

A. Switch to Connected mode every 365 days – Incorrect.
The requirements specify security restrictions "cannot be violated," meaning the environment permanently remains in Disconnected mode. Periodically switching to Connected mode would violate these security restrictions. The license update requirement is 180 days, not 365 days.

C. Nothing; the license is perpetual – Incorrect.
VMware discontinued perpetual licenses in 2024; all new licensing is subscription-based. Subscription licenses in Disconnected mode require regular manual validation to remain valid. There is no perpetual license option in VVF 9.0.

D. Provide an internet connection every 180 days – Incorrect.
This directly contradicts the security restriction that the environment cannot violate disconnected mode requirements. The whole reason for Disconnected mode is to avoid any internet connectivity. Manual file exchange is the prescribed method for air‑gapped environments.

📚 References

Broadcom TechDocs: "Report License Usage and Update Licenses in Disconnected Mode" – Details the 180‑day manual exchange requirement

Broadcom TechDocs: "High-Level Licensing Workflow" – Confirms the 6‑month update mandate
