 

Microsoft - AZ-140: Configuring and Operating Microsoft Azure Virtual Desktop

Sample Questions

Question: 194
Measured Skill: Plan and implement identity and security (15–20%)

You have an Azure Virtual Desktop deployment that has just-in-time (JIT) VM access enabled.

You need to request access to a session host by using JIT VM access.

Which three virtual machine settings can you use to request access?

(To answer, select the appropriate settings in the answer area. NOTE: Each selection is worth one point.)


A Networking
B Connect
C Microsoft Defender for Cloud
D Configuration
E Identity
F Properties

Correct answer: B, C, D

Explanation:

You can use Microsoft Defender for Cloud's just-in-time (JIT) access to protect your Azure virtual machines (VMs) from unauthorized network access. Many times firewalls contain allow rules that leave your VMs vulnerable to attack. JIT lets you allow access to your VMs only when the access is needed, on the ports needed, and for the period of time needed.

When a VM has JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT. You can request access using the Connect, the Microsoft Defender for Cloud, or the Configuration settings. The Configuration settings will guide you to the Microsoft Defender for Cloud settings.

Reference: Enable just-in-time access on VMs



Question: 195
Measured Skill: Plan and implement identity and security (15–20%)

You have an Azure Virtual Desktop host pool that contains 20 Windows 11 session hosts.

You create a Windows Defender Application Control (WDAC) policy named Policy1.xml.

You need to deploy Policy1.xml to the session hosts.

How should you prepare the policy, and to where should you copy the policy?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A To prepare the policy: Compress Policy1.xml
Copy the policy to: C:\Windows\System32\Configuration
B To prepare the policy: Compress Policy1.xml
Copy the policy to: C:\Windows\System32\AppLocker
C To prepare the policy: Convert Policy1.xml to its binary form
Copy the policy to: C:\System32\CodeIntegrity\CIPolicies\Active\
D To prepare the policy: Convert Policy1.xml to its binary form
Copy the policy to: C:\Windows\SystemRessources\Windows\UI.AccountsControl
E To prepare the policy: Digitally sign Policy1.xml
Copy the policy to: C:\Windows\System32\Configuration
F To prepare the policy: Digitally sign Policy1.xml
Copy the policy to: C:\Windows\SystemRessources\Windows\UI.AccountsControl

Correct answer: C

Explanation:

Before you deploy your WDAC policies, you must first convert the XML to its binary form. You can do this using PowerShell. The binary file must then be deployed to the C:\System32\CodeIntegrity\CIPolicies\Active\ file path on each destination computer. The policy gets activated with a system restart.

References:

Deploying Windows Defender Application Control (WDAC) policies

Deploy WDAC policies using script



Question: 196
Measured Skill: Plan and implement user environments and apps (20–25%)

You have an Azure Virtual Desktop deployment that contains 10 session hosts and a RemoteApp named App1.

You have users that connect to the deployment by using the clients shown in the following table.



You enable screen capture protection on all the session hosts.

Which users can connect to a session host by using the full desktop, and which users can connect to App1?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Full desktop: User2 only
App1: User2 and User3 only
B Full desktop: User1 and User4 only
App1: User1, User2, and User3 only
C Full desktop: User2 and User3 only
App1: User1, User2, User3, and User4
D Full desktop: User1, User2, and User3 only
App1: User2 only
E Full desktop: User1, User2, User3, and User4
App1: User1 and User4 only
F Full desktop: User1, User2, User3, and User4
App1: User1, User2, User3, and User4

Correct answer: E

Explanation:

Screen capture protection, alongside watermarking, helps prevent sensitive information from being captured on client endpoints through a specific set of operating system (OS) features and Application Programming Interfaces (APIs). When you enable screen capture protection, remote content is automatically blocked in screenshots and screen sharing.

Screen capture protection does not prevent Remote Desktop clients from connecting to a session host.

There are some differences between the features of each of the Remote Desktop clients when connecting to Azure Virtual Desktop. Below you can find information about what these differences are.

References:

Enable screen capture protection in Azure Virtual Desktop

Compare the features of the Remote Desktop clients when connecting to Azure Virtual Desktop

Remote Desktop clients for Azure Virtual Desktop



Question: 197
Measured Skill: Plan and implement an Azure Virtual Desktop infrastructure (40–45%)

You have an Azure Virtual Desktop deployment and the Azure Storage accounts shown in the following table.



You plan to create FSLogix profile containers and store the containers in the storage accounts.

You need to identify which storage accounts support the FSLogix profile containers, and then order the accounts from highest to lowest redundancy.

Which three storage accounts should you identify in sequence?

(To answer, move the appropriate accounts from the list of accounts to the answer area and arrange them in the correct order.)


A 1. storage1
2. storage5
3. storage2
B 1. storage3
2. storage4
3. storage2
C 1. storage5
2. storage2
3. storage1
D 1. storage2
2. storage5
3. storage1

Correct answer: A

Explanation:

Azure offers multiple storage solutions that you can use to store your FSLogix profile container. 

Using an Azure Storage account, we can choose a premium file share or a standard file share (part of a StorageV2 account).

The following redundancy options are supported (sorted from lowest to highest redundancy):

  • Locally redundant (LRS)
  • Zone-redundant (ZRS)
  • Geo-redundant (GRS)
  • Geo-zone-redundant (GZRS)

References:

Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Microsoft Entra Domain Services

Storage options for FSLogix profile containers in Azure Virtual Desktop



Question: 198
Measured Skill: Plan and implement an Azure Virtual Desktop infrastructure (40–45%)

You have an Azure subscription that contains an Azure Compute Gallery named Gallery1 and a virtual machine named Template1. Template1 has custom apps and settings configured.

You plan to deploy Azure Virtual Desktop session hosts by using a custom virtual machine image.

The solution must meet the following requirements:
  • The custom image must be stored in Gallery1.
  • The custom image must be based on Template1.
  • All new session hosts must have unique computer names and identifiers.
You need to create the custom image.

What should you do in the Azure portal?

A From Gallery1, create a new VM application definition.
B From Gallery1, create a new VM image definition.
C From Template1, capture a generalized virtual machine image.
D From Template1, capture a specialized virtual machine image.

Correct answer: C

Explanation:

Before you can deploy a Windows image to new PCs, you have to first generalize the image. Generalizing the image removes computer-specific information such as installed drivers and the computer security identifier (SID). You can either use Sysprep by itself or Sysprep with an unattend answer file to generalize your image and make it ready for deployment.

Reference: Sysprep (Generalize) a Windows installation





 
 
 

© Copyright 2014 - 2024 by cert2brain.com