[Microsoft] AZ-801 - Windows Server Hybrid Admin Associate Exam Dumps & Study Guide

Free [Microsoft] AZ-801 - Windows Server Hybrid Admin Associate Practice Questions Preview

• Question 1

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
  You have a server named Server1 that runs Windows Server.
  You need to ensure that only specific applications can modify the data in protected folders on Server1.
  Solution: From Virus & threat protection, you configure Controlled folder access.
  Does this meet the goal?
  

  • A. Yes
  • B. No

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A. Controlled folder access is specifically designed to prevent unauthorized or malicious applications from modifying files in protected directories.

  Reason

  The solution is correct because Controlled folder access (a feature of Microsoft Defender Antivirus) monitors apps that attempt to make changes to files in protected folders. By default, it blocks unknown or untrusted apps and allows only those on a specific allowed apps list, directly meeting the requirement to ensure only specific applications can modify the data.

  Why the other options are not as suitable

  • Option B is incorrect because the proposed solution Controlled folder access is the precise security mechanism within Windows Server and Windows 10/11 intended for this purpose. Selecting 'No' would imply that this feature does not perform the required task, which is factually inaccurate in the context of Windows Defender security capabilities.

  Citations

  • https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders?view=o365-worldwide
  • https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide

• Question 2

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
  You have a server named Server1 that runs Windows Server.
  You need to ensure that only specific applications can modify the data in protected folders on Server1.
  Solution: From Virus & threat protection, you configure Tamper Protection
  Does this meet the goal?
  

  • A. Yes
  • B. No

  Correct Answer: B

  Explanation:

  I agree with the suggested answer B (No) because Tamper Protection is designed to protect security settings from being disabled by unauthorized users or malware, rather than controlling application-level access to specific data folders.

  Reason

  The correct answer is B (No) because the scenario describes a need for Controlled folder access. Controlled folder access is a feature within Microsoft Defender Antivirus that monitors applications for attempts to modify files in protected folders and blocks those that are not on an approved list. This is the specific mechanism intended to protect data folders from ransomware and unauthorized modification.

  Why the other options are not as suitable

  • Option A is incorrect because Tamper Protection focuses on locking down Microsoft Defender Antivirus configuration settings (such as real-time protection, cloud-delivered protection, and security intelligence updates). It prevents malicious apps or local users from turning off your antivirus, but it does not manage or restrict which applications can write data to specific disk directories or user folders.

  Citations

  • https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders
  • https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection

• Question 3

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
  You have a server named Server1 that runs Windows Server.
  You need to ensure that only specific applications can modify the data in protected folders on Server1.
  Solution: From App & browser control, you configure the Exploit protection settings.
  Does this meet the goal?
  

  • A. Yes
  • B. No

  Correct Answer: B

  Explanation:

  I agree with the suggested answer B. The proposed solution is incorrect because Exploit protection is designed to mitigate memory-based attacks and system vulnerabilities, not to manage folder access permissions for specific applications.

  Reason

  Option B is correct because the described solution fails to address the requirement. To ensure only specific applications can modify data in protected folders, you must use Controlled folder access, which is a feature found under Virus & threat protection settings in Windows Security, rather than Exploit protection.

  Why the other options are not as suitable

  • Option A is incorrect because Exploit protection (found in App & browser control) focuses on techniques like ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). It does not provide the Controlled folder access functionality required to whitelist specific applications for data modification in protected directories.

  Citations

  • https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders
  • https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection

• Question 4

  DRAG DROP -
  You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.
  The AD DS domain contains a domain controller named DC1. DC1 does NOT have internet access.
  You need to configure password security for on-premises users. The solution must meet the following requirements:
  ✑ Prevent the users from using known weak passwords.
  ✑ Prevent the users from using the company name in passwords.
  What should you do? To answer, drag the appropriate configurations to the correct targets. Each configuration may be used once, more than once, or not at all.
  You may need to drag the split bar between panes or scroll to view content.
  NOTE: Each correct selection is worth one point.
  Select and Place:
  
  

  Correct Answer: See interactive view.

  Explanation:

  I agree with the suggested answer. The configuration correctly maps the components of Azure AD Password Protection (now Microsoft Entra Password Protection) to their required locations to protect on-premises AD DS environments.

  Reason

  Install the Azure AD Password Protection DC agent on DC1 is correct because the DC agent must be installed on every Domain Controller that needs to validate password changes against the banned password list. Install the Azure AD Password Protection proxy service on a member server is correct because DC1 lacks internet access; the proxy service acts as a gateway between the internal DC agents and the Azure service. Configure Azure AD Password Protection in Azure is correct because the global settings, including the Custom banned password list (for the company name) and Enforce password protection on Active Directory Domain Services, are managed centrally in the Azure portal.

  Why the other options are not as suitable

  Configure Azure AD Identity Protection is incorrect because Identity Protection focuses on risk-based conditional access and identity compromise detection (like leaked credentials or sign-in risk) rather than enforcing specific password string policies. Install the Azure AD Pass-through Authentication Agent is incorrect because Pass-through Authentication is a sign-on method that validates passwords against on-premises AD, but it does not provide the mechanism to enforce banned or custom password lists during password changes.

  Citations

  • https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

• Question 5

  HOTSPOT -
  The Default Domain Policy Group Policy Object (GPO) is shown in the GPO exhibit. (Click the GPO tab.)
  
  The members of a group named Service Accounts are shown in the Group exhibit. (Click the Group tab.)
  
  An organizational unit (OU) named ServiceAccounts is shown in the OU exhibit. (Click the OU tab.)
  
  You create a Password Settings Object (PSO) as shown in the PSO exhibit. (Click the PSO tab.)
  
  For each of the following statements, select Yes if the statement is true. Otherwise, select No.
  NOTE: Each correct selection is worth one point.
  Hot Area:
  
  

  Correct Answer: See interactive view.

  Explanation:

  I agree with the suggested answer and the majority of the community discussion. The logic hinges on how Password Settings Objects (PSOs), which provide Fine-Grained Password Policies, are applied directly to users or groups and override the Default Domain Policy GPO settings.

  Reason

  The first statement is Yes because ServiceAccount1 is a member of the Service Accounts security group. Since the Service Accounts Policy (PSO) is applied directly to that group and specifies a Minimum password length of 16, it overrides the domain-wide policy of 7. The second statement is No because ServiceAccount2 is not a member of the Service Accounts group; it only resides in the ServiceAccounts OU. PSOs cannot be applied to OUs, so ServiceAccount2 falls back to the Default Domain Policy which only requires 7 characters. The third statement is No because the password P@$$w0rd1 is only 10 characters long, which fails the 16-character minimum requirement set in the Service Accounts Policy.

  Why the other options are not as suitable

  Statement 2 is incorrect as 'Yes' because ServiceAccount2 is not a member of the group targeted by the PSO, and PSOs do not inherit through OU membership. Statement 3 is incorrect as 'Yes' because while the password P@$$w0rd1 meets complexity requirements, it fails the length requirement of 16 characters defined in the PSO exhibit.

  Citations

  • https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-#fine_grained_pswd_policy_mgmt
  • https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy

• Question 6

  DRAG DROP -
  Your network contains an Active Directory Domain Services (AD DS) domain.
  You need to implement a solution that meets the following requirements:
  ✑ Ensures that the members of the Domain Admins group are allowed to sign in only to domain controllers
  ✑ Ensures that the lifetime of Kerberos Ticket Granting Ticket (TGT) for the members of the Domain Admins group is limited to one hour
  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
  Select and Place:
  
  

  Correct Answer: See interactive view.

  Explanation:

  I agree with the suggested answer shown in the second image. To implement Authentication Policies and Authentication Policy Silos, the domain must first support Claims, which requires a specific KDC configuration in Group Policy. Furthermore, Active Directory Administrative Center requires a policy to exist before it can be assigned to a silo.

  Reason

  Create an authentication policy is the necessary first step because a policy defines the TGT lifetime (1 hour) and must exist before it can be associated with a silo. Create an authentication policy silo comes next to provide the container that will enforce the relationship between the restricted users (Domain Admins) and the target hosts (Domain Controllers). Assign the authentication policy silo to user and computer accounts is the final step to bind the specific AD DS objects to the silo, ensuring the restrictions are active for those specific accounts.

  Why the other options are not as suitable

  Configure the Kerberos Policy settings for the Default Domain Policy Group Policy Object (GPO) is incorrect because while it can set a TGT lifetime, it applies domain-wide and cannot restrict sign-ins to specific hosts like Authentication Policy Silos can. Create a Dynamic Access Control claim type is a prerequisite step that occurs within the AD schema/configuration, but in the context of this specific sequence for silos, the core workflow focuses on the policy and silo objects themselves. Create a Dynamic Access Control central access policy is used for file system permissions and File Server Resource Manager, not for restricting Kerberos interactive sign-in locations or TGT lifetimes.

  Citations

  • https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts
  • https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos

• Question 7

  You have an Azure virtual machine named VM1 that runs Windows Server.
  You plan to deploy a new line-of-business (LOB) application to VM1.
  You need to ensure that the application can create child processes.
  What should you configure on VM1?
  

  • A. Microsoft Defender Credential Guard
  • B. Microsoft Defender Application Control
  • C. Microsoft Defender SmartScreen
  • D. Exploit protection

  Correct Answer: D

  Explanation:

  I agree with the suggested answer D. Exploit protection is a feature within Microsoft Defender for Endpoint that specifically includes a mitigation rule to prevent an application from creating child processes.

  Reason

  Option D is correct because Exploit protection provides a granular set of mitigations for both the operating system and individual applications. One of these specific application-level settings is Disallow child processes, which prevents an app from spawning new processes—a common technique used by malware to escalate privileges or maintain persistence.

  Why the other options are not as suitable

  • Option A is incorrect because Microsoft Defender Credential Guard uses virtualization-based security to isolate secrets (like NTLM password hashes and Kerberos Ticket Granting Tickets) to prevent pass-the-hash attacks, but it does not control process spawning.
  • Option B is incorrect because Microsoft Defender Application Control (WDAC) is a policy-based mechanism that determines which drivers and applications are allowed to run on a system based on digital signatures; it does not manage child process behavior for a running application.
  • Option C is incorrect because Microsoft Defender SmartScreen is a cloud-based anti-phishing and anti-malware component that checks URLs and files against a reputation list, primarily protecting users from downloading or running malicious files from the web.

  Citations

  • https://learn.microsoft.com/en-us/defender-endpoint/customize-exploit-protection
  • https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection-reference

• Question 8

  HOTSPOT -
  Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the organizational units (OUs) shown in the following table.
  
  In the domain, you create the Group Policy Objects (GPOs) shown in the following table.
  
  You need to implement IPsec authentication to ensure that only authenticated computer accounts can connect to the members in the domain. The solution must minimize administrative effort.
  Which GPOs should you apply to the Domain Controllers OU and the Domain Servers OU? To answer, select the appropriate options in the answer area.
  NOTE: Each correct selection is worth one point.
  Hot Area:
  
  

  Correct Answer: See interactive view.

  Explanation:

  I agree with the suggested answer. To ensure that only authenticated computer accounts can connect to the members in the domain while minimizing administrative effort, GPO1 should be applied to both the Domain Controllers and Domain Servers OUs.

  Reason

  The requirement is to ensure authentication (require it) for computer accounts. GPO1 uses Kerberos V5, which is the native and most efficient authentication method for Active Directory Domain Services (AD DS) environments. By selecting 'Require authentication', you ensure that only accounts capable of authenticating can establish a connection. Since all components (Domain Controllers, Servers, and Client Computers) are part of the contoso.com domain, they all support Kerberos V5 natively, making this the solution with the least administrative overhead.

  Why the other options are not as suitable

  GPO2 is incorrect because it only 'Requests' authentication; if a connection cannot authenticate, it will still be allowed to fall back to an unauthenticated state, failing the requirement to ensure only authenticated accounts connect. GPO3 is incorrect because it 'Requires' X.509 certificates, which involves significant administrative effort to deploy and manage a Public Key Infrastructure (PKI) compared to using existing Kerberos tickets. GPO4 is incorrect because it both 'Requests' (allowing unauthenticated fallback) and uses the more complex X.509 certificate method.

  Citations

  • https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-authentication-methods
  • https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/server-certificate-deployment

• Question 9

  You have 100 Azure virtual machines that run Windows Server. The virtual machines are onboarded to Microsoft Defender for Cloud.
  You need to shut down a virtual machine automatically if Microsoft Defender for Cloud generates the "Antimalware disabled in the virtual machine" alert for the virtual machine.
  What should you use in Microsoft Defender for Cloud?
  

  • A. a logic app
  • B. a workbook
  • C. a security policy
  • D. adaptive network hardening

  Correct Answer: A

  Explanation:

  I agree with the suggested answer. Logic Apps are the standard mechanism for automated remediation in Microsoft Defender for Cloud through the Workflow automation feature.

  Reason

  Option A is correct because Microsoft Defender for Cloud uses Workflow automation to trigger Azure Logic Apps in response to security alerts. A Logic App can be designed with a connector to perform actions such as shutting down an Azure Virtual Machine when a specific alert, like "Antimalware disabled in the virtual machine," is detected.

  Why the other options are not as suitable

  • Option B is incorrect because a workbook is used for data visualization, reporting, and monitoring within the Azure portal, not for triggering automated remediation actions.
  • Option C is incorrect because a security policy defines the desired configuration and compliance requirements, but it does not contain the logic to execute operational tasks like shutting down a VM.
  • Option D is incorrect because adaptive network hardening is a feature that provides recommendations to restrict Network Security Group (NSG) traffic based on machine learning patterns; it is not a general-purpose automation tool for responding to antimalware alerts.

  Citations

  • https://learn.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation

• Question 10

  You have a Microsoft Sentinel deployment and 100 Azure Arc-enabled on-premises servers. All the Azure Arc-enabled resources are in the same resource group.
  You need to onboard the servers to Microsoft Sentinel. The solution must minimize administrative effort.
  What should you use to onboard the servers to Microsoft Sentinel?
  

  • A. Azure Automation
  • B. Azure Policy
  • C. Azure virtual machine extensions
  • D. Microsoft Defender for Cloud

  Correct Answer: B

  Explanation:

  I agree with the suggested answer, Option B. Using Azure Policy is the most efficient way to onboard multiple Azure Arc-enabled servers at scale with minimal administrative effort.

  Reason

  Azure Policy allows you to assign a definition (such as 'Configure Azure Arc-enabled Windows machines to run Microsoft Sentinel') to a resource group or subscription. By using the deployIfNotExists effect, the policy automatically installs the required Log Analytics agent or Azure Monitor Agent and connects them to the workspace, ensuring all 100 servers are onboarded and remain compliant automatically.

  Why the other options are not as suitable

  • Option A is incorrect because while Azure Automation can run scripts to install agents, it requires more manual setup and maintenance of Runbooks compared to the native governance provided by policy.
  • Option C is incorrect because manually applying Azure virtual machine extensions to 100 individual servers would involve significant administrative effort and does not provide an automated way to ensure future servers are also onboarded.
  • Option D is incorrect because while Microsoft Defender for Cloud can assist with security posture, it typically uses Azure Policy under the hood for large-scale agent deployment; choosing Policy directly is the more fundamental and precise tool for the specific task of resource-wide onboarding.

  Citations

  • https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions-portal
  • https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard