Changed CPC-CDE-RECERT Exam Questions

CyberArk’s PSM hardening procedure for In Domain deployments explicitly recommends linking the hardening GPO to a dedicated OU and ensuring the CyberArk servers are located under that OU so the hardening GPO does not affect any other server.

This directly matches D.

In the Shared Services model, MFA enforcement is done in CyberArk Identity / Identity Administration using Core Services > Policies:

To enforce MFA broadly, CyberArk documents configuring MFA for all users by enabling authentication policy controls and creating/assigning an authentication profile (the mechanisms/challenges).

To require users to set up MFA factors, CyberArk documents the setting under User Security Policies > User Account Settings where you specify the minimum number of authentication factors users must configure upon login.

Option B is the only choice that correctly points you to the right place and activity (Identity Administration Policies to configure authentication/MFA requirements and enrollment requirements).

AllowedSafes is a regular expression and is case sensitive.

The regex Win (with no anchors) will match any Safe name that contains the exact substring “Win” with the same case:

WindowsPasswords → starts with Win ✅

SQL-Win-SA → contains Win ✅

win-ssh-keys → contains win (lowercase) ❌ (case sensitive)

CXD-WIN-ADMINS → contains WIN (all caps) ❌

WiNdOwS_Accts → mixed case, does not contain the exact substring Win ❌

Therefore the correct choices are A and D.

CyberArk’s official guidance for restricting a platform to specific Safes is to set the AllowedSafes platform parameter in the General section of the platform under Automatic Password Management.

AllowedSafes uses a regular expression to match Safe names, which is why a pattern such as (WINDEMEA)|(WINDEMEA_ADMIN) is used to allow exactly those two Safe names.