Free Microsoft SC-100 Exam Braindumps (page: 12)

You have a Microsoft Entra tenant that contains 10 Windows 11 devices and two groups named Group1 and Group2. The Windows 11 devices are joined to the Microsoft Entra tenant and are managed by using Microsoft Intune.
You are designing a privileged access strategy based on the rapid modernization plan (RaMP). The strategy will include the following configurations:
Each user in Group1 will be assigned a Windows 11 device that will be configured as a privileged access device.
The Security Administrator role will be mapped to the privileged access security level. The users in Group1 will be assigned the Security Administrator role.
The users in Group2 will manage the privileged access devices.
You need to configure the local Administrators group for each privileged access device. The solution must follow the principle of least privilege.
What should you include in the solution?

  A. Only add Group2 to the local Administrators group.
  B. Configure Windows Local Administrator Password Solution (Windows LAPS) in legacy Microsoft LAPS emulation mode.
  C. Add Group2 to the local Administrators group. Add the user that is assigned the Security Administrator role to the local Administrators group of the user's assigned privileged access device.

Answer(s): A

Explanation:

Restrict local administrators on privileged access devices
The privileged access device is the workstation that protects the Security Administrator role held by the Group1 user. Under the RaMP privileged access guidance the device is locked down and administered centrally: the team that manages the devices (Group2) needs local administrative rights, but the user who signs in to the device should not have them. If the user's session is compromised, local administrator membership would hand the attacker full control of the very workstation that is supposed to contain the privileged role. Adding only Group2 to the local Administrators group is therefore the least-privilege configuration.
Option C grants each Group1 user administrative control of the device assigned to them, which is exactly what the privileged access device model is meant to prevent. Option B does not address the requirement at all: Windows LAPS (in either native or legacy emulation mode) rotates and stores the password of the built-in local administrator account; it does not control who is a member of the local Administrators group.


Reference:

https://learn.microsoft.com/en-us/security/privileged-access-workstations/security-rapid-modernization-plan



You have an Azure subscription.
You plan to deploy enterprise-scale landing zones based on the Microsoft Cloud Adoption Framework for Azure. The deployment will include a single-platform landing zone for all shared services and three application landing zones that will each host a different Azure application.
You need to recommend which resource to deploy to each landing zone. The solution must meet the Cloud Adoption Framework best-practice recommendations for enterprise-scale landing zones.
What should you recommend?

  A. an Azure firewall
  B. an Azure virtual network gateway
  C. an Azure Private DNS zone
  D. an Azure key vault

Answer(s): D

Explanation:

Shared services versus per-landing-zone resources
In the enterprise-scale architecture, shared network services are deployed once, in the platform (connectivity) landing zone, and consumed by the application landing zones: Azure Firewall and the VPN or ExpressRoute virtual network gateways live in the hub, and Azure Private DNS zones (including the zones for Azure Private Link) are hosted centrally in the connectivity subscription rather than repeated per application. Options A, B and C therefore belong to one landing zone, not to each of the four.
Azure Key Vault is the resource that is deployed to every landing zone. The encryption-and-keys design area recommends a federated Key Vault model: each application landing zone gets its own key vault so that its keys, secrets and certificates are isolated under that application's access control and the vault's transaction limits are not shared across applications, while the platform landing zone keeps a separate vault for platform secrets. A single shared vault would couple the blast radius and the throttling limits of all three applications.


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/encryption-and-keys https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions



HOTSPOT (Drag and Drop is not supported)
You have 1,000 on-premises servers that run Windows Server 2022 and 500 on-premises servers that run Linux.
You have an Azure subscription that contains the following resources:
A Log Analytics workspace
A Microsoft Defender Cloud Security Posture Management (CSPM) plan
You need to deploy Update Management for the servers.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1 (Azure resource): Microsoft Defender for Servers Plan 2
Azure Update Manager is the current service for assessing and deploying updates to Azure VMs and to on-premises servers connected through Azure Arc. The existing Defender CSPM plan does not cover it, but Defender for Servers Plan 2 includes Azure Update Manager for Arc-enabled servers, so enabling Plan 2 is the resource to add.
Incorrect: an Azure Automation account. That was the dependency of the retired Automation Update Management solution. Update Manager is native to Azure and has no dependency on Log Analytics or Azure Automation; it offers zero on-boarding and is the migration target for Automation Update Management.
Box 2 (agent on the servers): Azure Connected Machine agent
Neither the Azure Monitor Agent (AMA) nor the legacy Log Analytics agent (MMA) is required for Update Manager. It relies on the Azure VM Agent for Azure VMs and on the Azure Connected Machine agent for Arc-enabled servers, so the 1,000 Windows and 500 Linux on-premises servers must be onboarded to Azure Arc.


Reference:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan https://learn.microsoft.com/en-us/azure/update-manager/overview https://learn.microsoft.com/en-us/azure/update-manager/migration-overview
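As an added example, not part of this page or of the referenced Microsoft documentation, the following PowerShell inventories the agent state on a set of Windows servers before Update Manager is enabled. It reports whether the Azure Connected Machine agent is installed and connected (the one dependency Update Manager has) and whether the legacy Log Analytics agent or the Azure Monitor Agent is still present, since neither is needed for update management. The server names are constructed placeholders; the script assumes WinRM access with local admin rights on each target, the default install path of azcmagent.exe, and the current text layout of its status output. The Linux servers are not covered here.

```powershell
# Added example: agent readiness inventory for Azure Update Manager on Windows servers.
# Not from the referenced Microsoft docs. Assumes WinRM access and local admin rights on each target.
function Get-UpdateManagerAgentReadiness {
    [CmdletBinding()]
    param(
        # Constructed placeholder names; replace with your real server list (e.g. exported from AD).
        [string[]]$ComputerName = @('SRV-WIN-001', 'SRV-WIN-002')
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Windows service names installed by each agent:
        #   himds / GCArcService / ExtensionService : Azure Connected Machine agent (required)
        #   HealthService                            : legacy Log Analytics agent, MMA (not required)
        #   AzureMonitorAgent                        : Azure Monitor Agent, AMA (not required)
        $services = 'himds', 'GCArcService', 'ExtensionService', 'HealthService', 'AzureMonitorAgent'
        $state = @{}
        foreach ($name in $services) {
            $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
            $state[$name] = if ($svc) { $svc.Status.ToString() } else { 'Absent' }
        }

        # azcmagent.exe ships with the Arc agent; its default install path is assumed here.
        $azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
        $arcStatus = 'NotInstalled'
        if (Test-Path $azcmagent) {
            # 'azcmagent show' prints a human-readable status table whose line of interest reads
            # "Agent Status : Connected". The regex assumes that layout; adjust if your version differs.
            $arcStatus = 'Unknown'
            $line = & $azcmagent show 2>$null | Select-String -Pattern 'Agent Status\s*:\s*(\w+)'
            if ($line) { $arcStatus = $line.Matches[0].Groups[1].Value }
        }

        [pscustomobject]@{
            Computer              = $env:COMPUTERNAME
            ArcAgentStatus        = $arcStatus
            ArcServicesRunning    = ($state['himds'] -eq 'Running') -and
                                    ($state['GCArcService'] -eq 'Running') -and
                                    ($state['ExtensionService'] -eq 'Running')
            LegacyMmaInstalled    = $state['HealthService'] -ne 'Absent'
            AmaInstalled          = $state['AzureMonitorAgent'] -ne 'Absent'
            # Update Manager only needs a connected Arc agent; MMA and AMA are irrelevant to it.
            ReadyForUpdateManager = ($arcStatus -eq 'Connected')
        }
    } | Select-Object Computer, ArcAgentStatus, ArcServicesRunning, LegacyMmaInstalled, AmaInstalled, ReadyForUpdateManager
}

# Usage: feed the full server list and review the servers that are not ready.
# Get-UpdateManagerAgentReadiness -ComputerName (Get-Content .\servers.txt) |
#     Where-Object { -not $_.ReadyForUpdateManager } | Format-Table -AutoSize
```

Servers that report `ArcAgentStatus` of `NotInstalled` or `Disconnected` need to be (re)onboarded to Azure Arc before Update Manager can assess them; a `LegacyMmaInstalled` value of `True` is only informational for this task, but it flags machines still carrying the agent the retired Automation Update Management solution depended on.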



HOTSPOT (Drag and Drop is not supported)
You have an Active Directory Domain Services (AD DS) domain that contains a virtual desktop infrastructure (VDI). The VDI uses non-persistent images and cloned virtual machine templates. VDI devices are members of the domain.
You have an Azure subscription that contains an Azure Virtual Desktop environment. The environment contains host pools that use a custom golden image. All the Azure Virtual Desktop deployments are members of a single Microsoft Entra Domain Services domain.
You need to recommend a solution to deploy Microsoft Defender for Endpoint to the hosts. The solution must meet the following requirements:
Ensure that the hosts are onboarded to Defender for Endpoint during the first startup sequence.
Ensure that the Microsoft Defender portal contains a single entry for each deployed VDI host.
Minimize administrative effort.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1 (a single entry in the Microsoft Defender portal for each deployed VDI host): Add the Defender for Endpoint onboarding script to the virtual machine template.
Box 2 (hosts onboarded to Defender for Endpoint during the first startup sequence): Deploy Defender for Endpoint by using a custom Group Policy Object (GPO).
Non-persistent VDI hosts are rebuilt from the golden image on every session, so the onboarding package has to be baked into the image and executed as a startup script; the Onboard-NonPersistentMachine.ps1 variant of that script is what keeps the portal at one entry per device name across rebuilds. The same startup-script configuration can be delivered by domain Group Policy, which is what makes the approach work with minimal effort for both the on-premises AD DS VDI and the Azure Virtual Desktop hosts in the Microsoft Entra Domain Services domain.
From Microsoft Defender for Endpoint, "Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR", onboarding steps:
1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard.
2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/primary image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.
3. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows Settings > Scripts > Startup.
   Note: Domain Group Policy may also be used for onboarding non-persistent VDI devices.
4. Depending on the method you'd like to implement, follow the appropriate steps:
   4a) For a single entry for each device: select the PowerShell Scripts tab, then select Add (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to the onboarding PowerShell script Onboard-NonPersistentMachine.ps1. There's no need to specify the other file, as it is triggered automatically.
   4b) For multiple entries for each device: select the Scripts tab, then click Add (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to the onboarding batch script WindowsDefenderATPOnboardingScript.cmd.
5. Test your solution: create a pool with one device. Log on to the device, log off from the device, then log on to the device with another user.
6. Depending on the method you implemented:
   - For a single entry for each device: check that only one entry appears in the Microsoft Defender portal.
   - For multiple entries for each device: check that multiple entries appear in the Microsoft Defender portal.
7. Click Devices list on the navigation pane, then use the search function by entering the device name and selecting Device as the search type.


Reference:

https://learn.microsoft.com/en-us/defender-endpoint/configure-endpoints-vdi
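As an added example, not part of this page or of the Microsoft onboarding guide, the following PowerShell checks a golden image (or a freshly provisioned clone) against the procedure above: that the single-entry script is present in the machine startup-scripts folder, that local policy actually registers it, what the Defender for Endpoint onboarding state is, and whether the Sense service is running. It assumes the default startup-scripts path from the guide, that local Group Policy (not a domain GPO) is used, and that the image records PowerShell startup scripts in psscripts.ini next to the Scripts folder.

```powershell
# Added example: validate a non-persistent VDI golden image or clone for Defender for Endpoint onboarding.
# Not from the Microsoft guide. Run elevated; on the golden image before sealing, and again on a booted clone.
function Test-MdeVdiOnboarding {
    [CmdletBinding()]
    param(
        # Path used by the onboarding guide; override if your image stores startup scripts elsewhere.
        [string]$StartupPath = 'C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup'
    )

    $result = [ordered]@{}

    # 1. The single-entry script must exist where the startup policy expects it.
    $script = Join-Path $StartupPath 'Onboard-NonPersistentMachine.ps1'
    $result.ScriptPresent = Test-Path $script

    # 2. The Local Group Policy Editor records PowerShell startup scripts in psscripts.ini one level up.
    #    Assumption: local policy is used; with a domain GPO, inspect the GPO's Scripts folder instead.
    $ini = Join-Path (Split-Path $StartupPath -Parent) 'psscripts.ini'
    $result.ScriptRegistered = (Test-Path $ini) -and
        (Select-String -Path $ini -Pattern 'Onboard-NonPersistentMachine\.ps1' -Quiet)

    # 3. Onboarding state written by the Defender for Endpoint client: 1 = onboarded.
    #    The golden image itself should NOT be onboarded (expect $null or 0 before sealing);
    #    clones produced from an already-onboarded image would not present as distinct devices.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = $state

    # 4. The Sense service is the Defender for Endpoint sensor; it runs once a clone has onboarded.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # 5. Summary for the two lifecycle stages.
    $result.GoldenImageReady = $result.ScriptPresent -and $result.ScriptRegistered -and ($state -ne 1)
    $result.CloneOnboarded   = ($state -eq 1) -and ($result.SenseStatus -eq 'Running')

    [pscustomobject]$result
}

# Usage: Test-MdeVdiOnboarding | Format-List
```

On the golden image the expected result is `GoldenImageReady = True` with `OnboardingState` empty or 0; on a clone after its first startup, `CloneOnboarded = True`. If a clone shows `ScriptPresent` but `OnboardingState` stays empty, the startup script is not being executed, which is the case to debug before checking the portal for duplicate entries.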



Viewing page 12 of 70
Viewing questions 45 - 48 out of 303 questions


