chap 9
You are using Azure Update Management, and the update will affect the hosted virtual machines. How many days do you have to determine the best time to manually apply the updates?
35
The system and user worker type is limited to how many machines?
4000
An Azure Connected Machine agent sends a heartbeat message to the Azure Arc service. Which port would need to be allowed through the firewall for the message to be received?
443
Which of the following BEST describes a Kubernetes cluster?
A group of containerized applications.
When Defender for Cloud detects potential threats, the threat is classified into different levels. Match the threat level on the left with the description on the right. (Each item may be used once, more than once, or not at all.)
A hybrid network resource has most likely been compromised. High Suspicious activity has been detected. Medium A potential minor threat has been detected. Low Additional information provided about a potential threat. Informational This threat needs to be addressed immediately. correct answer: Medium
When assigning a policy in the Azure portal, you are asked to specify the scope and any exclusions. Which of the following describes the scope?
Allows the policy to be limited to a particular resource group.
Which of the following Azure Monitor Insights resources lets you detect which features are being used in an application?
Application Insights
Defender for Cloud Recommendations is based on Azure security policies. What are the two main policy types that are utilized? (Select two.)
Audit Enforce
Once policies have been defined and configured, Azure Policy is used to audit network resources for compliance using the Guest Configuration policy. Which of the following ways can the policy be deployed? (Select two.)
Azure Arc servers have the client installed. Virtual machines use the Guest configuration VM extension.
In order to collect log data for Azure Monitor, you have installed the Azure Log Analytics Agent. Having this agent installed also makes it possible for the log data to be used by other services besides Azure Monitor. Which of the following are services that can use the log data when the Azure Log Analytics Agent is installed?
Azure Automation Microsoft Defender for Cloud
Which of the following allows the administrator to write, manage, and compile PowerShell Desired State Configuration (DSC) scripts?
Azure Automation State Configuration
You are using Azure Arc to monitor the health and performance of your network resources and gather and analyze log files. Which of the following Azure Arc tools are you using to perform these tasks?
Azure Monitor
Which of the following BEST describes shared capabilities?
Azure resources that can be integrated into Azure Automation runbooks to make them more useful and powerful.
When assigning a policy, a required field specifies the policy definition. What are the two ways to assign a policy definition? (Select two.)
Build-in policy definitions Custom policy definitions
Which of the following are container runtimes supported by Azure Monitor Container Insights?
CRI compatible Moby
Which of the following monitors Azure resources, including Azure virtual machines, on-premises machines, and cloud environments?
Change Tracking and Inventory
What are the main components of Azure's configuration management? (Select two.)
Change Tracking and Inventory Automation State Configuration
Azure Policy can be used to apply the Desired State Configuration (DSC) for all Azure VMs, and Azure Arc-enabled servers. The Desired State Configuration defines what software should be installed and what customizations should be applied to these resources. Using Azure Policy to define and apply the DSC ensures that these resources will remain in compliance and avoids which of the following?
Configuration drift
Which of the following BEST describes a runbook?
Consist of multiple scripts that make up a workflow to complete a task.
You have a PowerShell script that starts a remote session on server, and then attempts to connect to a second computer to pull some necessary files for the script to complete successfully. However, this prevents Kerberos from passing along your credentials to the second machine and the script fails. This is known as a Kerberos second hop issue. You want to resolve the issue by caching your credentials on the first server so they can be encrypted and sent to the second server. Which of the following second hop solutions meets your requirements?
Credential Security Support Provider (CredSSP)
A network administrator is configuring PowerShell remoting to access a Windows 2008 server. What cmdlet must be executed on the remote server before PowerShell remoting can be used?
Enable-PSRemoting
The network administrator for CorpNet.xyz needs to start a PowerShell remoting session with an on-premises web server named CorpWeb. What cmdlet do you need to execute? (Include the option and parameters necessary to access the specified server.)
Enter-PSSession -ComputerName CorpWeb
Azure Policy evaluates a network resource when it is created or a policy assignment is updated, created, or assigned to a resource. How often is a resource evaluated after the initial evaluation?
Every 24 hours
As a network administrator, you have just registered two new on-premises servers in Azure Arc. How often will the Azure Connected Machine agent send a heartbeat message from the newly added servers to the Azure Arc service?
Every 5 minutes.
Which Windows Admin Center installation type is similar to a gateway server installation?
Failover Cluster installation
You want to install Windows Admin Center (WAC) on your server cluster to make sure you always have access to the management system. Which of the following WAC installation types would work BEST for you?
Failover cluster installation
Which of the following are benefits of enrolling SQL databases into Azure Arc? (Select two.)
Flexible scaling options A platform as a service experience
What are the two methods to install the Hybrid Runbook Worker agent?
For this method, before the Hybrid Runbook Worker agent is installed a Azure Monitor Log Analytics Workspace must be configured, and then the Log Analytics Agent must be installed. Phyical Server This method is the recommended option, as neither the Azure Monitor Log Analytics Workspace or Log Analytics Agent needs to be installed and configured. Virtual Server
Windows Admin Center Gateway server was recently installed, and you want to access the web portal. Which web browsers are supported? (Select two.)
Google Chrome Microsoft Edge
Runbooks can be used with any Azure resource by default. To use a runbook with a non-Azure resource, what must be installed?
Hybrid Runbook Worker agent
Match each insight on the left with its associated description on the right. (Each item may be used once, more than once, or not at all.)
Identifies potential security issues that are currently being researched. Preview Recommendations Can be automatically applied to fix the related security issue. Fix Insights Can be configured to automatically deploy a policy that will fix a security issue as soon as a non-compliant resource is created. Enforce Insights Can be configured to prevent non-compliant resources from being created. Deny Insights
As the network administrator, you have implemented Defender for Cloud. Which of the following are the two main goals for Defender for Cloud? (Select two.)
Improve the current security posture. Understand the current security posture.
As a network administrator, you can click on the Defender for Cloud secure score and see a detailed report with recommendations to fix each security issue and improve the score. What are these fixes known as?
Insights
Which of the following is a method you can use to enable an application to be monitored by Azure Monitor Application Insights?
Install an SDK package into the application itself.
Defender for Cloud can actively monitor all hybrid network resources for potential security issues. Which of the following is an active monitoring technique?
Integrated threat intelligence
As the network administrator, you have implemented Kubernetes Clusters. You want to use Azure Arc to simplify the management of these clusters. Which of the following management capabilities does Azure Arc provide to control the cluster configuration and workloads? (Drag Kubernetes Clusters on the left to each applicable capability on the right. There may be some listed capabilities that do not apply.)
Inventory Kubernetes Clusters Monitoring Kubernetes Clusters Policy compliance Kubernetes Clusters User access Kubernetes Clusters Kubernetes Clusters correct answer: Security Kubernetes Clusters
Which of the following formats is used to create the Azure Policy definitions?
JavaScript Object Notation (JSON)
You have a PowerShell script that starts a remote session on server, and then attempts to connect to a second computer to pull some necessary files for the script to complete successfully. However, this prevents Kerberos from passing along your credentials to the second machine and the script fails. This is known as a Kerberos second hop issue. You want to resolve the issue by specifying what cmdlets and permissions you (and other network admins) can have access to in PowerShell. Which of the following second hop solutions meets your requirements?
Just Enough Administration (JEA)
You want to find specific information in the Azure resources logs. What can you use to run queries on the log information?
Kusto Query Language
Which Windows Admin Center (WAC) installation type works BEST for testing and small-scale deployments?
Local Client installation
You want to install Windows Admin Center (WAC) directly onto one of the managed servers to remotely manage the server as well as the cluster it belongs to. Which WAC installation type would work BEST to meet your requirements?
Managed server installation
Azure policy definitions are defined and applied to Azure resources. Which items on the right can a policy definition be assigned to, and which cannot have a policy definition assigned? (Each item on the left may be used more than once.)
Management groups Policy definitions can be assigned. Subscriptions Policy definitions can be assigned. Resource groups Policy definitions can be assigned. Azure VMs and Arc-enabled servers Policy definitions can be assigned. Workspaces Policy definitions cannot be assigned. App Services Policy definitions cannot be assigned.
You are viewing different data types in line graphs and pinning these graphs to the Azure Dashboard. Which type of Azure Monitor data is being used to create the line graphs?
Metrics
You are using Azure Arc to collect data from all network resources, detect and investigate threats using AI, and respond to incidents rapidly. Which of the following Azure Arc tools are you using to perform these tasks?
Microsoft Sentinel
Which of the following BEST describes Azure Monitor?
Monitors and collects data from hybrid network resources such as applications, containers, and virtual machines.
A network administrator wants to create a session configuration that will protect the computer and prevent unauthorized access while using PowerShell remoting. What command cmdlet is used to create a new session configuration file?
New-PSSessionConfigurationFile
When assigning a policy to a newly created resource, does a remediation task need to be specified?
No. The policy will take effect on newly created resources.
Azure Monitor VM Insights supports VMs that are hosted in which of the following? (Select two.)
On-premises Azure Arc
As part of the Windows Admin Center (WAC) configuration process, target computers need to be added. Which of the following target servers can be managed using WAC? (Each item may be used once, more than once, or not at all.)
Physical servers Managed by Windows Admin Center Azure based servers Managed by Windows Admin Center Hyper-V virtual servers Managed by Windows Admin Center Server clusters Managed by Windows Admin Center Hyper-Converged Infrastructure Managed by Windows Admin Center
When installing Windows Admin Center, which inbound and outbound ports should be opened on the firewall? (Select two.)
Port 445 Inbound TCP Port 443 Outbound
Windows Admin Center (WAC) can be integrated with Azure Hybrid Services, allowing WAC to be accessed through the Azure portal. Many Azure tools can be consolidated into one central location, which allows Azure virtual machines to be created directly from WAC. Which tool can you use to perform these tasks through WAC?
PowerShell
A network administrator needs to run a command or set of commands on a remote machine and get the results back quickly without establishing a Remote Desktop session. Which of the follow is the BEST choice to accomplish this task? (Select two.)
PowerShell scripts PowerShell cmdlets
Which of the following occurs when you execute the Enable_PSRemoting cmdlet? (Select two.)
PowerShell session endpoints are defined. An HTTP listener is defined on the remote machine.
Your network is utilizing Windows Active Directory and Kerberos. You have a PowerShell script that performs several tasks using PowerShell remoting. You want to resolve any second hop issues by configuring delegation on a server object instead of on an account. Which of the following Kerberos delegation types would you need to use?
Resource-based delegation
You are using Azure Automation to run scripts with your onboarded Azure Arc network resources. What are you using to define the scripts and steps needed to complete a specific Azure Automation task?
Runbook
The Microsoft Defender for Cloud is accessed through the Azure portal. Which of the following are Cloud Security features that can be accessed through the portal? (Select two.)
Security posture Regulatory compliance
Defender for Cloud includes pre-built workbooks. Which of the following is an included workbook?
Security score over time
As part of the Defender for Cloud, Microsoft has security and data teams that constantly monitor the threat landscape. Which of the following technique is used by these teams?
Sharing insights between multiple teams and security specialists.
You are using Azure Arc to manage virtual machine extensions. Which of the following BEST describes virtual machine extensions?
Small applications that provide post-deployment configurations such as installing a specific program or service.
Policies can be assigned using Azure Arc. What ways can a policy be applied to Arc servers? (Select two.)
Specific servers Universally
You have just registered two Linux virtual servers that you want to manage using Azure Arc. Which of the following happened during the registration process to make these servers manageable by Azure Arc? (Select two.)
The servers were assigned Resource IDs. The servers were placed into a resource group inside an Azure subscription.
Each Hybrid Runbook Worker server is assigned to a Hybrid Runbook Worker Group. Each of these groups can consist of a single worker or multiple if high availability is needed. What are the two types of workers?
This worker type supports a set of hidden runbooks that uses the Update Management feature and does not work with anything else. -System This worker type supports user-defined runbooks that are designed to run on Windows or Linux machines that are members of Runbook Worker Groups. -Runbook
Which of the following methods are used to deploy DSC using Azure Policy? (Select two.)
Virtual machines using a VM extension. Arc-enabled servers using PowerShell to deploy the DSC.
You are the administrator of a hybrid server environment. You have a Windows Server 2012 machine you are planning to use to install Windows Admin Center. Which of the following do you need to update before installation?
Windows Management Framework (WMF)
Which of the following services must be enabled and set to auto-start for PowerShell remoting to work?
Windows Remote Management (Win-RM) service
Azure Monitor Containers Insights works clusters that are running on which versions of Windows Server?
Windows Server 2019 and newer
When a PowerShell remoting session involves a second hop to pull files from a second computer, Kerberos is unable to pass the administrator's credentials to the second machine. This is known as the Kerberos second hop problem. There are several solutions available for this type of issue. Match the solution on the left with the definition on the right.
Works with Active Directory and is more secure than CredSSP but is more complicated. Kerberos delegation Used on the remote server to provide the necessary credentials and effectively ignores the second hop issue. RunAsCredential parameter Passes the credentials to the remote server but requires some awkward syntax and is not ideal for running multiple commands. Invoke-Command script block Limits which cmdlets and permissions a user will have access to in PowerShell. Is configured on every server along the path. Just Enough Administration (JEA) Caches the credentials on the remote server and passes encrypted credentials to the second server. Credential Security Support Provider (CredSSP)
As the network administrator, you want to add a non-Azure server to Defender for Cloud. Which of the following is required as part of the server onboarding process?
Workspace
Which of the following is a benefit of using Azure Monitor Insights?
You can view how a resource is performing and identify potential problems.
