Microsoft AZ-801 Exam Questions
Configuring Windows Server Hybrid Advanced Services (Page 8)

Updated On: 19-Feb-2026

HOTSPOT (Drag and Drop is not supported)

You have a generation 1 Azure virtual machine named VM1 that runs Windows Server and is joined to an Active Directory domain.

You plan to enable BitLocker Drive Encryption (BitLocker) on volume C of VM1.

You need to ensure that the BitLocker recovery key for VM1 is stored in Active Directory.

Which two Group Policy settings should you configure first? To answer, select the settings in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1: Enforce drive encryption type on operating system drives
This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.

Box 2: Choose how BitLocker-protected operating system drives can be recovered
This policy setting is used to configure recovery methods for operating system drives.

Note: How to save BitLocker keys in AD (Active Directory)

Create and configure a GPO (Group Policy Object)
Create a separate Group Policy Object, go to the GPO section listed in the example below, and enable the "Store BitLocker recovery information in AD" policy.



Next, go to the "Operating system Drives" section and activate the "Choose how BitLocker-protected operating system drives can be recovered" policy.



The last option in this policy prevents BitLocker from encrypting the disk until the computer has stored the recovery information in the domain.

Incorrect:
* Configure use of hardware-based encryption for operating system drives
If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.



https://serverspace.io/support/help/bitlocker-active-directory/
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server.

You need to ensure that only specific applications can modify the data in protected folders on Server1.

Solution: From App & browser control, you configure Reputation-based protection.

Does this meet the goal?

  1. Yes
  2. No

Answer(s): B

Explanation:

Instead: From Virus & threat protection, you configure Controlled folder access.
Incorrect:
* Reputation-based protection
Protect your PC from potentially unwanted applications.
Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which may be more harmful or annoying.
Windows Security has reputation-based protection that can help protect your PC from potentially unwanted applications. Potentially unwanted app blocking was first introduced in the Windows 10 May 2020 update and is turned on by default for enterprise customers, but off by default for consumers.
How do I configure it?
To configure potentially unwanted app blocking go to Start > Settings > Update & Security > Windows Security > App & browser control > Reputation-based protection settings.
There you'll find a control that lets you turn potentially unwanted app blocking off, and select if you want to block apps, downloads, or both.



We recommend that you leave this feature on, and that you enable both block apps and block downloads.
Block apps will detect PUA that you've already downloaded or installed, so if you're using a different browser Windows Security can still detect PUA after you've downloaded it.
Block downloads looks for PUA as it's being downloaded, but it only works with the new Microsoft Edge browser.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide
https://support.microsoft.com/en-us/windows/protect-your-pc-from-potentially-unwanted-applications-c7668a25-174e-3b78-0191-faf0607f7a6e



DRAG DROP (Drag and Drop is not supported)

You have an Azure subscription that contains an Azure key vault named Vault1.

You plan to deploy a virtual machine named VM1 that will run Windows Server.

You need to enable encryption at host for VM1. The solution must use customer-managed keys.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Step 1: Enable a system-assigned managed identity on VM1.
You can use customer-managed keys to encrypt your disk caches. Setting up customer-managed keys for your disks requires you to create resources in a particular order, if you're doing it for the first time. First, you'll need to create and set up an Azure Key Vault.

Step 2: Assign the Virtual Machine Contributor role to the system-assigned managed identity of VM1.

Add an Azure RBAC role
Now that you've created the Azure key vault and a key, you must add an Azure RBAC role, so you can use your Azure key vault with your disk encryption set.

1. Select Access control (IAM) and add a role.
2. Add either the Key Vault Administrator, Owner, or Contributor roles.

Step 3: Create a disk encryption set and generate RSA keys


Reference:

https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal



HOTSPOT (Drag and Drop is not supported)

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server. All the servers are on the same network and have network connectivity.

On Server1, Windows Defender Firewall has a connection security rule that has the following settings:

Rule Type: Server-to-server

Endpoint 1: Any IP address

Endpoint 2: Any IP address

Requirements: Require authentication for inbound connections and request authentication for outbound connections
Authentication Method: Computer (Kerberos V5)

Profile: Domain, Private, Public

Name: Rule1

Server2 has no connection security rules.

On Server3, Windows Defender Firewall has a connection security rule that has the following settings:

Rule Type: Server-to-server

Endpoint 1: Any IP address

Endpoint 2: Any IP address

Requirements: Request authentication for inbound and outbound connections

Authentication Method: Computer (Kerberos V5)

Profile: Domain, Private, Public

Name: Rule1

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1: No
On Server1, Rule1 only requests authentication for outbound connections, and Server2 has no connection security rules.
Authentication will not be required.

Box 2: Yes
Server2 has no connection security rules.

Server3 has request authentication for inbound.
A connection can be established.

Box 3: Yes
Server3 requests authentication for outbound connections.
Server1 requires authentication for inbound connections.
Authentication will be required. The connection will be encrypted with Computer (Kerberos V5).


Reference:

https://www.sciencedirect.com/topics/computer-science/connection-security-rule



Your network contains an Active Directory Domain Services (AD DS) forest. The forest functional level is Windows Server 2012 R2. The forest contains the domains shown in the following table.



You create a user named Admin1.

You need to ensure that Admin1 can add a new domain controller that runs Windows Server 2022 to the east.contoso.com domain. The solution must follow the principle of least privilege.

To which groups should you add Admin1?

  1. EAST\Domain Admins only
  2. CONTOSO\Enterprise Admins only
  3. CONTOSO\Schema Admins and EAST\Domain Admins
  4. CONTOSO\Enterprise Admins and CONTOSO\Schema Admins

Answer(s): A

Explanation:

Domain Admins is the AD group that most people think of when discussing Active Directory administration. This group has full admin rights by default on all domain-joined servers and workstations, Domain Controllers, and Active Directory. It gains admin rights on domain-joined computers since when these systems are joined to AD, the Domain Admins group is added to the computer's Administrators group.
Incorrect:
Not C: Members of the Schema Admins group are allowed to make changes to the schema. The schema is the underlying definition of all objects and attributes that make up the forest. Membership in the Schema Admins group is not required for any purpose beyond making schema changes.
Not B, Not D: What is higher than domain admin?
"The enterprise admin... has more authority than domain admins... and has rights across the entire forest." An enterprise admin has full control over the entire forest and can do anything that would affect multiple domains, like linking group policies to a site that can span domain boundaries.


Reference:

https://adsecurity.org/?p=3700





