Microsoft AZ-801 Configuring Windows Server Hybrid Advanced Services Exam Dumps and Practice Test Questions Set 8 Q141-160

Visit here for our full Microsoft AZ-801 exam dumps and practice test questions.

Question 141 

You manage Windows Server 2022 Hyper-V hosts with Shielded VMs. You need to ensure encrypted VMs can migrate between hosts while keeping virtual TPM keys secure. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

When managing Windows Server 2022 Hyper-V hosts that run Shielded VMs, the protection of virtual TPM keys is critical to ensure the integrity and confidentiality of encrypted workloads. Node-level TPM passthrough is a mechanism that binds the virtual TPM to the physical TPM of a single host. While this ensures that the VM remains secure on the host, it does not support mobility across multiple hosts. Migrating a VM protected by node-level TPM to another host requires exposing its encryption keys or reinitializing the TPM, which violates security policies and exposes sensitive data during the migration process. 

 

Therefore, this option is unsuitable for environments requiring secure VM mobility. Cluster Shared Volume redirected mode is designed to provide storage resiliency by redirecting I/O to alternate storage locations in the event of a storage path failure. While this helps maintain VM availability and storage continuity, it does not manage encryption keys or provide secure migration for Shielded VMs. Similarly, migrating VMs without encryption removes all protections offered by BitLocker and virtual TPM, leaving workloads vulnerable to interception or compromise. 

 

Shielded VMs with Host Guardian Service, however, provide a secure solution for encrypted VM migration. The Host Guardian Service is responsible for attesting Hyper-V hosts and distributing keys in a secure manner. Only hosts that pass attestation can receive the encryption keys necessary to start or migrate Shielded VMs. This ensures that virtual TPM keys are never exposed during migration and that compliance requirements for sensitive workloads are met. 

 

Additionally, this method enables operational flexibility by allowing administrators to migrate encrypted workloads between authorized hosts without compromising security. It provides a central management point for encryption keys and enforces policies that ensure only trusted hosts can run or receive Shielded VMs. By implementing Shielded VMs with Host Guardian Service, organizations can maintain high security standards while supporting operational requirements such as live migration, disaster recovery, or maintenance activities. This approach effectively balances security and flexibility, making it the recommended solution for protecting virtual TPM keys during VM mobility. Therefore, the correct answer is B.

Question 142 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical VMs must not be placed on the same node and automated rebalancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation:

In a Windows Server 2022 failover cluster hosting SQL Server VMs, workload distribution and isolation of critical VMs are essential for high availability and risk mitigation. VM start order allows administrators to define the sequence in which virtual machines boot during cluster startup. While this ensures that dependencies between applications are met, it does not prevent multiple critical VMs from running on the same node during normal operation or dynamic cluster rebalancing. 

Preferred owners specify the nodes where a VM should initially run. Although this can guide VM placement, it does not enforce strict rules preventing co-location during cluster maintenance, failover events, or dynamic optimization cycles. Cluster quorum settings define the minimum number of nodes required for cluster operation, which protects cluster availability but does not control VM placement. Anti-affinity rules combined with dynamic optimization are the key configuration for ensuring critical VMs do not reside on the same node while enabling automatic balancing of workloads. 

Anti-affinity rules define VMs that should not run together on the same host, thereby reducing the risk of multiple critical workloads being affected by a single node failure. Dynamic optimization continuously monitors cluster workloads and automatically migrates VMs to maintain compliance with the defined anti-affinity rules. This ensures that critical workloads remain isolated, maintaining resilience and minimizing the risk of service disruption. The cluster constantly evaluates resource usage, and if it detects a violation of anti-affinity rules, it proactively moves VMs to compliant hosts. 

This approach eliminates manual intervention and ensures continuous compliance with separation policies. Anti-affinity rules with dynamic optimization also improve resource utilization by distributing workloads evenly across cluster nodes, reducing hotspots and ensuring that no single node becomes overloaded while maintaining strict separation for critical workloads. By combining these features, administrators achieve both high availability and operational efficiency, ensuring that SQL Server VMs remain resilient and perform optimally while critical workloads are never co-located. Therefore, the correct answer is C.

Question 143 

You manage Windows Server 2022 with Azure File Sync. Branch servers frequently recall large files, resulting in network congestion. You need to prioritize essential files. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

Azure File Sync allows organizations to centralize file data in Azure while keeping frequently used files local on branch servers. Cloud tiering helps manage storage usage by offloading files to Azure while keeping placeholders locally, but the recall process can create network congestion when multiple users simultaneously request large files. Cloud tiering minimum file age determines how long a file must exist locally before it is eligible to be tiered to the cloud. While this setting helps reduce unnecessary recall traffic for newly created files, it does not allow administrators to prioritize which files are more important during high-demand periods. Offline files mode ensures local availability when a device is disconnected from the network, but it does not manage recall priority or prevent congestion when multiple requests occur simultaneously. 

 

Background tiering deferral schedules the upload of files to the cloud during low-usage periods, which reduces outbound network usage, but this setting does not influence the order in which recalled files are retrieved. Recall priority policies, on the other hand, allow administrators to assign priority levels to files or directories. High-priority files are recalled first, ensuring that mission-critical workloads are accessible immediately while lower-priority files may experience slight delays. This approach provides predictable performance for essential files, reduces user frustration, and prevents network congestion from overwhelming branch servers. 

 

By implementing recall priority policies, organizations can ensure that the most critical business data is retrieved efficiently during peak demand, optimizing bandwidth usage and improving user productivity. This strategy also provides granular control over file access patterns, allowing administrators to balance performance, cost, and operational requirements effectively. In environments with frequent large file recalls, configuring recall priority policies is essential for ensuring that critical files are always available promptly and that network resources are not saturated by lower-priority requests. Therefore, the correct answer is B.

Question 144 

You manage a Windows Server 2022 RDS deployment integrated with Azure MFA. Users report login failures due to delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

Remote Desktop Services (RDS) deployments integrated with Azure Multi-Factor Authentication (MFA) provide an additional security layer by requiring users to complete a secondary verification step. When users experience login failures caused by delayed MFA responses, the root cause often involves network latency, MFA service delays, or timeout constraints imposed by the Network Policy Server (NPS) extension. Reducing session persistence shortens active session duration, increasing the frequency of authentication prompts, which can worsen login failures rather than resolve them. 

 

Disabling conditional access bypasses MFA entirely, which removes a critical security control and violates organizational compliance requirements. Enabling persistent cookies improves user convenience by reducing repeated MFA prompts for ongoing sessions but does not resolve the underlying issue of delayed MFA responses during the initial authentication process. Increasing the NPS extension timeout is the most appropriate solution because it provides additional time for the Azure MFA verification process to complete successfully. This setting accommodates temporary delays due to network latency, MFA server response times, or other transient issues without compromising security. 

 

The NPS extension timeout determines how long the system waits for a response from the MFA provider before failing the authentication request. By increasing this timeout, the system allows legitimate users to complete the MFA process successfully, thereby reducing authentication failures while maintaining full compliance with security policies. This approach ensures both security and usability, minimizing user frustration and preventing disruptions to business operations. Extending the NPS extension timeout is a controlled, secure, and practical method to address login failures caused by delayed MFA responses, making it the correct configuration for environments where timely MFA verification is critical to access continuity. Therefore, the correct answer is B.

Question 145 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys are protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Protecting virtual TPM keys is crucial for encrypted virtual machines (VMs) in Windows Server 2022 Hyper-V environments. Node-level TPM passthrough allows a VM to utilize the TPM of the host it runs on. While this ensures the VM is secure on that host, the virtual TPM keys are bound to the specific hardware, making migration to another host impossible without exposing the keys or reinitializing the TPM, both of which compromise security. Cluster Shared Volume (CSV) redirected mode is a feature that improves storage resiliency by redirecting input/output operations during storage failures. 

 

Although this ensures VM availability in case of storage disruptions, it does not provide mechanisms to protect virtual TPM keys or manage encrypted VM migration. Migrating VMs without encryption removes all protections, leaving sensitive data exposed during transit. Shielded VMs, when combined with Host Guardian Service (HGS), provide a robust security solution for these scenarios. HGS centralizes key management and performs host attestation, verifying that a VM is running on a trusted host before releasing the encryption keys. This allows VMs to migrate securely between authorized hosts while the virtual TPM keys remain encrypted and inaccessible to unauthorized systems. 

 

The process ensures that only compliant and trusted hosts can run or migrate Shielded VMs. This method satisfies both operational flexibility and stringent security requirements, enabling secure mobility of encrypted workloads without compromising confidentiality or compliance standards. Implementing Shielded VMs with HGS provides administrators with centralized management, secure migration, and enhanced protection against potential attacks targeting the VM encryption keys. By using HGS, organizations ensure that critical workloads can be moved seamlessly across the infrastructure while maintaining end-to-end encryption and regulatory compliance. Therefore, the correct answer is B.

Question 146

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automatic load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

In a Windows Server 2022 failover cluster, managing placement of SQL Server VMs is critical to ensure both high availability and risk mitigation. Critical workloads, such as SQL Server databases, must not be co-located on the same node because if a single host fails, all VMs on that node could be impacted simultaneously, causing significant service disruption. VM start order allows administrators to define the sequence in which VMs boot during cluster startup. While useful for dependency management, start order does not prevent multiple critical workloads from running on the same node during normal operation or dynamic rebalancing. 

Preferred owners guide the initial placement of VMs by suggesting which nodes they should reside on, but they are advisory rather than mandatory. This means that during failover events or dynamic cluster optimization, VMs can still end up co-located on the same host, potentially violating isolation requirements. Cluster quorum settings define the minimum number of operational nodes required for the cluster to function and provide resiliency in the event of node failures, but they do not influence VM placement or enforce separation policies. Anti-affinity rules with dynamic optimization are specifically designed to address these concerns. 

Anti-affinity rules define which VMs must not run together on the same node, ensuring that critical workloads are distributed across multiple hosts to reduce the risk of simultaneous downtime. Dynamic optimization continuously monitors the cluster and automatically migrates VMs as needed to maintain compliance with anti-affinity rules. This automated balancing ensures optimal resource utilization while adhering to strict isolation policies for high-priority workloads. By combining anti-affinity rules with dynamic optimization, administrators can achieve both operational efficiency and strong fault tolerance. 

The cluster actively rebalances workloads to prevent hotspots, avoids performance degradation, and ensures that critical VMs remain protected from co-location risks. In environments running mission-critical applications like SQL Server, this combination of features guarantees both high availability and compliance with organizational policies. Therefore, the correct answer is C.

Question 147 

You manage Windows Server 2022 with Azure File Sync. Branch servers frequently recall large files, causing network congestion. You need to prioritize essential files. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

Azure File Sync enables organizations to centralize their file data in Azure while keeping local caches on branch servers for rapid access. One common challenge with branch deployments is the frequent recall of large files, which can saturate WAN links and degrade user experience. Cloud tiering minimum file age controls how long newly created files remain on the local server before tiering to the cloud. This setting reduces unnecessary recalls for recently created files but does not prioritize files based on importance. Offline files mode ensures local file availability when the network connection is unavailable, but it does not impact which files are recalled first or how bandwidth is allocated. 

Background tiering deferral allows the system to offload files to the cloud during low-activity periods to conserve bandwidth. While helpful for reducing outbound traffic, this feature does not prioritize critical files during recall operations. Recall priority policies address this specific problem. Administrators can assign high, medium, or low priority to files or directories. When multiple files are requested simultaneously, the system ensures that high-priority files are recalled first, minimizing the impact on essential business operations. 

This prioritization reduces network congestion and ensures that mission-critical files remain responsive even during periods of high activity. By implementing recall priority policies, administrators gain granular control over which data is delivered first, balancing performance, network usage, and user experience. This approach is especially important in organizations where bandwidth is limited or where large datasets are frequently accessed by multiple users. Recall priority policies provide both predictable performance for essential workloads and efficient use of network resources. Therefore, the correct answer is B.

Question 148

You manage a Windows Server 2022 RDS deployment with Azure MFA. Users report login failures caused by delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

Remote Desktop Services (RDS) integrated with Azure Multi-Factor Authentication (MFA) enhances security by requiring an additional verification step during login. Delays in MFA response, however, can lead to authentication failures, frustrating users and impacting productivity. Reducing session persistence shortens session duration and increases the frequency of login prompts, which could exacerbate the issue rather than resolve it. Disabling conditional access would bypass MFA entirely, eliminating critical security controls and violating compliance requirements. 

 

Persistent cookies allow users to avoid repeated MFA prompts after a successful authentication, improving convenience, but they do not address delays in the initial MFA handshake, which is the source of login failures. Increasing the NPS extension timeout provides more time for the MFA verification process to complete successfully. The Network Policy Server (NPS) extension communicates with Azure MFA to validate the second factor. If the response takes longer than the timeout, authentication fails. Extending the timeout accommodates transient network latency, temporary service delays, or high-load conditions, allowing legitimate users to complete MFA verification without failure. 

 

This configuration maintains security while improving reliability, as it ensures that authentication is not prematurely terminated due to delays outside the user’s control. By implementing a longer NPS extension timeout, organizations can reduce failed login attempts, minimize support calls, and maintain a seamless and secure RDS user experience. This approach balances usability and security effectively, addressing the root cause of failures without weakening authentication controls. Therefore, the correct answer is B.

Question 149 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys remain protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Virtual TPM keys are essential for the security of encrypted VMs in Hyper-V environments. Node-level TPM passthrough binds the VM to the host’s physical TPM, which provides security on a single host but prevents secure migration because the keys cannot move safely to another host without exposure. Cluster Shared Volume (CSV) redirected mode ensures storage resiliency during path failures, but it does not secure encryption keys or virtual TPMs during migration. Migrating VMs without encryption removes protections entirely, putting sensitive workloads at risk and violating compliance policies. 

 

Shielded VMs with Host Guardian Service (HGS) offer a secure mechanism for protecting virtual TPM keys while enabling migration across authorized hosts. HGS performs attestation of Hyper-V hosts and securely releases encryption keys only to trusted hosts, ensuring that virtual TPM keys are never exposed during migration. This approach allows encrypted VMs to move freely while maintaining confidentiality, integrity, and compliance. 

 

Additionally, HGS provides centralized management of encryption keys, simplifies operational procedures, and ensures that only authorized hosts can run Shielded VMs. By implementing Shielded VMs with HGS, administrators achieve both security and flexibility, enabling live migration, maintenance, and disaster recovery scenarios without compromising the protection of sensitive workloads. Therefore, the correct answer is B.

Question 150 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automatic load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

High availability and operational resilience in failover clusters require careful management of VM placement, particularly for mission-critical workloads like SQL Server. VM start order defines boot sequences but does not enforce separation policies. Preferred owners influence initial placement but are advisory, allowing co-location during maintenance or dynamic balancing. Cluster quorum ensures cluster survivability but does not control workload placement. 

Anti-affinity rules combined with dynamic optimization are designed to enforce separation of critical VMs across cluster nodes. Anti-affinity rules specify which VMs cannot run together, preventing simultaneous failure if a node goes down. Dynamic optimization continuously evaluates cluster workloads and automatically migrates VMs to maintain anti-affinity compliance. This approach ensures even distribution of workloads, reduces the risk of downtime, and maintains resource efficiency. 

The cluster actively monitors node utilization, and if any rules are violated, VMs are automatically rebalanced to comply with isolation requirements. For SQL Server VMs and other critical workloads, this ensures that failures on a single node do not impact multiple essential services. Additionally, anti-affinity rules with dynamic optimization reduce manual intervention, streamline operations, and improve overall reliability. By implementing these features, administrators achieve high availability, predictable performance, and compliance with workload isolation policies. Therefore, the correct answer is C.

Question 151 

You manage Windows Server 2022 Hyper-V hosts running Shielded VMs. You need to migrate encrypted VMs between hosts while ensuring virtual TPM keys remain secure. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Node-level TPM passthrough binds the virtual TPM to a single host, providing security while the VM resides on that host. However, it prevents secure migration because the keys would need to be exposed to move the VM to another host, which is unacceptable for compliance and security policies.

Cluster Shared Volume redirected mode ensures storage resiliency, allowing VMs to maintain access during storage path failures. It does not manage encryption or secure virtual TPM keys, so it cannot provide safe migration for encrypted workloads.

Migrating VMs without encryption exposes sensitive data by removing protections provided by virtual TPM and BitLocker. This approach risks data compromise and violates security requirements.

Shielded VMs with Host Guardian Service manage encryption keys and attest hosts to ensure only authorized systems can host the VM. This method allows encrypted VMs to migrate securely between hosts without exposing virtual TPM keys, maintaining both security and operational flexibility.

For secure migration of encrypted VMs while protecting virtual TPM keys, Shielded VMs with Host Guardian Service must be implemented. Therefore, the correct answer is B.

Question 152 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical VMs must not reside on the same node and automatic balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

In a Windows Server 2022 failover cluster hosting SQL Server VMs, workload placement is a critical aspect of ensuring high availability and operational efficiency. Certain workloads are designated as critical, meaning they must remain highly available and resilient to node failures. Co-locating critical VMs on the same cluster node increases the risk of simultaneous downtime during hardware or host failures, so mechanisms must be in place to enforce separation.

VM start order is a feature that ensures VMs boot in a predefined sequence when the cluster starts or when nodes are rebooted. While this is useful for managing dependencies—like ensuring domain controllers start before application servers—it does not control dynamic placement during normal operations. Multiple critical VMs could still reside on the same node after migrations triggered by maintenance or load balancing.

Preferred owners define which nodes are preferred for hosting specific VMs. Administrators can influence initial VM placement, but preferred owners are not a strict enforcement mechanism. If a node fails or cluster optimization triggers VM movement, critical VMs could still co-locate on the same node. This means preferred owners alone cannot guarantee separation or prevent risk during dynamic rebalancing.

Cluster quorum settings maintain cluster availability by determining the minimum number of nodes required for operational health. While quorum ensures that the cluster can tolerate node failures without downtime, it does not influence where VMs are placed within the cluster. It ensures resiliency but does not enforce anti-affinity policies or workload distribution.

Anti-affinity rules, combined with dynamic optimization, provide the appropriate solution. Anti-affinity rules explicitly prevent specified VMs from running on the same host. Dynamic optimization continuously evaluates cluster conditions—CPU, memory usage, and VM placement—and can automatically move VMs to maintain balance and enforce anti-affinity policies. This ensures that critical workloads are distributed across multiple nodes, reducing single points of failure and maintaining high availability. By combining strict separation with automatic rebalancing, clusters can optimize resource utilization while maintaining compliance with operational and risk management requirements.

Question 153 

You manage Windows Server 2022 with Azure File Sync. Branch servers recall large files frequently, resulting in network congestion. You need to prioritize essential files. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

When managing Windows Server 2022 with Azure File Sync in branch environments, network congestion can become a critical issue, particularly when large files are frequently recalled from the cloud. Azure File Sync enables cloud tiering, where frequently accessed files are cached locally on branch servers, while less frequently used files remain in the cloud to save storage. However, when multiple users simultaneously request large files, the network can be overwhelmed, leading to performance degradation.

Cloud tiering minimum file age is a setting that determines how long new files must remain in the cache before being eligible for offloading. While this reduces unnecessary caching and prevents churn, it does not prioritize which files are recalled first during periods of high network utilization. Essential files could still be delayed, leading to operational inefficiencies.

Offline files mode allows local access to files even when a server is disconnected from the network. While this improves user experience for disconnected scenarios, it does not control the order in which files are recalled or how network bandwidth is allocated during high-demand periods.

Background tiering deferral schedules the offloading of files to cloud storage during periods of low activity. This reduces network load during peak times but does not actively prioritize critical files during recalls. Important business-critical files may still experience delays if multiple files are requested simultaneously.

Recall priority policies directly address the problem of network congestion while ensuring critical workflows remain efficient. Administrators can assign priority levels to specific files or directories. When multiple recall requests occur, high-priority files are retrieved first, while lower-priority files wait their turn. This ensures essential business operations continue without delay and reduces bandwidth consumption by avoiding unnecessary recalls of non-essential files.

By implementing recall priority policies, organizations gain granular control over file retrieval behavior. This ensures that critical workloads remain responsive, improves user experience, and optimizes network utilization. It is a proactive approach that addresses both performance and operational efficiency, rather than simply deferring operations or delaying caching.

Question 154 

You manage a Windows Server 2022 RDS deployment integrated with Azure MFA. Users report login failures due to delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

In a Windows Server 2022 Remote Desktop Services (RDS) deployment integrated with Azure Multi-Factor Authentication (MFA), login failures due to delayed MFA responses are a common operational challenge. Azure MFA introduces an additional verification step to authenticate users, such as a push notification, SMS code, or phone call. While this enhances security, any network latency, service delays, or authentication server load can result in users being unable to complete the MFA verification within the default timeout window, causing login failures.

Reducing session persistence affects how long a user session remains active. While shorter sessions can improve resource utilization, it does not address the issue of MFA handshake delays. In fact, it may increase the likelihood of repeated logins and further expose users to timeout errors if MFA responses are slow.

Disabling conditional access might remove MFA requirements entirely, bypassing the problem. However, this approach compromises security, violating organizational policies, compliance standards, and best practices for protecting sensitive systems. It is not a viable solution in regulated or security-conscious environments.

Enabling persistent cookies allows users to remain authenticated across sessions, reducing repeated MFA prompts. While this improves usability, it does not address the root cause of the delayed MFA response during the initial login attempt. Users would still encounter failures if the verification process takes longer than the allowed timeout.

The correct approach is to increase the NPS (Network Policy Server) extension timeout. The NPS extension is responsible for processing Azure MFA responses during authentication. By extending the timeout, administrators provide additional time for the MFA server to respond to verification requests. This accommodates temporary network congestion, service latency, or delays in the MFA verification process. Increasing the timeout ensures that legitimate users are not blocked due to transient delays, maintaining a balance between usability and security.

Implementing this change is straightforward and can significantly reduce failed login attempts without disabling MFA or weakening security controls. It ensures users can complete authentication even under non-ideal conditions, while the organization maintains compliance with security policies. It also avoids introducing workarounds that might expose sensitive resources.

Question 155 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys are protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

In Windows Server 2022 Hyper-V environments, virtual TPM (vTPM) keys are crucial for encrypting sensitive virtual machines (VMs). These keys enable Shielded VMs, ensuring that BitLocker and other encryption technologies function correctly. For certain VMs that require encryption, it is essential that vTPM keys remain protected, especially during migrations between hosts.

Node-level TPM passthrough binds a VM to the physical TPM of a single Hyper-V host. While this approach provides strong encryption while the VM resides on that host, it introduces a significant limitation. If the VM must migrate to another host, the vTPM keys must either be transferred or exposed, which is a security risk. This violates compliance policies and exposes sensitive workloads to potential compromise, making it unsuitable for environments requiring VM mobility.

Cluster Shared Volume (CSV) redirected mode addresses storage resiliency, allowing VMs to maintain continuous access to storage during node failures. However, it does not manage vTPM keys or enable secure migration of encrypted VMs. While CSV ensures operational continuity, it does not protect encrypted data in motion.

Migrating VMs without encryption would remove all protections provided by the vTPM. Although technically possible, this approach exposes sensitive workloads to data breaches and compromises the security posture of the organization. For compliance-driven workloads, this is not acceptable.

The optimal solution is implementing Shielded VMs with Host Guardian Service (HGS). HGS provides a centralized service that attests Hyper-V hosts and securely manages vTPM keys. Only authorized, attested hosts can decrypt and run Shielded VMs. During migration, vTPM keys are never exposed; they are transferred securely under the control of HGS. This allows encrypted VMs to move seamlessly between hosts while ensuring compliance with organizational security policies. Shielded VMs with HGS not only protect sensitive data but also provide operational flexibility, enabling live migration, disaster recovery, and load balancing without compromising security.

Question 156 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automatic load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

In Windows Server 2022 failover clusters hosting SQL Server VMs, maintaining workload separation and automatic load balancing is critical for high availability. Certain workloads are classified as critical, meaning they require continuous operation and minimal risk of simultaneous downtime. If multiple critical VMs reside on the same node, a single node failure could cause multiple workloads to fail at once, resulting in significant operational impact.

VM start order controls the sequence in which VMs boot during cluster startup. While it ensures that dependencies, such as database servers starting before applications, are respected, it does not prevent co-location of VMs during normal operations. Critical workloads could still end up on the same node after dynamic load balancing or maintenance migrations.

Preferred owners influence initial placement by suggesting which nodes should host specific VMs. Although this can guide VM placement, it does not enforce strict separation. If cluster optimization or node failures occur, critical VMs may still be placed on the same node, increasing risk.

Cluster quorum settings maintain cluster resiliency by defining the number of nodes required for operational health. While quorum ensures availability in case of node failures, it does not affect VM placement or enforce separation policies.

Anti-affinity rules combined with dynamic optimization address these challenges. Anti-affinity rules explicitly prevent specified VMs from running on the same host, ensuring critical workloads are isolated. Dynamic optimization continuously monitors cluster conditions, including CPU and memory utilization, and automatically rebalances VMs to enforce anti-affinity rules. This proactive approach reduces the risk of simultaneous failure, optimizes resource usage, and maintains high availability for critical workloads. By continuously enforcing separation and automatically adjusting placement, anti-affinity with dynamic optimization ensures both operational efficiency and resilience.

Question 157 

You manage Windows Server 2022 with Azure File Sync. Branch servers frequently recall large files, causing network congestion. You need to prioritize essential files. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

When managing Windows Server 2022 with Azure File Sync, branch servers may frequently recall large files from the cloud, causing network congestion and reduced performance. Azure File Sync enables cloud tiering, which keeps frequently accessed files cached locally while offloading less-used files to the cloud. However, in high-demand environments, large file recalls can saturate network bandwidth, affecting critical workloads.

Cloud tiering minimum file age controls how long new files remain in the cache before offloading. While this reduces unnecessary caching churn, it does not prioritize which files are recalled first when multiple requests occur. Essential files may be delayed, impacting operations.

Offline files mode allows local access when disconnected from the network. While this improves usability, it does not prioritize network traffic or manage recall order. Users may still experience delays when accessing critical files.

Background tiering deferral schedules the offloading of files during low-usage periods to reduce network load. While effective for bandwidth management, it does not ensure that essential files are retrieved promptly when requested, leaving critical workloads potentially stalled.

Recall priority policies directly address this challenge. Administrators can assign priority levels to files or directories, ensuring high-priority files are retrieved first during simultaneous recall requests. This mechanism allows critical business processes to continue without delay while preventing unnecessary bandwidth consumption for lower-priority files. By implementing recall priority policies, organizations can optimize network usage, maintain responsive user experiences, and ensure that essential workloads are prioritized during high-demand scenarios.

Question 158 

You manage a Windows Server 2022 RDS deployment with Azure MFA. Users report login failures caused by delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

In a Windows Server 2022 RDS deployment integrated with Azure MFA, users may experience login failures due to delayed MFA responses. Azure MFA introduces an extra verification step, such as a push notification, phone call, or text message, which ensures that only authorized users can access resources. However, temporary network latency, service delays, or high load on the MFA server can prevent timely responses, leading to failed authentication attempts.

Reducing session persistence decreases the duration of user sessions but does not resolve delays in MFA verification. It could worsen user experience by forcing repeated logins while the underlying issue remains unresolved.

Disabling conditional access would bypass MFA entirely, allowing users to log in without completing multi-factor authentication. While this approach may reduce failures, it compromises security and violates compliance standards, making it unacceptable for organizations with regulatory obligations.

Persistent cookies allow users to remain authenticated across multiple sessions, reducing repeated MFA prompts. While this improves convenience, it does not address the initial MFA handshake delays that are causing login failures.

The most effective solution is to increase the NPS (Network Policy Server) extension timeout. The NPS extension interacts with Azure MFA during the authentication process. By extending the timeout, administrators allow additional time for MFA verification to complete, accommodating network delays or temporary MFA service latencies. This ensures that legitimate users can authenticate successfully without reducing security standards. Implementing a longer NPS timeout maintains both operational efficiency and compliance, providing a balance between usability and security.

Question 159 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys remain protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

In Windows Server 2022 Hyper-V environments, securing virtual TPM (vTPM) keys is critical for protecting sensitive VMs. VMs requiring encryption must ensure that vTPM keys remain secure, especially during migrations between hosts.

Node-level TPM passthrough allows a VM to use a physical TPM on a specific host. While this provides security for the VM on that host, migration to another host would require exposing the keys, which violates security policies and compliance requirements. Therefore, node-level TPM passthrough is not suitable for encrypted VMs requiring mobility.

Cluster Shared Volume (CSV) redirected mode ensures storage availability during node failures but does not protect vTPM keys or encrypted workloads during migration. It only addresses storage continuity.

Migrating VMs without encryption removes protections and exposes sensitive workloads to potential compromise. This approach is not acceptable in environments with compliance or data protection requirements.

The correct solution is Shielded VMs with Host Guardian Service (HGS). HGS provides a secure service that attests Hyper-V hosts and manages encryption keys for Shielded VMs. Only authorized hosts can decrypt and run these VMs. During migration, vTPM keys are never exposed; they are securely managed by HGS, allowing safe movement across hosts while maintaining encryption. This approach ensures compliance and operational flexibility, enabling live migration and disaster recovery without compromising security.

Question 160 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automatic load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

In a Windows Server 2022 failover cluster hosting SQL Server VMs, isolating critical workloads and enabling automatic load balancing is essential. Critical workloads must not co-locate, as placing multiple important VMs on the same node increases risk of simultaneous failure in case of node downtime or maintenance.

VM start order controls boot sequencing during cluster startup but does not prevent co-location during normal operations. Critical VMs may still end up on the same node.

Preferred owners influence initial placement but do not enforce strict isolation. When nodes fail or dynamic optimization occurs, critical VMs may still be placed together, increasing risk.

Cluster quorum settings ensure cluster resiliency but do not influence VM placement or enforce workload separation. Quorum is necessary for cluster availability but not workload distribution.

Anti-affinity rules combined with dynamic optimization prevent specified VMs from residing on the same node. Dynamic optimization continuously monitors cluster utilization and automatically moves VMs as needed to enforce separation. This ensures that critical workloads remain isolated, reducing risk of simultaneous failures while maintaining high availability. Anti-affinity rules also optimize resource usage, ensuring efficient load balancing across all cluster nodes.