Microsoft AZ-801 Configuring Windows Server Hybrid Advanced Services Exam Dumps and Practice Test Questions Set 9 Q161-180

Visit here for our full Microsoft AZ-801 exam dumps and practice test questions.

Question 161 

You manage Windows Server 2022 Hyper-V hosts running Shielded VMs. You need to migrate encrypted VMs between hosts while ensuring virtual TPM keys remain secure. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Node-level TPM passthrough allows a virtual machine to access the host’s physical TPM for securing keys. While this approach provides strong security for a VM on a single host, it does not support secure migration to other hosts. Migrating the VM would require exposing sensitive encryption keys, which violates security and compliance requirements. Therefore, this option is not suitable when encrypted VMs need mobility across hosts.

Cluster Shared Volume (CSV) redirected mode is a storage-level feature that ensures resiliency if the storage path fails. This mode redirects I/O to another node when a path is unavailable. While CSV redirected mode helps maintain VM availability and continuity of storage access, it does not provide any mechanism to protect virtual TPM keys during migration. Encrypted workloads remain vulnerable if VM keys are not properly managed.

VM live migration without encryption is the least secure option. It allows VMs to move between hosts without encrypting the live migration traffic. While it ensures mobility, it exposes sensitive workloads, including virtual TPM keys and encrypted data, to potential interception or compromise during transit. This approach is unsuitable for regulatory-compliant environments or workloads that require strong security guarantees.

Shielded VMs with Host Guardian Service (HGS) provide a secure mechanism to protect virtual TPM keys and encrypt VM data. HGS performs host attestation, verifying that only trusted Hyper-V hosts can start or receive the Shielded VM. During migration, keys are never exposed outside authorized hosts, allowing encrypted workloads to move safely while maintaining compliance. This solution provides both operational flexibility and robust security for sensitive workloads.

Implementing Shielded VMs with HGS ensures secure migration, maintains encryption protections, and prevents unauthorized access to virtual TPM keys. Because it addresses the limitations of all other options while providing the required security and operational flexibility, the correct answer is B.

Question 162 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical VMs must not reside on the same node, and automated rebalancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

VM start order allows administrators to control the sequence in which VMs boot within a cluster. While useful for ensuring dependencies are met during startup, it does not control where VMs are placed across nodes. Multiple critical VMs could still reside on the same node, creating a single point of failure and increasing operational risk. Therefore, it does not meet the requirement for separation and automated rebalancing.

Preferred owners guide VM placement by suggesting specific nodes where VMs should initially run. This feature can improve predictability in VM placement but cannot enforce strict separation between critical workloads. During cluster dynamic balancing or maintenance events, VMs may still be moved in ways that result in multiple critical workloads residing on the same node.

Anti-affinity rules combined with dynamic optimization enforce VM placement policies by preventing certain VMs from being located on the same node. The cluster continuously monitors workloads and automatically rebalances them to meet separation requirements. This ensures critical VMs do not co-locate, reducing the risk of simultaneous failure if a node becomes unavailable. Dynamic optimization allows the cluster to make these adjustments without administrator intervention, providing automated load balancing while maintaining high availability.

Cluster quorum settings define the minimum number of nodes that must be online for the cluster to remain functional. Quorum ensures cluster resiliency and prevents split-brain scenarios but has no influence on VM placement or separation policies.

Given the requirements for workload separation and automated rebalancing, anti-affinity rules with dynamic optimization address both concerns. They ensure that critical VMs are never co-located on the same node and automatically adjust placement to maintain high availability, making the correct answer C.

Question 163 

You manage Windows Server 2022 with Azure File Sync. Branch servers frequently recall large files, causing network congestion. You need to prioritize essential files. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

Cloud tiering minimum file age controls how long newly created files remain in the cloud before being cached locally. While this helps reduce unnecessary caching of transient files, it does not allow prioritization of essential files during simultaneous recall requests. Network congestion may still occur if multiple large files are recalled at once, including high-priority workloads.

Offline files mode ensures files are available locally when disconnected from the network. While improving accessibility and reducing dependency on connectivity, this mode does not prioritize which files are recalled first when multiple files are requested, nor does it manage network bandwidth usage efficiently for essential files.

Background tiering deferral schedules the offloading of files from local storage to the cloud to minimize impact on network traffic during peak usage times. While this is useful for bandwidth management, it does not directly control which files are recalled first when multiple requests occur simultaneously. Critical files may still be delayed behind less important files.

Recall priority policies allow administrators to assign priority levels to files or directories. High-priority files are recalled first, ensuring critical workloads are serviced promptly while lower-priority files are deferred. This reduces network congestion, improves performance for essential workloads, and provides predictable file access in branch office environments.

To ensure essential files are prioritized and network congestion is minimized, recall priority policies must be configured. This approach directly addresses both performance and business continuity concerns, making the correct answer B.

Question 164 

You manage a Windows Server 2022 RDS deployment integrated with Azure MFA. Users report login failures due to delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

Reducing session persistence shortens session duration, forcing more frequent re-authentication. This does not address delays in MFA verification and may actually increase login failures because users must authenticate more often, leading to additional MFA prompts that may time out.

Disabling conditional access bypasses MFA enforcement entirely. While this may eliminate login failures temporarily, it removes security controls, potentially violating compliance requirements and exposing the environment to unauthorized access. This is not a viable solution for reducing failures while maintaining security.

Persistent cookies improve user experience by allowing users to skip repeated MFA prompts within a defined period. While convenient, they do not address initial delays in MFA verification, particularly when network latency or service delays occur. Users may still experience authentication failures before the cookie can take effect.

Increasing the NPS extension timeout allows the network policy server (NPS) to wait longer for Azure MFA to respond during the authentication process. This accommodates network delays or temporary service slowness, ensuring that users’ authentication attempts succeed reliably. It addresses the root cause of login failures caused by delayed MFA responses while maintaining full security enforcement.

By increasing the NPS extension timeout, administrators ensure that MFA can complete successfully even under high-latency conditions. This approach balances security and operational reliability, making the correct answer B.

Question 165 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys are protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Node-level TPM passthrough allows a virtual machine to use the physical TPM of a single host. While this provides strong security for a VM operating on one host, it does not support secure migration. Moving the VM to another host would require exposing sensitive encryption keys, which creates a security risk and violates compliance requirements for sensitive workloads.

Cluster Shared Volume (CSV) redirected mode ensures continuity of storage access in the event of storage path failures. It provides high availability for VMs by redirecting I/O to a functional path. However, CSV does not protect virtual TPM keys or manage encryption during migration. Therefore, it cannot ensure secure movement of encrypted VMs between hosts.

Migrating VMs without encryption is inherently insecure. While live migration without encryption ensures operational mobility, it exposes sensitive workloads—including virtual TPM keys and BitLocker-protected data—during transfer. This option fails to meet security policies or regulatory compliance requirements for handling sensitive data.

Shielded VMs with Host Guardian Service (HGS) offer a secure, centrally managed solution. HGS performs attestation on Hyper-V hosts to confirm they are trusted before allowing encrypted VMs to run or migrate there. Virtual TPM keys are never exposed to untrusted hosts, and the VMs maintain encryption throughout migration. This method ensures compliance, security, and operational flexibility, allowing encrypted VMs to move safely across multiple hosts.

Implementing Shielded VMs with HGS protects virtual TPM keys, maintains encryption during migration, and ensures workloads remain compliant with organizational and regulatory security standards. All other options either expose keys or fail to provide secure migration. Therefore, the correct answer is B.

Question 166 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automated load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

VM start order controls the sequence in which VMs boot within the cluster. While useful for ensuring that dependencies are honored during startup, it does not enforce workload separation. Multiple critical VMs could still reside on a single node, creating a single point of failure.

Preferred owners guide VM placement by suggesting nodes where VMs should initially run. This improves placement predictability but cannot enforce strict separation when dynamic cluster balancing or maintenance occurs. Critical workloads might still co-locate if preferred nodes are unavailable.

Anti-affinity rules with dynamic optimization enforce strict separation of VMs across nodes. The cluster continuously monitors placement and automatically migrates VMs as needed to prevent critical workloads from running on the same node. This ensures that node failure does not simultaneously impact multiple critical workloads while maintaining high availability. Dynamic optimization handles the automated rebalancing process without manual intervention.

Cluster quorum settings define the minimum number of nodes required for cluster operation. Quorum ensures cluster resiliency and prevents split-brain scenarios but does not affect VM placement or separation.

Anti-affinity rules combined with dynamic optimization meet both requirements: separating critical VMs and maintaining automated load balancing. They reduce operational risk and ensure high availability, making the correct answer C.

Question 167 

You manage Windows Server 2022 with Azure File Sync. Branch servers frequently recall large files, causing network congestion. You need to prioritize essential files. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

Cloud tiering minimum file age determines how long new files remain in the cloud before being cached locally. This delays caching for new files, helping reduce unnecessary network activity. However, it does not allow administrators to prioritize specific essential files during concurrent recall requests. Critical files may still experience delays if recalled alongside less important files.

Offline files mode makes files available locally when disconnected from the network. This improves user accessibility, but it does not manage the order in which files are recalled from the cloud or reduce congestion when multiple large files are requested simultaneously.

Background tiering deferral schedules offloading of files to the cloud to reduce network traffic at peak times. While it helps optimize bandwidth usage, it does not prioritize essential files for retrieval, leaving critical workloads potentially delayed.

Recall priority policies enable administrators to assign priority levels to files or directories. High-priority files are retrieved first during simultaneous recall requests, ensuring that essential workloads remain responsive. Lower-priority files are deferred, reducing congestion and improving overall performance for critical operations.

Implementing recall priority policies addresses network performance and ensures important files are available promptly. Therefore, the correct answer is B.

Question 168 

You manage a Windows Server 2022 RDS deployment integrated with Azure MFA. Users report login failures caused by delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

Reducing session persistence shortens the duration of user sessions, forcing frequent re-authentication. This does not address delays in MFA verification and can increase login failures, as users are prompted more often for authentication that may time out before completion.

Disabling conditional access bypasses MFA entirely. While this might temporarily reduce login failures, it removes critical security enforcement and may violate compliance requirements.

Persistent cookies improve user convenience by remembering previous MFA validation for a defined period. However, they do not solve initial authentication delays caused by network latency or service slowness. Failures can still occur before cookies take effect.

Increasing the NPS extension timeout provides additional time for the Network Policy Server to wait for MFA responses from Azure. This accommodates network or service delays, ensuring authentication completes successfully. It maintains full security enforcement without compromising usability or compliance.

Increasing the NPS extension timeout directly addresses delayed MFA response issues, providing a balance between reliability and security. Therefore, the correct answer is B.

Question 169 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys remain protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Node-level TPM passthrough secures the VM’s virtual TPM on a single host. While this is secure for stationary VMs, it does not allow safe migration to other hosts. Keys would need to be exposed, which violates security policies for sensitive workloads.

Cluster Shared Volume redirected mode ensures storage resiliency but does not protect virtual TPM keys or enable secure migration of encrypted VMs. Without key protection, migration cannot safely occur.

VM live migration without encryption exposes all VM data, including virtual TPM keys, during transfer. This option fails to meet security and compliance requirements.

Shielded VMs with Host Guardian Service provide a managed solution for protecting virtual TPM keys. HGS attests Hyper-V hosts to ensure only authorized hosts can run or receive the VM. Keys are never exposed during migration, allowing encrypted workloads to move safely while maintaining compliance and security.

This solution ensures operational flexibility, secure migration, and protection of virtual TPM keys. Therefore, the correct answer is B.

Question 170 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automatic load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

VM start order is a feature in Windows Server failover clusters that controls the sequence in which virtual machines boot during cluster startup. This can be useful when certain workloads have dependencies on others, ensuring that critical services are available in the correct order. However, while start order dictates the timing of VM initialization, it does not influence where VMs are placed within the cluster. Multiple critical virtual machines could still reside on the same node. If that node experiences a failure, all co-located critical VMs could become unavailable simultaneously, creating a significant risk to business continuity. Start order alone, therefore, does not provide isolation or load balancing between critical workloads, which is a key requirement in high-availability environments.

Preferred owners offer guidance for VM placement by specifying which nodes a VM should initially run on. This helps ensure that workloads are distributed according to administrator intent during initial placement or after a node failure. However, preferred owners do not guarantee strict separation during ongoing cluster operations. During dynamic optimization or maintenance events, workloads may be automatically moved by the cluster to other nodes. If the preferred node is unavailable or rebalancing is triggered, critical VMs could still end up co-located on the same node, failing to meet separation requirements.

Anti-affinity rules combined with dynamic optimization address both placement and availability concerns. These rules explicitly prevent certain VMs from being placed on the same node. The cluster continuously monitors VM placement and automatically migrates workloads as needed to maintain separation. This ensures high availability, minimizes operational risk, and supports automated load balancing without manual intervention. Cluster quorum settings, while essential for overall cluster health by determining how many nodes must be operational to maintain functionality, do not influence VM placement or separation.

For scenarios requiring automated load balancing and prevention of co-location of critical workloads, anti-affinity rules with dynamic optimization provide the most effective solution, making them the correct choice.

Question 171 

You manage Windows Server 2022 Hyper-V hosts running Shielded VMs. You need to migrate encrypted VMs between hosts while ensuring virtual TPM keys remain secure. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Node-level TPM passthrough allows a virtual machine to directly access the host’s physical TPM. This provides strong local security by ensuring that the virtual TPM keys are tightly bound to a single host. However, this approach is limited because if you try to migrate the VM to another host, the keys cannot move securely. Exposing or transferring the keys would violate security and compliance standards, making it unsuitable for environments where encrypted VM mobility is required.

Cluster Shared Volume (CSV) redirected mode improves storage resiliency by allowing a cluster to continue operating if the primary storage path fails. It provides continuous access to VM storage even during network or storage interruptions. While CSV redirected mode enhances availability, it does not manage encryption keys or virtual TPMs, so it cannot ensure the secure migration of encrypted VMs.

Migrating VMs without encryption removes the protections provided by both the virtual TPM and VM shielding. While this may allow migration to proceed, it exposes sensitive workloads and encryption keys to potential compromise. Regulatory compliance could be violated, and the confidentiality, integrity, and security of critical workloads would be at risk. This approach is not recommended when maintaining secure virtual TPMs is a requirement.

Shielded VMs with Host Guardian Service (HGS) are designed specifically to protect sensitive workloads while enabling mobility. HGS ensures that only authorized hosts can run shielded VMs. Virtual TPM keys remain secure and cannot be extracted during migration, as HGS manages keys centrally and enforces attestation of hosts. This configuration allows encrypted VMs to migrate freely without compromising key security or compliance requirements.

Therefore, considering the need for both encrypted VM migration and protection of virtual TPM keys, Shielded VMs with Host Guardian Service is the correct solution. It uniquely combines secure key management, host attestation, and operational flexibility, ensuring both compliance and business continuity. The correct answer is B.

Question 172 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical VMs must not reside on the same node, and automatic rebalancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

VM start order in a cluster specifies the sequence in which virtual machines boot after a failover or host restart. While this ensures proper initialization of dependent workloads, it does not enforce any policies regarding the distribution of critical VMs across nodes. Multiple critical VMs could still reside on a single node, creating a single point of failure.

Preferred owners allow administrators to designate nodes where VMs are primarily placed during initial deployment or failover. This guides VM placement but does not dynamically prevent co-location during maintenance, cluster balancing, or automated optimization. Critical workloads may still end up on the same node, violating separation requirements.

Anti-affinity rules with dynamic optimization actively monitor the cluster and enforce workload separation. These rules ensure that critical VMs do not reside on the same node. Dynamic optimization continuously rebalances workloads as cluster conditions change, automatically migrating VMs to maintain separation and reduce the risk of simultaneous node failures. This combination ensures both isolation of critical workloads and efficient resource utilization.

Cluster quorum settings define how many nodes must be operational for the cluster to remain functional. While this is crucial for cluster resiliency, it does not influence VM placement, workload distribution, or automated rebalancing.

Question 173 

You manage Windows Server 2022 with Azure File Sync. Branch servers frequently recall large files, causing network congestion. You need to prioritize essential files. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

Cloud tiering minimum file age controls the minimum duration a file remains on the server before it is eligible to be tiered to the cloud. This can help reduce unnecessary recalls for new files but does not prioritize which files should be recalled first. Essential files may still be delayed if many lower-priority files are being requested simultaneously.

Offline files mode enables files to remain available locally even when disconnected from the network. While useful for branch offices with intermittent connectivity, this feature does not manage network prioritization or dictate which files are recalled first during heavy access periods.

Background tiering deferral allows administrators to schedule file tiering to occur during off-peak hours to reduce network congestion. While it helps with general network load, it does not specifically prioritize important or critical files over others, meaning high-priority workloads may still be delayed.

Recall priority policies allow administrators to assign priority levels to files or directories. Files marked as high priority are recalled first when multiple recall requests occur simultaneously. This ensures that essential workloads are available promptly, reduces latency for critical operations, and optimizes network bandwidth usage during periods of high file recall activity.

Given the requirement to prioritize essential files while reducing network congestion, recall priority policies directly address the problem by enforcing prioritization rules and ensuring network efficiency. The correct answer is B.

Question 174 

You manage a Windows Server 2022 RDS deployment integrated with Azure MFA. Users report login failures due to delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

Reducing session persistence decreases the lifespan of user sessions. While this may indirectly affect authentication behavior, it does not address the underlying issue of MFA response delays. Users would still encounter login failures if MFA verification takes longer than expected.

Disabling conditional access bypasses Azure MFA entirely. While this may reduce authentication failures, it would compromise security and violate compliance requirements, leaving critical systems unprotected. This approach is not acceptable in environments requiring multi-factor authentication enforcement.

Enabling persistent cookies allows a device or browser to remember successful MFA authentication, reducing the frequency of repeated prompts. While this improves user experience, it does not address failures caused by delayed MFA verification, such as slow network responses or service latency.

Increasing the NPS (Network Policy Server) extension timeout provides additional time for MFA responses to complete. This setting accommodates delays in Azure MFA, network latency, or temporary service issues, ensuring that users have sufficient time to authenticate successfully without reducing security. By extending the timeout, authentication reliability improves while maintaining compliance with MFA policies.

Therefore, to reduce login failures caused by delayed MFA responses, the correct configuration is to increase the NPS extension timeout, ensuring secure and reliable authentication. The correct answer is B.

Question 175 

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys are protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

Node-level TPM passthrough secures virtual TPM keys on a specific host. This provides strong local security but prevents migration without exposing keys, which violates security requirements for workloads that need mobility.

Cluster Shared Volume redirected mode ensures storage resiliency during path failures. Although useful for maintaining access to VM data, it does not provide encryption key management or secure virtual TPM migration. The VM may be available, but sensitive keys could be exposed during migration.

Migrating VMs without encryption removes protection mechanisms entirely. While migration may succeed, encryption and virtual TPM keys are not protected, exposing critical workloads to potential compromise and non-compliance with security regulations.

Shielded VMs with Host Guardian Service protect virtual TPM keys while allowing migration across authorized hosts. HGS validates that only trusted hosts run the VM, ensuring that encryption keys remain secure throughout the process. This allows both secure migration and compliance with regulatory requirements while maintaining operational flexibility.

To ensure secure migration of encrypted VMs with virtual TPM protection, Shielded VMs with Host Guardian Service must be implemented. The correct answer is B.

Question 176 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automated load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

In a Windows Server failover cluster environment, ensuring that critical virtual machines (VMs) are properly distributed across cluster nodes is essential for maintaining high availability and minimizing the risk of simultaneous failures. One of the mechanisms administrators might consider is VM start order, which determines the sequence in which virtual machines are powered on during cluster startup. While VM start order can ensure that certain dependencies are met—for example, ensuring that a database server boots before an application server—it does not provide any control over where the VMs are placed within the cluster. Consequently, multiple critical VMs could still end up running on the same physical node, leaving them vulnerable to a single point of failure.

Another option often considered is preferred owners. This feature allows administrators to designate preferred nodes for specific VMs, guiding the cluster to attempt placing the VM on the chosen nodes whenever possible. However, preferred owners do not guarantee strict separation, especially during dynamic cluster events such as maintenance mode, live migrations, or load balancing. If the preferred nodes are unavailable or if the cluster’s dynamic optimization process deems it necessary, multiple critical VMs can still co-locate on a single node, creating potential risks.

To address these limitations, anti-affinity rules combined with dynamic optimization are the recommended approach for enforcing workload separation. Anti-affinity rules explicitly instruct the cluster to avoid placing certain VMs on the same node, ensuring that critical workloads are distributed across different hosts. When paired with dynamic optimization, the cluster continuously monitors the placement of VMs and automatically moves them as needed to maintain compliance with the anti-affinity rules. This automated rebalancing significantly reduces the risk of simultaneous failures, as it prevents multiple critical VMs from being impacted by a single node outage.

While cluster quorum settings are vital for maintaining the overall resiliency and operational stability of the cluster—ensuring that the cluster can continue functioning even if some nodes fail—they do not influence VM placement or enforce workload separation. Quorum settings primarily determine how many nodes must be online to maintain cluster control, but they have no mechanism to prevent co-location of critical VMs on a single host.

For scenarios that require automated load balancing while preventing the co-location of critical workloads, anti-affinity rules with dynamic optimization provide the most robust solution. They not only enforce separation policies but also ensure that the cluster continuously monitors and dynamically adjusts VM placement to maintain high availability and minimize operational risk. Therefore, in this context, the correct solution is option C.

Question 177 

You manage Windows Server 2022 with Azure File Sync. Branch servers frequently recall large files, causing network congestion. You need to prioritize essential files. What should you configure?

A) Cloud tiering minimum file age
B) Recall priority policies
C) Offline files mode
D) Background tiering deferral

Answer: B

Explanation: 

In environments using cloud tiering with Windows Server or Azure Files, managing how and when files are cached locally or recalled from the cloud is critical to maintaining performance, especially for workloads with varying importance levels. One feature often considered is the minimum file age setting in cloud tiering. This setting defines how long a newly created or modified file must remain in the local cache before it becomes eligible for offloading to the cloud. While this feature helps prevent frequent uploads of transient files and reduces unnecessary network traffic, it does not influence the order in which files are recalled. Therefore, it cannot prioritize critical files over less important ones during high-demand periods.

Similarly, offline files mode ensures that files are available locally when a client is disconnected from the network. This is particularly useful for laptops or mobile devices that need consistent access to essential documents. However, offline files mode primarily addresses availability and resiliency—it does not manage the sequence in which files are recalled from the cloud or optimize performance when multiple file requests occur simultaneously. As a result, it cannot guarantee that critical workloads receive preferential treatment.

Another feature, background tiering deferral, allows administrators to schedule cloud tiering activities such as file offloading during off-peak hours to reduce network load. While this approach improves overall network efficiency, it is essentially a timing mechanism. Background tiering deferral does not dynamically prioritize which files are recalled first when multiple requests are made concurrently. Therefore, relying on deferral alone does not ensure that mission-critical files are available immediately when needed.

The solution for prioritizing essential files is recall priority policies. These policies allow administrators to assign specific importance levels to individual files, folders, or directories. When multiple recall requests occur simultaneously, the system first retrieves high-priority files, ensuring that critical workloads remain responsive. By defining recall priorities, administrators can optimize both performance and bandwidth usage, avoiding delays for essential operations while still offloading less important data to the cloud. This approach not only maintains application responsiveness but also reduces network congestion by preventing all files from being recalled at once.

To ensure that critical files are retrieved promptly and network performance is optimized, recall priority policies must be implemented. Features like minimum file age, offline files mode, and background tiering deferral provide valuable functionality for caching, availability, and scheduling, but they do not control file retrieval priority. Therefore, in scenarios where the goal is to prioritize essential files, the correct configuration is option B.

Question 178 

You manage a Windows Server 2022 RDS deployment integrated with Azure MFA. Users report login failures caused by delayed MFA responses. You must reduce authentication failures without compromising security. What should you configure?

A) Reduce session persistence
B) Increase NPS extension timeout
C) Disable conditional access
D) Enable persistent cookies

Answer: B

Explanation: 

In environments where Multi-Factor Authentication (MFA) is enforced, users sometimes experience login failures due to delayed responses from the MFA provider or network latency. When troubleshooting these failures, several potential solutions may be considered, but not all of them effectively address the root cause of delayed MFA verification.

One approach administrators might consider is reducing session persistence. Session persistence determines how long an authentication session remains active before requiring re-authentication. While reducing session persistence can shorten the duration of a user’s session, forcing more frequent re-authentication, it does not address the underlying delay in MFA verification. Users may still fail to log in if the MFA response from the authentication provider is slow or times out during the handshake process. Therefore, reducing session persistence does not reliably solve MFA-related login failures.

Another option sometimes suggested is disabling conditional access policies. Conditional access policies enforce MFA, location-based restrictions, device compliance, and other security controls. Disabling these policies might temporarily prevent MFA prompts and allow users to log in without completing the secondary verification. However, this approach significantly compromises security and compliance, exposing sensitive resources to potential unauthorized access. It is therefore not a viable solution in most enterprise environments, especially when regulatory compliance and security best practices are mandatory.

Persistent cookies are also used to reduce the number of repeated login prompts. By storing authentication tokens in a cookie, users can avoid being prompted for MFA multiple times during frequent access sessions. While this improves the user experience in scenarios where logins are frequent, persistent cookies do not resolve delays during the initial handshake with the MFA provider. If the MFA verification itself is slow, login failures can still occur despite the presence of persistent cookies.

The most effective solution in cases of delayed MFA verification is to increase the NPS (Network Policy Server) extension timeout. The NPS extension communicates with the MFA provider during the authentication process, and if the default timeout period is insufficient, authentication requests may fail before the verification is completed. By increasing the timeout, administrators provide additional time for MFA responses to be processed, accommodating temporary network latency, service delays, or high system load. This adjustment ensures that legitimate authentication attempts succeed reliably without compromising existing security policies or disabling MFA enforcement.

To reduce login failures caused by delayed MFA responses, the correct and secure approach is to increase the NPS extension timeout. Options like reducing session persistence, disabling conditional access, or relying solely on persistent cookies do not address the root cause and either fail to resolve login issues or weaken security. Therefore, the correct solution is option B.

Question 179

You manage Windows Server 2022 Hyper-V hosts. Certain VMs require encryption and secure migration. You need to ensure virtual TPM keys remain protected. What should you configure?

A) Node-level TPM passthrough
B) Shielded VMs with Host Guardian Service
C) Cluster Shared Volume redirected mode
D) VM live migration without encryption

Answer: B

Explanation: 

When managing Windows Server 2022 Hyper-V environments, particularly those hosting sensitive workloads, ensuring the security of virtual Trusted Platform Module (vTPM) keys during virtual machine (VM) migrations is critical. Multiple configuration options exist, but not all of them provide the level of security required for moving VMs between hosts.

One option is node-level TPM passthrough, which allows a VM to access the physical TPM on a single host. While this ensures that encryption keys are securely bound to the host, it does not support migrating the VM to another host without exposing the keys. Any attempt to move such a VM would either fail or require potentially unsafe key transfer, which could compromise security. Therefore, node-level TPM passthrough alone is insufficient for scenarios requiring secure VM mobility.

Another consideration is Cluster Shared Volume (CSV) redirected mode, which provides resiliency for storage by redirecting IO through a different node in the event of a failure. While this ensures that VMs continue to access their storage during host outages, it does not protect virtual TPM keys during VM migration. CSV redirected mode is primarily a storage availability feature and offers no mechanism for securely handling encryption keys across multiple hosts.

Some might think of simply migrating VMs without encryption as a solution. While this approach removes barriers to VM mobility, it completely exposes sensitive workloads, including any data protected by the virtual TPM. Removing encryption undermines both compliance and security requirements and is not suitable for production environments where confidentiality and integrity must be maintained.

The correct and secure solution is to use Shielded VMs in combination with the Host Guardian Service (HGS). Shielded VMs are designed specifically to protect VMs from unauthorized access and tampering. When integrated with HGS, the virtual TPM keys and other encryption secrets are centrally managed and only released to authorized Hyper-V hosts. This allows administrators to safely migrate encrypted VMs between hosts without ever exposing the keys, ensuring that the confidentiality of sensitive workloads is maintained. Additionally, this approach supports compliance with regulatory and organizational security policies while providing operational flexibility in a clustered or multi-host environment.

Question 180 

You manage a Windows Server 2022 failover cluster hosting SQL Server VMs. Critical workloads must not co-locate, and automated load balancing is required. What should you configure?

A) VM start order
B) Preferred owners
C) Anti-affinity rules with dynamic optimization
D) Cluster quorum settings

Answer: C

Explanation: 

In a Windows Server failover cluster, ensuring high availability for critical workloads requires not only proper VM boot sequencing but also careful control over VM placement. One mechanism administrators often consider is VM start order, which defines the sequence in which virtual machines are powered on during cluster startup. While this ensures that dependencies are met—for instance, that database servers start before dependent application servers—it does not enforce separation of critical workloads. Multiple important VMs could still end up on the same node, creating a single point of failure.

Another feature is preferred owners, which allows administrators to specify nodes where a VM should preferably run. This guides the cluster’s initial placement decisions. However, preferred owners do not guarantee strict separation, particularly during dynamic cluster operations such as live migrations or automatic load balancing. Critical VMs may still co-locate if preferred nodes are unavailable or if the cluster deems another node more suitable based on resource utilization.

The most effective approach for enforcing workload separation is anti-affinity rules combined with dynamic optimization. Anti-affinity rules instruct the cluster to avoid placing specified VMs on the same node. When paired with dynamic optimization, the cluster continuously monitors VM placement and automatically rebalances workloads as needed. This ensures that critical VMs remain distributed across multiple hosts, reducing the risk of simultaneous failures and maintaining high availability for essential services.

While cluster quorum settings are crucial for overall cluster resiliency, they do not influence VM placement or enforce separation policies. Therefore, for automated balancing and preventing co-location of critical workloads, the correct solution is anti-affinity rules with dynamic optimization, making option C the appropriate choice.