Microsoft AZ-801 Exam (page: 4)
Microsoft Configuring Windows Server Hybrid Advanced Services
Updated on: 28-Jul-2025


Case Study:
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview:
Contoso, Ltd. is a manufacturing company that has a main office in Seattle and branch offices in Los Angeles and Montreal.

Existing Environment
Active Directory Environment
Contoso has an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with a Microsoft Entra tenant. The AD DS domain contains the domain controllers shown in the following table.


Contoso recently purchased an Azure subscription.
The functional level of the forest is Windows Server 2012. The functional level of the domain is Windows Server 2012 R2. The forest has the Active Directory Recycle Bin enabled.
The contoso.com domain contains the users shown in the following table.


The contoso.com domain has the Group Policy Objects (GPOs) shown in the following table.


The contoso.com domain has the Password Settings Objects (PSOs) shown in the following table.



Server Infrastructure
The contoso.com domain contains servers that run Windows Server 2022 as shown in the following table.


By using Windows Defender Firewall with Advanced Security, the servers have isolation connection security rules configured as shown in the following table.


Server4 has no connection security rules.
Server4 Configurations
Server4 has the effective Group Policy settings for user rights as shown in the following table.


Server4 has the disk configurations shown in the following exhibit.



Virtualization Infrastructure
The contoso.com domain has the Hyper-V failover clusters shown in the following table.



Technical Requirements
Contoso identifies the following technical requirements:
Promote a new server named DC4 that runs Windows Server 2022 to a domain controller.
Replicate the virtual machines from Cluster2 to an Azure Recovery Services vault.
Centrally manage performance alerts in Azure for all the domain controllers.
Ensure that User1 can recover objects from the Active Directory Recycle Bin.
Migrate Share1 to Server2, including all the share and folder permissions.
Back up Server4 and all data to an Azure Recovery Services vault.
Use Hyper-V Replica to protect the virtual machines in Cluster3.
Implement BitLocker Drive Encryption (BitLocker) on Server4.
Whenever possible, use the principle of least privilege.

You have a server named Server1 that runs Windows Server. The server is configured to encrypt all incoming traffic by using a connection security rule.
You need to ensure that Server1 can respond to the unencrypted tracert commands initiated from computers on the same network.
What should you do from Windows Defender Firewall with Advanced Security?

  1. From the IPsec Settings, configure IPsec defaults.
  2. Create a new custom outbound rule that allows ICMPv4 protocol connections for all profiles.
  3. Change the Firewall state of the Private profile to Off.
  4. From the IPsec Settings, configure IPsec exemptions.

Answer(s): D





You have an Azure virtual machine named VM1.
You enable Microsoft Defender SmartScreen on VM1.
You need to ensure that the SmartScreen messages displayed to users are logged. What should you do?

  1. From a command prompt, run WinRM quickconfig.
  2. From the local Group Policy, modify the Advanced Audit Policy Configuration settings.
  3. From Event Viewer, enable the Debug log.
  4. From the Windows Security app, configure the Virus & threat protection settings.

Answer(s): C


Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview





HOTSPOT (Drag and Drop is not supported)
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that runs Windows Server.
You run Get-BitLockerVolume -MountPoint C,D | fl *, which generates the following output.




You need to ensure that volume D will be unlocked automatically when Server1 restarts.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Add-BitLockerKeyProtector
From the exhibit we see for volume D that AutoUnlockEnabled is False, and AutoUnlockKeyStored is empty.
The Add-BitLockerKeyProtector cmdlet adds a protector for the volume key of the volume protected with BitLocker Drive Encryption.
Example: The following example adds an ADAccountOrGroup protector to the previously encrypted operating system volume using the SID of the account:
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.

Box 2: Service
The -Service parameter indicates that the system account for this computer unlocks the encrypted volume.
Add-BitLockerKeyProtector syntax with use of the ADAccountOrGroupProtector parameter:
Add-BitLockerKeyProtector [-MountPoint] <String[]> [-ADAccountOrGroupProtector] [-ADAccountOrGroup] <String> [-Service] [-WhatIf] [-Confirm] [<CommonParameters>]

Incorrect:
* Enable-BitLockerAutoUnlock
The Enable-BitLockerAutoUnlock cmdlet enables automatic unlocking for a volume protected by BitLocker Disk Encryption.
The command has no -ADAccountOrGroupProtector parameter.
Syntax: Enable-BitLockerAutoUnlock [-MountPoint] <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
* Clear-BitLockerAutoUnlock
The Clear-BitLockerAutoUnlock cmdlet removes all automatic unlocking keys used by BitLocker Drive Encryption. BitLocker stores these keys for the fixed data drives of a system on a volume that hosts a BitLocker-enabled operating system volume so that it can automatically unlock the fixed and removable data volumes in a system. This makes it easier for users to access data volumes.
Syntax: Clear-BitLockerAutoUnlock [<CommonParameters>]


Reference:

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker
https://docs.microsoft.com/en-us/powershell/module/bitlocker/add-bitlockerkeyprotector





HOTSPOT (Drag and Drop is not supported)
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the accounts shown in the following table.


The domain is configured to store BitLocker recovery keys in Active Directory. Admin1 and Admin2 perform the following configurations:
1. Admin1 turns on BitLocker Drive Encryption (BitLocker) for volume C on Server1.
2. Admin1 moves Server1 to OU1.
3. Admin2 turns on BitLocker for removable volume E on Server2.
4. Admin2 moves removable volume E from Server2 to Server1 and unlocks the volume.
On which Active Directory object can you view each BitLocker recovery key? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Server1
You can configure Group Policies in your domain so that when encrypting any drive with BitLocker, the computer will save the recovery key in its computer object account in AD (like storing a local computer administrator password generated using LAPS).
Box 2: Server2


Reference:

http://woshub.com/store-bitlocker-recovery-keys-active-directory/





HOTSPOT (Drag and Drop is not supported)
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains servers that run Windows Server as shown in the following table.


Server1 has the connection security rules shown in the following table.


Server2 has the connection security rules shown in the following table.


Server3 has the connection security rules shown in the following table.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode





You have an Azure subscription that contains a user named User1 and the resources shown in the following table.


User1 has a computer named Computer1 that runs Windows 11. User1 works from home and establishes a Point-to-Site (P2S) connection to GW1 to access AppSvr1.
You deploy the resources shown in the following table.


User1 cannot access AppSvr2.
You need to ensure that User1 can access AppSvr2. What should you do?

  1. On Computer1, download and reinstall the VPN client.
  2. Create a route table and associate the table with GatewaySubnet on VNet1.
  3. On Computer1, modify the Windows Defender Firewall settings.
  4. Add a service endpoint to VNet2.

Answer(s): A




Case Study:
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview:
Contoso, Ltd. is a manufacturing company that has a main office in Seattle and branch offices in Los Angeles and Montreal.

Existing Environment
Active Directory Environment
Contoso has an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with a Microsoft Entra tenant. The AD DS domain contains the domain controllers shown in the following table.


Contoso recently purchased an Azure subscription.
The functional level of the forest is Windows Server 2012. The functional level of the domain is Windows Server 2012 R2. The forest has the Active Directory Recycle Bin enabled.
The contoso.com domain contains the users shown in the following table.


The contoso.com domain has the Group Policy Objects (GPOs) shown in the following table.


The contoso.com domain has the Password Settings Objects (PSOs) shown in the following table.



Server Infrastructure
The contoso.com domain contains servers that run Windows Server 2022 as shown in the following table.


By using Windows Defender Firewall with Advanced Security, the servers have isolation connection security rules configured as shown in the following table.


Server4 has no connection security rules.
Server4 Configurations
Server4 has the effective Group Policy settings for user rights as shown in the following table.


Server4 has the disk configurations shown in the following exhibit.



Virtualization Infrastructure
The contoso.com domain has the Hyper-V failover clusters shown in the following table.



Technical Requirements
Contoso identifies the following technical requirements:
Promote a new server named DC4 that runs Windows Server 2022 to a domain controller.
Replicate the virtual machines from Cluster2 to an Azure Recovery Services vault.
Centrally manage performance alerts in Azure for all the domain controllers.
Ensure that User1 can recover objects from the Active Directory Recycle Bin.
Migrate Share1 to Server2, including all the share and folder permissions.
Back up Server4 and all data to an Azure Recovery Services vault.
Use Hyper-V Replica to protect the virtual machines in Cluster3.
Implement BitLocker Drive Encryption (BitLocker) on Server4.
Whenever possible, use the principle of least privilege.

HOTSPOT (Drag and Drop is not supported)
You have a generation 1 Azure virtual machine named VM1 that runs Windows Server and is joined to an Active Directory domain.
You plan to enable BitLocker Drive Encryption (BitLocker) on volume C of VM1.
You need to ensure that the BitLocker recovery key for VM1 is stored in Active Directory.
Which two Group Policy settings should you configure first? To answer, select the settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Enforce drive encryption type on operating system drives
This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.

Box 2: Choose how BitLocker-protected operating system drives can be recovered
This policy setting is used to configure recovery methods for operating system drives.

Note: How to save BitLocker keys in AD (Active Directory)
Create and configure a GPO (Group Policy Object)
Create a separate Group Policy Object, go to the GPO section listed in the example below, and enable the "Store BitLocker recovery information in AD" policy.

Next, go to the "Operating system Drives" section and activate the "Choose how BitLocker-protected operating system drives can be recovered" policy.

The last point in this option is used to prevent BitLocker from encrypting the disk until the PC sends the key to the domain.

Incorrect:
* Configure use of hardware-based encryption for operating system drives
If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.

Reference:
https://serverspace.io/support/help/bitlocker-active-directory/
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings
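
A check that the recovery policy described above has actually reached the server and that the recovery password is present in AD DS. This is an added example, not part of the exam material. It assumes an elevated session on the domain-joined server, the ActiveDirectory RSAT module, and an account delegated to read msFVE-RecoveryInformation objects; the registry value names are the ones the "Choose how BitLocker-protected operating system drives can be recovered" policy writes.

```powershell
# Added example. Run elevated after the GPO has applied (gpupdate /force).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values written by the OS-drive recovery policy, and what each must be
# for AD DS escrow to be enforced.
$required = [ordered]@{
    OSRecovery                     = 1   # policy is enabled
    OSActiveDirectoryBackup        = 1   # save recovery information to AD DS
    OSRequireActiveDirectoryBackup = 1   # block encryption until the key is stored in AD DS
}

$policy  = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$missing = @(foreach ($name in $required.Keys) {
    if ($null -eq $policy -or $policy.$name -ne $required[$name]) { $name }
})
if ($missing.Count -gt 0) {
    throw "Recovery policy not in effect, check: $($missing -join ', ')"
}

# If C: received a recovery password before the policy applied, escrow it now.
$volume = Get-BitLockerVolume -MountPoint 'C:'
$recoveryProtectors = @($volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
foreach ($kp in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# Confirm from the directory side: recovery objects are children of the computer object.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$escrowed = @(Get-ADObject -SearchBase $computer.DistinguishedName `
    -Filter "objectClass -eq 'msFVE-RecoveryInformation'")

# The recovery object's name embeds the protector ID, so match each local protector.
foreach ($kp in $recoveryProtectors) {
    $found = [bool]($escrowed | Where-Object { $_.Name -like "*$($kp.KeyProtectorId)*" })
    [pscustomobject]@{ KeyProtectorId = $kp.KeyProtectorId; InActiveDirectory = $found }
}
```

Any protector reported with InActiveDirectory set to False has no recoverable copy in the domain and should be backed up again before the volume is relied on.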




Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From App & browser control, you configure Reputation-based protection.
Does this meet the goal?

  1. Yes
  2. No

Answer(s): B

Explanation:

Instead: From Virus & threat protection, you configure Controlled folder access.
Incorrect:
* Reputation-based protection
Protect your PC from potentially unwanted applications.
Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which may be more harmful or annoying.
Windows Security has reputation-based protection that can help protect your PC from potentially unwanted applications. Potentially unwanted app blocking was first introduced in the Windows 10 May 2020 update and is turned on by default for enterprise customers, but off by default for consumers.
How do I configure it?
To configure potentially unwanted app blocking go to Start > Settings > Update & Security > Windows Security > App & browser control > Reputation-based protection settings.
There you'll find a control that lets you turn potentially unwanted app blocking off, and select if you want to block apps, downloads, or both.


We recommend that you leave this feature on, and that you enable both block apps and block downloads.
Block apps will detect PUA that you've already downloaded or installed, so if you're using a different browser Windows Security can still detect PUA after you've downloaded it.
Block downloads looks for PUA as it's being downloaded, but it only works with the new Microsoft Edge browser.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide
https://support.microsoft.com/en-us/windows/protect-your-pc-from-potentially-unwanted-applications-c7668a25-174e-3b78-0191-faf0607f7a6e
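
The Controlled folder access setting named in the explanation can also be applied with the Defender PowerShell cmdlets, starting in audit mode so legitimate writers are identified before anything is blocked. This is an added example, not part of the exam material; the folder and application paths are placeholders.

```powershell
# Added example. Run elevated on Server1. Both paths below are placeholders.
$protectedFolder = 'D:\Data'
$allowedApp      = 'C:\Program Files\ExampleApp\app.exe'

# Audit mode logs writes to protected folders without blocking them,
# which shows what the allow list needs to contain.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedApp

# Review what was (or would have been) stopped:
# event 1124 = audited write, event 1123 = blocked write.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# After the audit events show only expected applications, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```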






Share your comments for Microsoft AZ-801 exam with other users:

Philippe 1/22/2023 10:24:00 AM

I am impressed with the quality of these dumps. The questions and answers were easy to understand and the xengine app was very helpful to use.
CANADA