You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains the resources shown in the following table.

Sub1 has Microsoft Defender for Servers enabled. You are assigned the Contributor role for Sub1.

You need to implement just-in-time (JIT) VM access for VM1.

What should you do first?
Answer(s): A
HOTSPOT (Drag and Drop is not supported)

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains an organizational unit (OU) named OU1. OU1 contains servers that run sensitive workloads.

You plan to add connection security rules that meet the following requirements:

* The servers in OU1 must only accept connections from domain-joined
* The servers in OU1 must only be able to communicate with domain-joined

You create a Group Policy Object (GPO) named GPO1 and link GPO1 to contoso.com.

You need to configure a connection security rule in GPO1 by using Windows Defender Firewall with Advanced Security.

How should you configure the rule? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:
Box 1: Isolation

Rule Type

There are five different types of connection security rules that you can create:

* Isolation--allows you to restrict communication to only those hosts that can authenticate using specific credentials. For example, you can allow communications only to computers that are joined to an Active Directory domain.

Incorrect:

* Authentication exemption--allows you to configure exemptions to the isolation rules, such as an exemption that would allow connections to a DNS server without the requirement to authenticate.
* Tunnel--allows you to create rules that work in the same way as server-to-server rules but are implemented through tunnels (site-to-site connections).

Box 2: Require authentication for inbound and outbound connections

Requirements:

Box 3: Computer (Kerberos V5)

Authentication method:

You have four choices here:

* You can choose Default and use the authentication methods that are defined in the IPsec settings.
* You can choose Computer and User to use Kerberos v5 and restrict communications to connections from domain-joined users and computers only.
*-> You can choose Computer to use Kerberos v5 and restrict communications to connections from domain-joined computers only.
* You can choose the Advanced option and specify custom settings for first and second authentication methods.
https://www.sciencedirect.com/topics/computer-science/connection-security-rule
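The three selections above can also be expressed with the NetSecurity PowerShell cmdlets. This is an added example, not part of the original answer: GPO1 and contoso.com come from the question, while the display names are hypothetical.

```powershell
# Added example. Display names are hypothetical; GPO1 and contoso.com are from the question.
$store = 'contoso.com\GPO1'

# Load the GPO into a local session so all changes are written back in one save.
$gpo = Open-NetGPO -PolicyStore $store

# Box 3: Computer (Kerberos V5) as the first authentication method.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'OU1 Computer Kerberos' `
                -Proposal $proposal -GPOSession $gpo

# Box 1 and Box 2: an isolation rule is a connection security rule that
# requires authentication for both inbound and outbound connections.
New-NetIPsecRule -DisplayName 'OU1 Domain Isolation' `
    -Profile Domain `
    -InboundSecurity Require `
    -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -GPOSession $gpo

# Write the cached changes back to GPO1.
Save-NetGPO -GPOSession $gpo

# Check what was stored in the GPO.
Get-NetIPsecRule -PolicyStore $store -DisplayName 'OU1 Domain Isolation' |
    Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity, Phase1AuthSet

# On an affected server, after Group Policy refresh and some traffic,
# authenticated peers appear as main mode security associations.
Get-NetIPsecMainModeSA
```

With Require set in both directions, traffic to hosts that cannot authenticate is dropped, which is the case the authentication exemption rule type listed above exists for.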
DRAG DROP (Drag and Drop is not supported)

You have a Windows Server failover cluster named Cluster1 that contains the Cluster Shared Volumes (CSV) shown in the following table.

All the nodes in Cluster1 have BitLocker Drive Encryption (BitLocker) installed.

You need to use PowerShell to enable BitLocker on Volume1.

In which order should you run the commands? To answer, drag the appropriate commands to the correct order. You may need to drag the split bar between panes or scroll to view content.

Note: Each correct selection is worth one point.

Select and Place:
Step 1: Get-ClusterSharedVolume -Name "Volume1" | Suspend-ClusterResource

Use BitLocker with Cluster Shared Volumes (CSV)

Encrypt using a recovery key

Encrypting the drives using a recovery key will allow a BitLocker recovery key to be created and added into the Cluster database. As the drive is coming online, it only needs to consult the local cluster hive for the recovery key.

(Move the disk resource to the node where BitLocker encryption will be enabled.)

    Get-ClusterSharedVolume -Name "Cluster Disk 1" | Move-ClusterSharedVolume -Node Node1

Put the disk resource into Maintenance Mode [Step 1]:

    Get-ClusterSharedVolume -Name "Cluster Disk 1" | Suspend-ClusterResource

A dialog box will pop up that says:

    Suspend-ClusterResource
    Are you sure that you want to turn on maintenance for Cluster Shared Volume 'Cluster Disk 1'? Turning on maintenance will stop all clustered roles that use this volume and will interrupt client access.

Step 2: Enable-BitLocker -MountPoint "C:\ClusterStorage\Volume1" -RecoveryPasswordProtector

To enable BitLocker encryption, run:

    Enable-BitLocker -MountPoint "C:\ClusterStorage\Volume1" -RecoveryPasswordProtector

Once the command is entered, a warning appears and provides a numeric recovery password. Save the password in a secure location, as it is also needed in an upcoming step. The warning looks similar to this:

Step 3: $KeyProtectorID = (Get-BitlockerVolume - MountPoint ..

To get the BitLocker protector information for the volume, the following command can be run:

    (Get-BitlockerVolume -MountPoint "C:\ClusterStorage\Volume1").KeyProtector

Step 4: Get-ClusterSharedVolume "Volume1" | Set-ClusterParameter -Name BitLockerProtectorInfo -Value ... -Create

The key protector ID and recovery password will be needed and saved into a new physical disk private property called BitLockerProtectorInfo. This new property will be used when the resource comes out of Maintenance Mode. The format of the protector will be a string where the protector ID and the password are separated by a ":".

    Get-ClusterSharedVolume "Cluster Disk 1" | Set-ClusterParameter -Name BitLockerProtectorInfo -Value "{26935AC3-8B17-482D-BA3F-D373C7954D29}:271733-258533-688985-480293-713394-034012-061963-682044" -Create

Step 5: Get-ClusterSharedVolume -Name "Volume1" | Resume-ClusterResource

Now that the information is present, the disk can be brought out of maintenance mode once the encryption process is completed.

    Get-ClusterSharedVolume -Name "Cluster Disk 1" | Resume-ClusterResource

If the resource fails to come online, it could be a storage issue, an incorrect recovery password, or some other issue. Verify that the BitLockerProtectorInfo key has the proper information. If it doesn't, the commands previously given should be run again. If the problem isn't with this key, we recommend working with the proper group within your organization or the storage vendor to resolve the issue.
https://learn.microsoft.com/en-us/windows-server/failover-clustering/bitlocker-on-csv-in-ws-2022
You have an on-premises server named Server1 that runs Windows Server 2022 Standard.

You have an Azure subscription that contains the virtual machines shown in the following table.

The subscription contains a Microsoft Sentinel instance named Sentinel1 in the Central US Azure region.

You need to implement the Windows Firewall connector.

Which servers can send Windows Firewall logs to Sentinel1?
Answer(s): E
VM1 and VM2 are located in Azure regions (West US and Central US), and since Microsoft Sentinel (Sentinel1) is in the Central US region, both of these virtual machines can send their Windows Firewall logs to Sentinel1. This includes VM1 with Windows Server 2022 Datacenter: Azure Edition and VM2 with Windows Server 2019 Datacenter.

Server1, which runs Windows Server 2022 Standard on-premises, can also send logs to Sentinel1 since it can be connected to Microsoft Sentinel through agents that enable on-premises servers to integrate with Azure Sentinel.

VM3, although located in the Central US region, runs Windows Server 2016 Datacenter, which may not support some of the required integration features out of the box without additional configuration or updates. Therefore, it is less likely to send logs to Sentinel1 unless further steps are taken.
HOTSPOT (Drag and Drop is not supported)

Your network contains an on-premises Active Directory Domain Services (AD DS) domain.

The domain contains the servers shown in the following table.

Server1 has the connection security rule as shown in the Server exhibit. (Click the Server1 tab.)

Server2 has the connection security rule as shown in the Server2 exhibit. (Click the Server2 tab.)

Server1 has the inbound firewall rules as shown in the Server1 inbound rules exhibit. (Click the Server1 inbound rules tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Hot Area:
Server2 can ping Server1 successfully: Yes.

The inbound firewall rules on Server1 allow ICMP traffic for both ICMPv4 and ICMPv6 (the protocols used for ping). This means that Server2 should be able to ping Server1 successfully.

Server2 can connect to a file share on Server1: Yes.

The inbound rules on Server1 allow SMB (Server Message Block) traffic, which is used for file sharing, so Server2 can connect to file shares on Server1.

Server3 can connect to a file share on Server1: Yes.

The same inbound rules on Server1 that allow file sharing via SMB apply to Server3 as well, meaning Server3 should be able to connect to file shares on Server1.
Ernest Commented on October 27, 2025 Some answers seem to be wrong. Students are advised to review any questions that they are unsure of using MS Learn. Anonymous
Mav Commented on June 10, 2025 Question 29 is missing the answers in the reveal answers section. Anonymous
BitShifter Commented on May 05, 2025 AZ-801 practice questions got updated, makin' studyin' way easier. Finland
Philippe Commented on January 22, 2023 I am impressed with the quality of these dumps. The questions and answers were easy to understand and the Xengine App was very helpful to use. CANADA