Microsoft AZ-801 Configuring Windows Server Hybrid Advanced Services Exam Dumps and Practice Test Questions Set 7 Q121-140

Visit here for our full Microsoft AZ-801 exam dumps and practice test questions.

Question 121

You manage Windows Server 2022 Hyper-V hosts running Shielded VMs. You need to allow encrypted VMs to migrate between hosts while ensuring virtual TPM keys remain protected. What should you implement?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Node-level TPM passthrough allows a virtual machine to directly access the host’s Trusted Platform Module (TPM). While this ensures that the VM’s encryption keys are tightly bound to the physical host and provides strong security, it introduces a significant limitation: the VM cannot migrate to another host without exposing the TPM keys. This makes node-level TPM passthrough unsuitable for environments where encrypted virtual machines need to move between hosts for load balancing, maintenance, or disaster recovery. It is excellent for single-host security but lacks flexibility for larger clusters or dynamic operations.

Cluster Shared Volume (CSV) redirected mode is designed to enhance storage availability and resilience during failures or disruptions in a cluster. It allows VMs to continue accessing storage even if the direct path is unavailable. However, CSV redirected mode is purely focused on storage continuity and does not address security of encryption keys, including virtual TPM keys. While it ensures VMs remain operational, it does nothing to secure sensitive information during live migration, so it cannot meet the requirement of protecting vTPM keys during VM mobility.

Migrating virtual machines without encryption removes all the security protections that BitLocker and virtual TPM provide. This approach leaves workloads fully exposed, which can result in unauthorized access to sensitive data. Although migration might succeed, the security posture is compromised, making this option inappropriate for environments with strict compliance and data protection requirements. Removing encryption entirely is counterproductive for secure VM mobility.

Shielded VMs with Host Guardian Service (HGS) are specifically designed to secure encrypted workloads and allow them to move safely between authorized hosts. HGS performs attestation to ensure that only trusted hosts can run these VMs, and it securely manages virtual TPM keys. During migration, keys are never exposed to untrusted hosts or transmitted insecurely. This approach maintains both operational flexibility and security. It is the only solution among the options that simultaneously supports encrypted VM mobility and protects virtual TPM keys.

Question 122 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. You need to prevent multiple critical VMs from running on the same node and support automatic rebalancing. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

VM start order controls the sequence in which virtual machines start during cluster boot. While it is useful for ensuring dependent services start in the correct order, it does not prevent multiple critical virtual machines from running on the same node at the same time. Start order ensures proper initialization but does not enforce policies regarding placement, affinity, or rebalancing across cluster nodes.

Preferred owners allow administrators to specify preferred nodes for hosting particular virtual machines. This guidance can influence initial placement, helping to distribute workloads according to administrative preferences. However, preferred owners do not guarantee separation of critical VMs during dynamic operations such as load balancing or failover. If the preferred node becomes unavailable or overloaded, multiple critical VMs may still end up co-located, increasing the risk of service disruption.

Anti-affinity rules with dynamic optimization provide a comprehensive solution for isolating critical VMs across cluster nodes. These rules instruct the cluster to avoid placing certain virtual machines together on the same node. Dynamic optimization continuously monitors cluster resource usage and workload distribution, automatically rebalancing VMs when necessary. This ensures critical workloads are isolated and mitigates the risk of multiple failures affecting high-value VMs. It also allows seamless scaling and operational flexibility without manual intervention.

Cluster quorum settings determine the minimum number of nodes required for the cluster to function properly. While critical for overall cluster availability and fault tolerance, quorum configuration does not influence the placement of virtual machines or enforce separation policies. Quorum ensures the cluster remains operational but does not address workload isolation or load balancing.

Question 123 

You manage Windows Server 2022 with Azure File Sync. Branch servers frequently recall large files, leading to network congestion. You need to prioritize critical files and reduce bandwidth usage. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

Cloud tiering minimum file age controls how long a file remains on a local server before it becomes eligible for tiering to the cloud. By delaying when new files are tiered, this feature reduces unnecessary recalls for recently created files. However, this configuration does not provide prioritization for critical files. It affects only the timing of tiering and does not address which files should be retrieved first during high-demand scenarios, leaving bandwidth management and workload prioritization unaddressed.

Offline files mode ensures that certain files are cached locally and remain accessible when the server or network is unavailable. While offline files improve availability and allow users to work without interruptions, this feature does not prioritize which files are recalled first or manage bandwidth usage. It addresses resilience and accessibility rather than network optimization or file recall scheduling.

Background tiering deferral allows administrators to schedule when files are offloaded to the cloud, reducing the impact of background data transfers during peak business hours. While this can help prevent network congestion, it does not control the order in which recalled files are processed. Critical files may still experience delays if multiple files are being recalled simultaneously, which could affect business-critical operations.

Recall priority policies provide a targeted solution for these challenges. By assigning priority levels to files or directories, administrators can ensure that critical files are retrieved first when multiple recall requests occur. Lower-priority files are queued, reducing congestion and ensuring essential workloads remain responsive. This approach directly addresses the problem of network bandwidth optimization while supporting operational priorities, ensuring that high-value files are available promptly without overwhelming the network.

Question 124 

You manage a Windows Server 2022 RDS deployment integrated with Azure MFA. Users report login failures due to delayed MFA responses. You must reduce authentication failures without compromising MFA security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

Reducing session persistence shortens the duration of authenticated sessions. While this may help reduce stale connections, it does not address the underlying cause of authentication failures in multi-factor authentication (MFA) scenarios. Shorter sessions may actually increase authentication frequency, potentially exacerbating the problem of delayed MFA responses instead of mitigating it.

Disabling conditional access would bypass MFA entirely, eliminating delays caused by additional verification. However, this significantly reduces security and violates organizational compliance policies. It exposes systems to potential attacks, undermining the core objective of enforcing strong authentication. While it might temporarily resolve login failures, it is not an acceptable or secure solution.

Enabling persistent cookies reduces the frequency of MFA prompts by allowing users to remain authenticated across sessions or devices. While this improves convenience and user experience, it does not solve delays that occur during the initial MFA verification process. If the multi-factor authentication service is slow or experiencing latency, login failures will still occur regardless of cookie persistence.

Increasing the NPS (Network Policy Server) extension timeout directly addresses the root cause of delayed MFA responses. The NPS extension communicates with the MFA provider to verify user credentials, and network delays, service latency, or high-load conditions can result in timeouts. By increasing the timeout, the system allows additional time for verification to complete successfully, ensuring users can authenticate without compromising security. This approach maintains MFA enforcement while reducing failed login attempts, providing a balanced solution that optimizes reliability and security.

Thus, among the available options, the correct approach to reduce login failures caused by delayed MFA responses is to increase the NPS extension timeout, ensuring secure and successful authentication while maintaining compliance and user accessibility.

Question 125 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys remain protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation:

Node-level TPM passthrough secures virtual TPM keys by binding them to a specific physical host. While this method provides strong security on that host, it introduces a significant limitation: the virtual machine cannot migrate to another host without exposing its encryption keys. This makes node-level TPM passthrough unsuitable for environments that require encrypted VM mobility, load balancing, or failover between multiple hosts.

Cluster Shared Volume redirected mode enhances storage resiliency by allowing VMs to continue accessing storage during path or node failures. It ensures that VMs remain operational in case of storage disruptions. However, CSV redirected mode does not provide security for virtual TPM keys or manage encrypted VM migration. It focuses solely on storage availability and does not meet requirements for protecting sensitive keys during VM mobility.

Migrating VMs without encryption eliminates the security provided by BitLocker and virtual TPM, leaving sensitive workloads exposed. While migration may succeed, the VM and its data are vulnerable to compromise. This approach does not satisfy compliance or security requirements, making it inappropriate for environments where protecting sensitive information is critical.

Shielded VMs with Host Guardian Service provide a comprehensive solution to secure encrypted virtual machines during migration. HGS ensures that only authorized hosts can access the virtual TPM keys and manages key distribution securely. This prevents exposure of encryption keys during live migration, maintaining both security and compliance. By integrating attestation and encryption key management, this approach allows operational flexibility while ensuring the highest level of data protection.

Question 126 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical VMs must not reside on the same node, and automatic load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation:

VM start order is a feature in failover clusters that specifies the sequence in which virtual machines boot after a cluster or node restart. While this ensures that dependent services come online in the proper sequence—for example, bringing up domain controllers before application servers—it does not prevent critical workloads from residing on the same cluster node. During normal cluster operation or dynamic load balancing, multiple critical VMs could still co-locate on a single host, increasing the risk of downtime if that host experiences a failure.

Preferred owners allow administrators to define which nodes are the primary choice for hosting a specific virtual machine. This is useful for managing initial placement and distributing workloads according to performance or hardware characteristics. However, preferred owners do not enforce strict isolation between critical workloads. During cluster balancing, failovers, or maintenance activities, critical VMs may still end up on the same node, leaving the cluster vulnerable to single-node failures.

Anti-affinity rules with dynamic optimization are designed to enforce separation of workloads across cluster nodes. Anti-affinity rules specifically prevent two or more critical VMs from running on the same host simultaneously, ensuring redundancy and resilience. Dynamic optimization continuously monitors cluster conditions and automatically rebalances VMs to maintain the separation of critical workloads while optimizing resource usage. This feature ensures that high-priority workloads are not compromised by hardware failures and that cluster resources are used efficiently. It addresses both the isolation requirement and the need for automated load balancing, which cannot be achieved with simple start order or preferred owner settings.

Cluster quorum settings define how many nodes must be online to maintain cluster functionality. Quorum is essential for determining cluster availability during node failures and for preventing split-brain scenarios. However, quorum settings do not influence VM placement, load balancing, or workload separation.

In conclusion, to prevent critical SQL Server VMs from residing on the same host while enabling automatic load balancing, anti-affinity rules with dynamic optimization are required. This ensures continuous monitoring and adjustment of VM placement to maintain high availability, redundancy, and optimal cluster performance. Therefore, the correct answer is C.

Question 127 

You manage Windows Server 2022 with Azure File Sync. Branch servers recall large files frequently, causing network congestion. You need to prioritize essential files while reducing bandwidth usage. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

Cloud tiering minimum file age is a configuration in Azure File Sync that delays the caching of recently added files on branch servers. This can prevent unnecessary storage of transient files but does not allow prioritization of essential files when multiple files are recalled simultaneously. Critical files could still be delayed behind less important data, which does not solve the bandwidth issue during frequent recalls.

Offline files mode ensures that files remain available locally on the branch server even when disconnected from the network. While this supports uninterrupted access, it does not control the order in which files are recalled from the cloud. Network congestion can still occur if large non-essential files are accessed frequently, as offline files mode does not provide prioritization or bandwidth optimization mechanisms.

Background tiering deferral allows administrators to delay the offloading of infrequently accessed files to the cloud to reduce network activity. However, it only affects the offloading process, not the recall process. High-priority files may still be delayed during heavy recall activity because this setting does not influence which files are retrieved first.

Recall priority policies enable administrators to assign importance levels to specific files or directories. When multiple recall requests occur, the system processes higher-priority files first, ensuring that essential workloads are retrieved promptly. This prioritization helps optimize bandwidth by preventing non-critical file transfers from blocking important operations. Recall priority policies also support predictable performance for critical applications by ensuring that large or frequently accessed files that are necessary for business operations are delivered without unnecessary delays.

Question 128 

You manage a Windows Server 2022 RDS deployment integrated with Azure MFA. Users report login failures caused by delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

Reducing session persistence decreases the duration of active sessions on Remote Desktop Services (RDS). While this might force users to re-authenticate more frequently, it does not address the root cause of delayed MFA responses. In fact, shorter session durations may exacerbate the problem by increasing the frequency of MFA prompts, potentially leading to more authentication failures.

Disabling conditional access bypasses multi-factor authentication entirely, which would eliminate authentication delays but compromises security. This approach is not acceptable for environments where MFA is required to protect sensitive resources and maintain compliance with organizational security policies.

Persistent cookies allow users to avoid repeated MFA prompts for the same device within a defined period. While they improve convenience, they do not resolve authentication failures caused by slow responses from the MFA system or network latency. The problem described is specifically related to delayed verification during the authentication handshake, which persistent cookies alone cannot mitigate.

Increasing the NPS extension timeout provides more time for the Network Policy Server (NPS) extension to communicate with Azure MFA during the authentication process. By extending this timeout, the system accommodates temporary delays due to network latency, high authentication loads, or temporary MFA service slowness. This ensures that authentication attempts are less likely to fail due to timeout errors while preserving full security enforcement. This approach directly targets the cause of failed logins, allowing RDS users to authenticate successfully without reducing security.

Question 129

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys are protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Node-level TPM passthrough binds the virtual TPM (vTPM) of a virtual machine to the physical TPM of a specific host. This approach ensures that sensitive keys remain protected on that host. However, it prevents the VM from migrating to other hosts without exposing the keys, making it unsuitable for environments requiring encrypted VM mobility across multiple Hyper-V hosts.

Cluster Shared Volume (CSV) redirected mode ensures high availability of storage by redirecting I/O through an alternative node in the event of failures. While CSV redirected mode provides storage continuity, it does not address the protection of vTPM keys during migration. Encrypted VMs remain vulnerable if moved without additional security measures.

VM live migration without encryption allows virtual machines to move between hosts but removes encryption protections. This exposes sensitive workloads, including vTPM keys, to potential interception during transit, which violates security best practices and compliance requirements.

Shielded VMs with Host Guardian Service (HGS) provide a comprehensive solution for securing sensitive VMs. HGS centrally manages the encryption keys and attests hosts before allowing access to vTPM keys. This ensures that only authorized Hyper-V hosts can run the shielded VM and protects the keys during live migration. This approach allows encrypted workloads to move between hosts without exposing secrets, providing both mobility and security simultaneously.

To ensure encrypted VMs maintain protection for vTPM keys while supporting secure migration, implementing Shielded VMs with Host Guardian Service is required. Therefore, the correct answer is B.

Question 130 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automatic load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

VM start order defines the sequence in which virtual machines boot during cluster startup. It is useful when dependencies exist between VMs, such as ensuring database servers start before application servers. However, it does not prevent multiple critical VMs from co-locating on the same host during normal operations or cluster-driven rebalancing, leaving high-value workloads exposed to single-node failures.

Preferred owners guide initial VM placement within a cluster, allowing administrators to designate which nodes should host specific workloads. This can help balance resources initially but does not enforce strict isolation. During automatic load balancing or failover events, critical VMs could still end up on the same node, increasing potential downtime risk.

Anti-affinity rules with dynamic optimization are designed specifically to prevent co-location of critical workloads on the same cluster node. Anti-affinity rules enforce separation, ensuring critical SQL Server VMs are distributed across multiple nodes. Dynamic optimization continuously monitors the cluster and automatically rebalances workloads in response to changes such as node maintenance, failures, or fluctuating resource demands. This guarantees both isolation and efficient use of resources, minimizing the risk of service disruption while maintaining high availability for critical workloads.

Cluster quorum settings determine how many nodes must be online to maintain cluster functionality. Quorum is crucial for resiliency and preventing split-brain scenarios but does not influence the placement or balancing of workloads. It ensures cluster stability but does not address co-location or load distribution concerns.

To automatically balance workloads and prevent co-location of critical VMs, anti-affinity rules with dynamic optimization must be configured. This solution combines isolation enforcement with proactive workload balancing to maintain performance and reliability. Therefore, the correct answer is C.

Question 131 

You manage Windows Server 2022 Hyper-V hosts running Shielded VMs. You need to migrate encrypted VMs between hosts while ensuring virtual TPM keys remain protected. What should you implement?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Shielded VMs in Windows Server 2022 provide a robust mechanism for protecting sensitive workloads, particularly those that leverage virtual Trusted Platform Module (vTPM) keys for encryption. In environments where virtual machines need to be moved between hosts—such as during maintenance, load balancing, or disaster recovery scenarios—ensuring the security of these keys is paramount. 

 

Node-level TPM passthrough is an option that binds a VM’s virtual TPM to a single physical host, providing strong local security. However, this configuration prevents secure migration because the keys are tied to one host. Migrating the VM would require exposing or exporting keys, which introduces significant security risks. Similarly, Cluster Shared Volume (CSV) redirected mode is designed for storage resiliency and failover scenarios, allowing cluster nodes to access storage during node failures. While CSV redirected mode maintains availability, it does not manage encryption keys, nor does it provide mechanisms to secure the vTPM during migration. 

 

Live migration without encryption would allow VMs to move freely between hosts but removes all protections provided by vTPM and BitLocker, leaving sensitive workloads exposed and noncompliant with enterprise security standards. In contrast, implementing Shielded VMs with Host Guardian Service (HGS) provides a centralized and secure solution for managing encryption keys. HGS performs attestation of Hyper-V hosts, ensuring that only trusted, compliant hosts can access vTPM keys. When a VM is migrated, the keys are securely transmitted only to authorized hosts, preventing key leakage and maintaining compliance with organizational security policies. 

 

This approach combines operational flexibility with strong security controls, allowing encrypted VMs to move between hosts without compromising their integrity. It also integrates seamlessly with other Windows Server features such as BitLocker and guarded fabric management, providing a holistic security model for hybrid and on-premises environments. Therefore, for secure migration of encrypted VMs while protecting virtual TPM keys, Shielded VMs with Host Guardian Service must be implemented, ensuring both compliance and operational continuity.

Question 132 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical VMs must not reside on the same host and automatic balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

In a Windows Server 2022 failover cluster hosting SQL Server VMs, maintaining high availability and workload isolation is critical. When multiple critical VMs reside on the same host, a single node failure could result in simultaneous downtime of all critical workloads, creating a significant business risk. Configuring VM start order determines the sequence in which VMs start during a failover or cluster boot event. While this can ensure that dependencies between VMs are honored, it does not prevent multiple critical VMs from being placed on the same node. Preferred owners allow administrators to influence which cluster nodes are initially assigned certain VMs, but this configuration is static and does not account for dynamic changes in cluster load or automatic rebalancing. Without active monitoring, preferred owners cannot prevent critical workloads from being co-located during node failures or migrations. 

 

Cluster quorum settings determine the minimum number of nodes that must be online for the cluster to operate, safeguarding against split-brain scenarios and maintaining cluster resiliency, but they have no influence on VM placement or workload separation. Anti-affinity rules with dynamic optimization provide a more sophisticated and automated approach. Anti-affinity rules explicitly prevent specified VMs from running on the same node, ensuring that critical workloads are isolated. When combined with dynamic optimization, the cluster continuously evaluates node load and VM placement. If two critical VMs are co-located due to a failover, the cluster will automatically migrate one to another node to restore isolation and balance the workload. 

 

This automation minimizes administrative overhead, reduces the risk of downtime, and ensures consistent application performance. Dynamic optimization also adapts to real-time conditions, considering node utilization, CPU, memory, and storage constraints. This combination provides a proactive, resilient strategy for managing critical SQL Server VMs in high-availability clusters, preventing co-location and enabling continuous, automated balancing of workloads across cluster nodes. Therefore, anti-affinity rules with dynamic optimization are required to maintain high availability, workload isolation, and operational efficiency in a failover cluster.

Question 133 

You manage Windows Server 2022 with Azure File Sync. Branch servers recall large files frequently, causing network congestion. You must ensure critical files are prioritized. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

Azure File Sync enables centralization of file services in the cloud while maintaining local access performance on branch servers. In large environments, branch servers may frequently recall files from the cloud, particularly when cloud tiering is enabled. This can cause network congestion, especially when multiple users or applications request large files simultaneously. 

 

Cloud tiering minimum file age is a configuration that delays caching of recently created files, ensuring that only files older than a specified period are tied to the cloud. While this can reduce immediate network traffic, it does not prioritize critical files over less important ones, meaning essential workloads may still experience delays. Offline files mode allows files to be available locally even when disconnected from the network, but it does not influence which files are recalled first during periods of network load, nor does it optimize bandwidth consumption. 

 

Background tiering deferral schedules offloading of files to the cloud to reduce network congestion, but it is focused on storage management rather than recall prioritization. Recall priority policies, on the other hand, are explicitly designed to assign importance to specific files or directories. Administrators can designate certain files or folders as high-priority, ensuring that when multiple files are requested, critical files are retrieved first. This reduces latency for essential workloads, improves application responsiveness, and minimizes the impact of high-volume file recalls on network performance. 

 

Prioritizing critical files in this manner ensures that business-critical processes are not disrupted while less important files can be recalled on a lower-priority basis. Implementing recall priority policies enhances operational efficiency, supports compliance with service level objectives, and provides administrators with control over resource usage during peak demand periods. By directing network and storage resources toward high-value data, recall priority policies optimize both user experience and overall system performance. Therefore, to reduce network congestion while ensuring essential files are retrieved promptly, configuring recall priority policies is the correct approach.

Question 134 

You manage a Windows Server 2022 RDS deployment integrated with Azure MFA. Users report login failures due to delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation:

Windows Server 2022 Remote Desktop Services (RDS) integrated with Azure Multi-Factor Authentication (MFA) adds a strong layer of security by requiring users to verify identity through additional factors beyond username and password. However, network latency, MFA service delays, or high authentication traffic can lead to users experiencing login failures, even when credentials and verification devices are correct. Reducing session persistence only shortens the session lifespan, which does not address the underlying issue of delayed MFA responses. 

 

Disabling conditional access would bypass MFA entirely, significantly compromising security and violating organizational compliance policies. Enabling persistent cookies can reduce the number of MFA prompts for returning users but does not resolve initial authentication delays caused by network or service latency. Increasing the Network Policy Server (NPS) extension timeout, however, addresses the root cause. The NPS extension communicates with Azure MFA to verify user credentials during the authentication process. If the timeout period is too short, delayed responses from Azure MFA may result in login failures, even when the user provides valid input. By increasing the NPS extension timeout, administrators allow additional time for the authentication handshake between the on-premises RDS environment and Azure MFA service to complete. 

 

This adjustment accommodates temporary delays due to network congestion, MFA service latency, or high authentication load, improving the success rate of user logins without compromising the security benefits of MFA. Extending the timeout ensures that critical users maintain access to resources while preserving compliance with multifactor authentication policies. It provides a balance between usability and security, reducing support tickets and enhancing user experience. Therefore, to minimize authentication failures in RDS environments while maintaining MFA enforcement, increasing the NPS extension timeout is the appropriate configuration.

Question 135 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys are protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Hyper-V in Windows Server 2022 provides several security features for virtual machines, particularly when handling sensitive workloads that require encryption. Shielded VMs are designed to prevent unauthorized access to virtual machines, including protection against tampering and access to vTPM keys. Node-level TPM passthrough allows a VM to access the host’s TPM directly. While this secures keys locally, it ties the VM to a single physical host. Migration to another host would require moving the TPM key, potentially exposing it and violating security policies. 

 

Cluster Shared Volume redirected mode ensures storage resiliency and continuity in the event of node failure, but it does not provide mechanisms for protecting encryption keys or secure migration of Shielded VMs. Live migration without encryption removes the security protections of vTPM and BitLocker entirely, leaving workloads vulnerable during migration. Shielded VMs with Host Guardian Service (HGS) offer a comprehensive solution by centralizing key management and enforcing host attestation. 

 

HGS ensures that only authorized Hyper-V hosts can access the VM’s vTPM keys. When a Shielded VM is migrated, HGS provides the necessary keys only to hosts that meet security and compliance requirements, maintaining encryption integrity and preventing unauthorized access. This method allows for operational flexibility while preserving data confidentiality and compliance with enterprise security standards. Implementing Shielded VMs with HGS ensures that critical workloads remain protected during migrations, balancing security requirements with the practical need for VM mobility and high availability. Therefore, to secure virtual TPM keys and support encrypted VM migration, Shielded VMs with Host Guardian Service must be deployed.

Question 136 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical VMs must not reside on the same node, and automatic balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

In a Windows Server 2022 failover cluster hosting SQL Server VMs, maintaining high availability and operational continuity is critical, especially for critical workloads. Clusters distribute workloads across multiple nodes to ensure resilience against hardware or software failures. One key concern is the placement of critical virtual machines (VMs) so that multiple critical workloads are not running on the same node. If two or more critical VMs reside on the same node, a single node failure could cause simultaneous outages, potentially leading to significant business impact. 

 

Configuring VM start order allows administrators to control the sequence in which VMs start during a cluster boot or failover, which ensures dependency relationships are honored but does not prevent co-location of critical VMs. Preferred owners specify which cluster nodes are initially considered for running certain VMs, influencing placement during startup. While useful for directing initial placement, this setting does not enforce strict separation and cannot automatically rebalance workloads if node conditions change. Cluster quorum settings are essential for maintaining cluster resiliency and determining the minimum number of nodes required for cluster operations. While vital for overall availability, quorum settings have no influence on VM placement or isolation of critical workloads. 

 

Anti-affinity rules with dynamic optimization provide the necessary mechanism to enforce separation policies and maintain load balance automatically. Anti-affinity rules explicitly instruct the cluster not to place specified VMs on the same node. Dynamic optimization continuously monitors cluster conditions such as CPU, memory, and storage utilization. If critical VMs are found to be co-located due to failover events or resource constraints, the cluster automatically moves one or more VMs to restore isolation. This proactive balancing minimizes downtime risks and ensures business continuity. Additionally, dynamic optimization adapts in real time to cluster changes, maintaining optimal performance and preventing resource contention. 

 

By combining anti-affinity rules with dynamic optimization, administrators achieve both high availability and operational efficiency without manual intervention. This configuration not only isolates critical workloads but also ensures that the cluster intelligently redistributes resources to avoid bottlenecks or overutilization. Therefore, for failover clusters hosting critical SQL Server VMs where co-location must be avoided and automatic balancing is required, configuring anti-affinity rules with dynamic optimization is the most effective and reliable solution.

Question 137 

You manage Windows Server 2022 with Azure File Sync. Branch servers frequently recall large files, causing network congestion. You need to prioritize essential files. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

Cloud tiering minimum file age delays caching of new files but does not prioritize essential files.

Offline files mode allows local availability when disconnected but does not affect recall order or bandwidth optimization.

Background tiering deferral schedules offloading to reduce network traffic but does not guarantee critical files are retrieved first.

Recall priority policies allow assigning importance to specific files or directories. High-priority files are recalled first, ensuring essential workloads remain responsive while reducing network congestion.

To prioritize essential files and optimize bandwidth, recall priority policies must be configured. Therefore, the correct answer is B.

Question 138 

You manage a Windows Server 2022 RDS deployment with Azure MFA. Users report login failures caused by delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

Reducing session persistence shortens session duration but does not fix delayed MFA responses, potentially increasing login failures.

Disabling conditional access bypasses MFA, compromising security.

Persistent cookies reduce repeated MFA prompts but do not resolve handshake delays causing login failures.

Increasing the NPS extension timeout allows extra time for MFA verification, accommodating temporary network or service latency. This ensures authentication succeeds reliably without compromising security.

Extending the NPS extension timeout ensures successful login while maintaining MFA enforcement. Therefore, the correct answer is B.

Question 139 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys remain protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Node-level TPM passthrough secures keys on a single host but does not allow migration without exposing them.

Cluster Shared Volume redirected mode ensures storage resiliency but does not protect virtual TPM keys or encrypted VMs during migration.

Migrating VMs without encryption removes protections, exposing sensitive workloads.

Shielded VMs with Host Guardian Service manage encryption keys securely and enable migration across authorized hosts while protecting virtual TPM keys. This ensures workloads remain compliant and secure during migration.

To secure virtual TPM keys while enabling migration, Shielded VMs with Host Guardian Service must be implemented. Therefore, the correct answer is B.

Question 140 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automatic load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation:

In a Windows Server 2022 failover cluster hosting SQL Server VMs, high availability and operational resilience are critical, especially for workloads deemed business-critical. Co-locating multiple critical workloads on the same node introduces significant risk: a single hardware or software failure could impact multiple critical services simultaneously. 

VM start order allows administrators to control the sequence in which VMs boot during cluster startup or failover but does not prevent critical workloads from sharing the same host. Preferred owners guide initial VM placement across nodes but are static; they cannot automatically enforce isolation if cluster conditions change or during dynamic balancing. Cluster quorum settings ensure the cluster maintains operational integrity during node failures but do not influence VM placement or workload isolation. 

Anti-affinity rules with dynamic optimization are designed to address precisely these concerns. Anti-affinity rules explicitly prevent certain VMs from running on the same host. Dynamic optimization monitors cluster resources—including CPU, memory, and storage utilization—and automatically rebalances workloads when required. If two critical VMs are inadvertently placed on the same node during a failover or resource reallocation, the cluster automatically migrates one to a different node to restore separation. This mechanism reduces the risk of simultaneous failures, improves availability, and ensures that critical workloads receive adequate resources. Dynamic optimization also considers overall node load to maintain balanced performance, reducing bottlenecks and contention. 

By combining anti-affinity rules with dynamic optimization, administrators achieve both workload isolation and automated resource distribution, minimizing manual intervention while maximizing reliability. This ensures continuous operation of critical SQL Server VMs and supports organizational requirements for high availability and business continuity. Therefore, to enforce separation of critical workloads and enable automatic balancing, configuring anti-affinity rules with dynamic optimization is the correct and most effective approach.