Microsoft AZ-801 Exam (page: 7)
Microsoft Configuring Windows Server Hybrid Advanced Services
Updated on: 31-Mar-2026


You have a server named Server1 that runs Windows Server.

You install a custom app named App1 that is accessed by using TCP port 52310.

Users report that they cannot access App1.

You confirm that App1 is running on Server1.

You need to ensure that the users can access App1. The solution must only provide access to App1 on Server1.

What should you do in Windows Defender Firewall with Advanced Security?

  A. Create an isolation connection security rule.
  B. Create an outbound rule.
  C. Create an inbound rule.
  D. For the current profile, allow all inbound connections.

Answer(s): C

Explanation:

To allow access to App1 without exposing anything else on Server1, open Windows Defender Firewall with Advanced Security, select Inbound Rules, create a New Rule, choose Port as the rule type, select TCP, enter 52310 in Specific local ports, choose Allow the connection, and then select the appropriate network profiles.
Finally, give the rule a descriptive name and click Finish to apply it. An inbound rule scoped to the app's port limits the exposure to App1; allowing all inbound connections for the profile would open every listener on Server1, which violates the requirement.
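The same inbound rule created and verified with the NetSecurity cmdlets instead of the GUI, as an added example that is not part of the exam page. The App1 binary path is a hypothetical placeholder; scoping the rule to the program as well as the port keeps it from allowing anything other than App1.

```powershell
# Added example (not from the exam page): allow only App1's listener on Server1.
# Assumption: App1 runs from C:\App1\App1.exe (hypothetical path); run elevated on Server1.
$appPath = 'C:\App1\App1.exe'   # hypothetical; substitute the real App1 executable

# Inbound allow rule bound to App1's executable and its TCP port on all profiles.
New-NetFirewallRule -DisplayName 'Allow App1 (TCP 52310)' `
    -Direction Inbound -Action Allow -Enabled True `
    -Protocol TCP -LocalPort 52310 -Program $appPath `
    -Profile Domain,Private,Public `
    -Description 'Allow inbound TCP 52310 to App1 only'

# Verify the rule: enabled, inbound, allow, and bound to exactly TCP 52310 and App1.
$rule = Get-NetFirewallRule -DisplayName 'Allow App1 (TCP 52310)'
$port = $rule | Get-NetFirewallPortFilter
$app  = $rule | Get-NetFirewallApplicationFilter
[pscustomobject]@{
    Enabled   = $rule.Enabled
    Direction = $rule.Direction
    Action    = $rule.Action
    Protocol  = $port.Protocol
    LocalPort = $port.LocalPort
    Program   = $app.Program
}

# Confirm App1 is actually listening on the port before attributing failures to the firewall.
Get-NetTCPConnection -LocalPort 52310 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```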


Reference:

https://learn.microsoft.com/en-us/sql/sql-server/install/configure-the-windows-firewall-to-allow-sql-server-access



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains an Azure key vault named Vault1.

You deploy Azure Disk Encryption.

You configure Vault1 to support Azure Disk Encryption.

You need to ensure that you can encrypt Azure Disk Encryption artifacts before they are written to Vault1. The solution must provide the highest level of encryption.

How should you complete the command? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1: key
Create and configure a key vault for Azure Disk Encryption on a Windows VM

Set up a key encryption key (KEK)
If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault.
When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.

Use the Azure CLI az keyvault key create command to generate a new KEK and store it in your key vault.

az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096

Box 2: RSA-HSM
For 4096-bit encryption choose RSA-HSM.

Note: Which to choose

For maximum key security: Always use an HSM (like EC-HSM or RSA-HSM) to protect your keys, regardless of the algorithm you choose.

Key types and protection methods
Key Vault Premium and Standard support RSA and EC keys. Managed HSM supports RSA, EC, and symmetric keys.

HSM-protected keys
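The KEK flow above carried through with Az PowerShell, as an added example that is not from the exam page or Microsoft's documentation: it creates the 4096-bit key as RSA-HSM rather than software-protected RSA and then points Azure Disk Encryption at it. The resource group RG1 and VM name VM1 are hypothetical placeholders; Vault1 is assumed to already be enabled for disk encryption as the question states.

```powershell
# Added example (not from the exam page): HSM-protected 4096-bit RSA KEK for Azure Disk Encryption.
# Assumptions: RG1 and VM1 are hypothetical; Vault1 has -EnabledForDiskEncryption set already.
$rg    = 'RG1'
$vm    = 'VM1'
$vault = 'Vault1'

# -Destination HSM yields an RSA-HSM key (key material stays in the HSM);
# -Destination Software would create a plain RSA key instead.
$kek = Add-AzKeyVaultKey -VaultName $vault -Name 'myKEK' `
    -Destination HSM -KeyType RSA -Size 4096

# Check what was created before depending on it.
$kek.Attributes.Enabled    # expected: True
$kek.Key.Kty               # expected: RSA-HSM for an HSM-protected key

# Enable ADE on the VM: disk secrets are wrapped with the KEK before being written to Vault1.
$kv = Get-AzKeyVault -VaultName $vault
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All

# Verify the OS and data disk encryption state afterwards.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
```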


Reference:

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys



HOTSPOT (Drag and Drop is not supported)

You plan to deploy an Azure confidential virtual machine named VM1.

You need to ensure that you can implement confidential disk encryption for VM1.

What should you do? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1: DC
Use virtual machine series

Confidential VMs support the following VM sizes:

General Purpose without local disk: DCasv5-series, DCesv5-series
General Purpose with local disk: DCadsv5-series, DCedsv5-series
Memory Optimized without local disk: ECasv5-series, ECesv5-series
Memory Optimized with local disk: ECadsv5-series, ECedsv5-series

NVIDIA H100 Tensor Core GPU powered NCCadsH100v5-series

Box 2: The operating system disk, data disks, and temporary disk
Disks that can be encrypted

Confidential OS disk encryption
Azure confidential VMs offer a new and enhanced disk encryption scheme. This scheme protects all critical partitions of the disk.

Confidential temp disk encryption
You can also extend the protection of confidential disk encryption to the temp disk. We enable this by leveraging an in-VM symmetric key encryption technology, after the disk is attached to the CVM.


Reference:

https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview



HOTSPOT (Drag and Drop is not supported)

Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains the servers shown in the following table.



For each server, Windows Defender Firewall is configured to allow only communication between servers on the same segment.

Server1 has the following connection security rule:

Name: Rule1
Rule type: isolation
Requirement: Require authentication for inbound connections and request authentication for outbound connections
Authentication method: Computer (Kerberos V5)
Profile: Domain, Private, Public

Server2 does not have any connection security rules.

Server3 has the following connection security rule:

Name: Rule3
Rule type: Server-to-server
Endpoints
Computers in Endpoint 1: 192.168.5.0/24
Computers in Endpoint 2: 192.168.1.0/24
Requirement: Request authentication for inbound and outbound connections
Authentication method: Computer (Kerberos V5)
Profile: Domain, Private, Public

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1: Yes
Yes - Server1 can initiate communication with Server2 successfully.

Server1 and Server2 are in the same network segment.
The Server1 isolation connection security rule will allow communication between Server1 and Server2, because Server1 only requests authentication for outbound connections.
Server2 has no connection security rules.

Note: Windows Defender Firewall is configured to allow only communication between servers on the same segment.

Box 2: Yes
Yes - Server2 can initiate communication with Server3 successfully.

Server2 and Server3 are in different network segments.
Server2 has no connection security rules.
Server3 has a connection security rule whose endpoints cover the Server2 and Server3 network segments. The connection rule requests, but does not require, authentication for inbound and outbound connections.

Box 3: No
No - Server3 can initiate communication with Server1 successfully.

The Server1 isolation connection security rule will disallow communication between Server3 and Server1.

Note: A Windows Defender Firewall isolation rule restricts communication and prevents it from traversing between different network segments by design, as its primary function is to isolate computers by limiting connections based on credentials. Instead of allowing broad communication, isolation rules are configured to enforce authentication and restrict connections only to other members of the same isolated domain or specified authentication exemptions.
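Rule1 and Rule3 from the question expressed with the NetSecurity cmdlets, plus a read-back of what each rule enforces, as an added example that is not part of the exam page. The auth set name is an assumption; the Rule1 block is meant to run on Server1 and the Rule3 block on Server3.

```powershell
# Added example (not from the exam page): the two connection security rules from the question.
# Assumption: both rules authenticate the computer account with Kerberos V5; the auth set
# display name below is a placeholder. Run elevated on the respective server.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos V5' -Proposal $proposal

# Rule1 (Server1): isolation rule, no address scoping, require inbound / request outbound.
New-NetIPsecRule -DisplayName 'Rule1' -Phase1AuthSet $authSet.Name `
    -InboundSecurity Require -OutboundSecurity Request `
    -Profile Domain,Private,Public

# Rule3 (Server3): server-to-server rule scoped to the two endpoints, request in both directions.
New-NetIPsecRule -DisplayName 'Rule3' -Phase1AuthSet $authSet.Name `
    -LocalAddress 192.168.5.0/24 -RemoteAddress 192.168.1.0/24 `
    -InboundSecurity Request -OutboundSecurity Request `
    -Profile Domain,Private,Public

# Read back the requirement: 'Require' on the inbound side drops peers that do not authenticate;
# 'Request' lets the connection fall back to clear text when the peer cannot authenticate.
Get-NetIPsecRule -DisplayName 'Rule1','Rule3' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile

# Once traffic has flowed, the main mode SAs show which peers actually authenticated and how.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```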


Reference:

https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/rules



Your network contains an Active Directory Domain Services (AD DS) domain.

You need to configure a ticket-granting ticket (TGT) lifetime for specific user and computer accounts. The solution must meet the following requirements:

Minimize the impact on the other user and computer accounts in the domain.
Minimize administrative effort.

What should you configure?

  A. a dynamic access control policy
  B. a password policy
  C. an authentication policy and an authentication policy silo
  D. a fine-grained password policy

Answer(s): C

Explanation:

To configure a specific TGT lifetime for selected users and computers in an Active Directory Domain Services (AD DS) domain, use the Authentication Policies and Authentication Policy Silos feature by creating an Authentication Policy, configuring its TGT lifetime, and then assigning it to an Authentication Policy Silo that contains the target user and computer accounts. This provides more granular control than the domain-wide Kerberos Policy settings in Group Policy.
Here are the steps:
1. Open Active Directory Administrative Center (ADAC) and navigate to the Authentication Policy Silos container.
2. Create an Authentication Policy and set its TGT lifetime.
3. Create an Authentication Policy Silo.
4. Add the target users and computers to the silo.
5. Assign the Authentication Policy to the silo.
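The same five steps with the ActiveDirectory module, as an added example that is not part of the exam page: the policy and silo names, the 120-minute lifetime, and the accounts User1 and Server5$ are hypothetical placeholders.

```powershell
# Added example (not from the exam page): scope a TGT lifetime to selected accounts only.
# Assumptions: names, the 120-minute lifetime, and accounts User1 / Server5$ are placeholders.
Import-Module ActiveDirectory

# 1. Authentication policy carrying the shorter TGT lifetimes. Without -Enforce the policy is
#    audit-only (violations are logged but the lifetime is not applied).
$policy = New-ADAuthenticationPolicy -Name 'ShortTGT-Policy' `
    -UserTGTLifetimeMins 120 -ComputerTGTLifetimeMins 120 -Enforce -PassThru

# 2. Silo that applies the policy to the users and computers placed in it.
$silo = New-ADAuthenticationPolicySilo -Name 'ShortTGT-Silo' `
    -UserAuthenticationPolicy $policy -ComputerAuthenticationPolicy $policy -Enforce -PassThru

# 3./4. Permit the accounts to join the silo, then assign them. Only these accounts are affected;
#       the domain-wide Kerberos policy in Group Policy is left untouched.
$accounts = @('User1', 'Server5$')
foreach ($acct in $accounts) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $acct
}
Set-ADUser     -Identity 'User1'    -AuthenticationPolicySilo $silo
Set-ADComputer -Identity 'Server5$' -AuthenticationPolicySilo $silo

# 5. Verify the effective lifetimes and the silo assignment.
Get-ADAuthenticationPolicy -Identity $policy |
    Select-Object Name, UserTGTLifetimeMins, ComputerTGTLifetimeMins, Enforce
Get-ADUser -Identity 'User1' -Properties AuthenticationPolicySilo |
    Select-Object Name, AuthenticationPolicySilo
```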


Reference:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts



Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains five servers that run Windows Server. The network also contains two workgroup servers that run Windows Server.

You need to implement a connection security rule between the member servers and the workgroup servers.

Which authentication method should you use?

  A. User (Kerberos V5)
  B. Computer certificate
  C. Computer (Kerberos V5)
  D. Computer (NTLMv2)

Answer(s): C

Explanation:

For connection security rules between member servers and workgroup servers in an Active Directory (AD) domain, you should use Kerberos. The workgroup server needs to be able to authenticate with the domain, and the default and preferred protocol for this in an AD environment is Kerberos, which issues tickets for secure, ticket-based authentication.
User (Kerberos V5) authentication versus Computer (Kerberos V5) authentication
The core difference is who or what is authenticating to the network: User authentication verifies a human user's identity, typically using their password, while Computer (or host) authentication verifies the identity of a machine on the network, using its machine account credentials instead of a password. Both rely on the same underlying Kerberos V5 protocol for ticket-based authentication to a Key Distribution Center (KDC), but they use different principal names--username@REALM


Reference:

https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview



HOTSPOT (Drag and Drop is not supported)

You have a server that runs Windows Server.

You need to enable the following security features:

Core isolation
Force randomization for images (Mandatory ASLR)

Which Windows Security tile should you use to enable each feature? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1: Device Security
Core isolation

To enable Core isolation (Memory Integrity) in Windows Server, open the Windows Security app and navigate to Device Security > Core Isolation Details. Toggle Memory Integrity to the On position and restart your computer for the change to take effect. Ensure your system firmware supports virtualization (UEFI mode is required) and that there are no incompatible drivers causing conflicts.

Box 2: App & browser control
Force randomization for images (Mandatory ASLR)

To force Address Space Layout Randomization (ASLR) for all executables on Windows Server, navigate to Windows Security > App & browser control > Exploit protection settings, and then set "Force randomization for images (Mandatory ASLR)" to "On by default". This setting applies system-wide but may cause compatibility issues with older applications that don't fully support ASLR.
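Both settings applied and verified from PowerShell rather than the Windows Security tiles, as an added example that is not part of the exam page. It assumes an elevated session and that the server reboots before the memory integrity check is read.

```powershell
# Added example (not from the exam page): enable and verify Core isolation and Mandatory ASLR.
# Assumption: run elevated; memory integrity only reports as running after a restart.

# Firmware precondition named above: memory integrity needs UEFI boot.
$env:firmware_type   # expected: UEFI

# Core isolation (memory integrity / HVCI): the Device Security toggle sets this value.
$hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvci -Force | Out-Null
Set-ItemProperty -Path $hvci -Name 'Enabled' -Value 1 -Type DWord

# Mandatory ASLR as the system-wide default ("Force randomization for images" = On by default).
Set-ProcessMitigation -System -Enable ForceRelocateImages

# Verification: after the reboot, HVCI appears as 2 in SecurityServicesRunning.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsRunning    = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    HvciRunning   = ($dg.SecurityServicesRunning -contains 2)
    MandatoryAslr = (Get-ProcessMitigation -System).ASLR.ForceRelocateImages
}

# Compatibility handling for an old binary that breaks under mandatory ASLR: opt out that one
# program instead of turning the setting off system-wide (LegacyApp.exe is a placeholder).
# Set-ProcessMitigation -Name 'LegacyApp.exe' -Disable ForceRelocateImages
```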


Reference:

https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
https://learn.microsoft.com/en-us/defender-endpoint/customize-exploit-protection



You have an Azure subscription that contains the Azure key vaults shown in the following table.



You create a virtual machine that has the following configurations:

Name: VM1
Resource group: RG1
Azure region: East US
Operating system: Windows Server

You need to enable Azure Disk Encryption for VM1.

Which key vault can you use to store the encryption key for VM1?

  A. Vault1 only
  B. Vault1 or Vault2 only
  C. Vault1 or Vault3 only
  D. Vault1, Vault2, Vault3, or Vault4

Answer(s): C

Explanation:

Vault1 and Vault2 are in the same region as VM1.
Note: When using Azure Disk Encryption (ADE), the Azure Key Vault that stores the encryption keys must be in the same Azure region and same Microsoft Entra tenant as the virtual machine (VM) to be encrypted. This is a requirement for ADE to control and manage the encryption keys for the VM's disks.


Reference:

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault






Share your comments for Microsoft AZ-801 exam with other users:

Philippe 1/22/2023 10:24:00 AM

I am impressed with the quality of these dumps. The questions and answers were easy to understand and the xengine app was very helpful to use.
CANADA