AZ-140 : Configuring and Operating Windows Virtual Desktop on Microsoft Azure : Part 02
- Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a law firm that has a main office in Montreal and branch offices in Paris and Seattle. The Seattle branch office opened recently.
Contoso has an Azure subscription and uses Microsoft 365.
Existing Infrastructure. Active Directory
The network contains an on-premises Active Directory domain named contoso.com and an Azure Active Directory (Azure AD) tenant. One of the domain controllers runs as an Azure virtual machine and connects to a virtual network named VNET1. All internal name resolution is provided by DNS servers that run on the domain controllers.
The on-premises Active Directory domain contains the organizational units (OUs) shown in the following table.
The on-premises Active Directory domain contains the users shown in the following table.
The Azure AD tenant contains the cloud-only users shown in the following table.
Existing Infrastructure. Network Infrastructure
All the Azure virtual networks are peered. The on-premises network connects to the virtual networks.
All servers run Windows Server 2019. All laptops and desktop computers run Windows 10 Enterprise.
Since users often work on confidential documents, all the users use their computer as a client for connecting to Remote Desktop Services (RDS).
In the West US Azure region, you have the storage accounts shown in the following table.
Existing Infrastructure. Remote Desktop Infrastructure
Contoso has a Remote Desktop infrastructure shown in the following table.
Requirements. Planned Changes
Contoso plans to implement the following changes:
– Implement FSLogix profile containers for the Paris offices.
– Deploy a Windows Virtual Desktop host pool named Pool4.
– Migrate the RDS deployment in the Seattle office to Windows Virtual Desktop in the West US Azure region.
Requirements. Pool4 Configuration
Pool4 will have the following settings:
– Host pool type: Pooled
– Max session limit: 7
– Load balancing algorithm: Depth-first
– Images: Windows 10 Enterprise multi-session
– Virtual machine size: Standard D2s v3
– Name prefix: Pool4
– Number of VMs: 5
– Virtual network: VNET4
Requirements. Technical Requirements
Contoso identifies the following technical requirements:
– Before migrating the RDS deployment in the Seattle office, obtain the recommended deployment configuration based on the current RDS utilization.
– For the Windows Virtual Desktop deployment in the Montreal office, disable audio output in the device redirection settings.
– For the Windows Virtual Desktop deployment in the Seattle office, store the FSLogix profile containers in Azure Storage.
– Enable Operator2 to modify the RDP Properties of the Windows Virtual Desktop deployment in the Montreal office.
– From a server named Server1, convert the user profile disks to the FSLogix profile containers.
– Ensure that the Pool1 virtual machines only run during business hours.
– Use the principle of least privilege.
-
HOTSPOT
You are planning the deployment of Pool4.
What will be the maximum number of users that can connect to Pool4, and how many session hosts are needed to support five concurrent user sessions? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
You plan to implement the FSLogix profile containers for the Seattle office.
Which storage account should you use?
- storage2
- storage4
- storage3
- storage1
-
You have a Windows Virtual Desktop host pool named Pool1 and an Azure Storage account named Storage1. Storage1 stores FSLogix profile containers in a share folder named share1.
You create a new group named Group1. You provide Group1 with permission to sign in to Pool1.
You need to ensure that the members of Group1 can store the FSLogix profile containers in share1. The solution must use the principle of least privilege.
Which two privileges should you assign to Group1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- the Storage Blob Data Contributor role for storage1
- the List folder / read data NTFS permissions for share1
- the Modify NTFS permissions for share1
- the Storage File Data SMB Share Reader role for storage1
- the Storage File Data SMB Share Elevated Contributor role for storage1
- the Storage File Data SMB Share Contributor role for storage1
-
You have a Windows Virtual Desktop host pool.
You need to install Microsoft Antimalware for Azure on the session hosts.
What should you do?
- Add an extension to each session host.
- From a Group Policy Object (GPO), enable Windows 10 security features.
- Configure the RDP Properties of the host pool.
- Sign in to each session host and install a Windows feature.
-
HOTSPOT
You have a Windows Virtual Desktop deployment.
You need to ensure that all the connections to the managed resources in the host pool require multi-factor authentication (MFA).
Which two settings should you modify in a conditional access policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
HOTSPOT
Your company has the offices shown in the following table.
The company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1.
Users connect to a Windows Virtual Desktop deployment named WVD1. WVD1 contains session hosts that have public IP addresses from the 52.166.253.0/24 subnet.
Contoso.com has a conditional access policy that has the following settings:
Name: Policy1
Assignments:
– Users and groups: User1
– Cloud apps or actions: Windows Virtual Desktop
Access controls:
– Grant: Grant access, Require multi-factor authentication
Enable policy: On
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Windows Virtual Desktop host pool named Pool1 that is integrated with an Azure Active Directory Domain Services (Azure AD DS) managed domain.
You need to configure idle session timeout settings for users that connect to the session hosts in Pool1.
Solution: From an Azure AD DS-joined computer, you modify the AADDC Users GPO settings.
Does that meet the goal?
- Yes
- No
-
You have a Windows Virtual Desktop host pool named Pool1 that is integrated with an Azure Active Directory Domain Services (Azure AD DS) managed domain.
You need to configure idle session timeout settings for users that connect to the session hosts in Pool1.
Solution: From an Azure AD DS-joined computer, you modify the AADDC Computers GPO settings.
Does that meet the goal?
- Yes
- No
-
You have a Windows Virtual Desktop host pool named Pool1 that is integrated with an Azure Active Directory Domain Services (Azure AD DS) managed domain.
You need to configure idle session timeout settings for users that connect to the session hosts in Pool1.
Solution: From the Azure portal, you modify the Session behavior settings in the RDP Properties of Pool1.
Does that meet the goal?
- Yes
- No
- Case study
Overview
Contoso, Ltd. is a law firm that has a main office in Montreal and branch offices in Paris and Seattle. The Seattle branch office opened recently.
Contoso has an Azure subscription and uses Microsoft 365.
Existing Infrastructure. Active Directory
The network contains an on-premises Active Directory domain named contoso.com and an Azure Active Directory (Azure AD) tenant. One of the domain controllers runs as an Azure virtual machine and connects to a virtual network named VNET1. All internal name resolution is provided by DNS servers that run on the domain controllers.
The on-premises Active Directory domain contains the organizational units (OUs) shown in the following table.
The on-premises Active Directory domain contains the users shown in the following table.
The Azure AD tenant contains the cloud-only users shown in the following table.
Existing Infrastructure. Network Infrastructure
All the Azure virtual networks are peered. The on-premises network connects to the virtual networks.
All servers run Windows Server 2019. All laptops and desktop computers run Windows 10 Enterprise.
Since users often work on confidential documents, all the users use their computer as a client for connecting to Remote Desktop Services (RDS).
In the West US Azure region, you have the storage accounts shown in the following table.
Existing Infrastructure. Remote Desktop Infrastructure
Contoso has a Remote Desktop infrastructure shown in the following table.
Requirements. Planned Changes
Contoso plans to implement the following changes:
– Implement FSLogix profile containers for the Paris offices.
– Deploy a Windows Virtual Desktop host pool named Pool4.
– Migrate the RDS deployment in the Seattle office to Windows Virtual Desktop in the West US Azure region.
Requirements. Pool4 Configuration
Pool4 will have the following settings:
– Host pool type: Pooled
– Max session limit: 7
– Load balancing algorithm: Depth-first
– Images: Windows 10 Enterprise multi-session
– Virtual machine size: Standard D2s v3
– Name prefix: Pool4
– Number of VMs: 5
– Virtual network: VNET4
Requirements. Technical Requirements
Contoso identifies the following technical requirements:
– Before migrating the RDS deployment in the Seattle office, obtain the recommended deployment configuration based on the current RDS utilization.
– For the Windows Virtual Desktop deployment in the Montreal office, disable audio output in the device redirection settings.
– For the Windows Virtual Desktop deployment in the Seattle office, store the FSLogix profile containers in Azure Storage.
– Enable Operator2 to modify the RDP Properties of the Windows Virtual Desktop deployment in the Montreal office.
– From a server named Server1, convert the user profile disks to the FSLogix profile containers.
– Ensure that the Pool1 virtual machines only run during business hours.
– Use the principle of least privilege.
-
Which role should you assign to Operator2 to meet the technical requirements?
- Desktop Virtualization Session Host Operator
- Desktop Virtualization Host Pool Contributor
- Desktop Virtualization User Session Operator
- Desktop Virtualization Contributor
-
HOTSPOT
Which users can create Pool4, and which users can join session hosts to the domain? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
- Case study
Overview
Litware, Inc. is a pharmaceutical company that has a main office in Boston, United States, and a remote office in Chennai, India.
Existing Environment. Identity Environment
The network contains an on-premises Active Directory domain named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
The Azure AD tenant contains the users shown in the following table.
All users are registered for Azure Multi-Factor Authentication (MFA).
Existing Environment. Cloud Services
Litware has a Microsoft 365 E5 subscription associated to the Azure AD tenant. All users are assigned Microsoft 365 Enterprise E5 licenses.
Litware has an Azure subscription associated to the Azure AD tenant. The subscription contains the resources shown in the following table.
Litware uses custom virtual machine images and custom scripts to automatically provision Azure virtual machines and join the virtual machines to the on-premises Active Directory domain.
Network and DNS
The offices connect to each other by using a WAN link. Each office connects directly to the internet.
All DNS queries for internet hosts are resolved by using DNS servers in the Boston office, which point to root servers on the internet. The Chennai office has caching-only DNS servers that forward queries to the DNS servers in the Boston office.
Requirements. Planned Changes
Litware plans to implement the following changes:
– Deploy Windows Virtual Desktop environments to the East US Azure region for the users in the Boston office and to the South India Azure region for the users in the Chennai office.
– Implement FSLogix profile containers.
– Optimize the custom virtual machine images for the Windows Virtual Desktop session hosts.
– Use PowerShell to automate the addition of virtual machines to the Windows Virtual Desktop host pools.
Requirements. Performance Requirements
Litware identifies the following performance requirements:
– Minimize network latency of the Windows Virtual Desktop connections from the Boston and Chennai offices.
– Minimize latency of the Windows Virtual Desktop host authentication in each Azure region.
– Minimize how long it takes to sign in to the Windows Virtual Desktop session hosts.
Requirements. Authentication Requirements
Litware identifies the following authentication requirements:
– Enforce Azure MFA when accessing Windows Virtual Desktop apps.
– Force users to reauthenticate if their Windows Virtual Desktop session lasts more than eight hours.
Requirements. Security Requirements
Litware identifies the following security requirements:
– Explicitly allow traffic between the Windows Virtual Desktop session hosts and Microsoft 365.
– Explicitly allow traffic between the Windows Virtual Desktop session hosts and the Windows Virtual Desktop infrastructure.
– Use built-in groups for delegation.
– Delegate the management of app groups to CloudAdmin1, including the ability to publish app groups to users and user groups.
– Grant Admin1 permissions to manage workspaces, including listing which apps are assigned to the app groups.
– Minimize administrative effort to manage network security.
– Use the principle of least privilege.
Requirements. Deployment Requirements
Litware identifies the following deployment requirements:
– Use PowerShell to generate the token used to add the virtual machines as session hosts to a Windows Virtual Desktop host pool.
– Minimize how long it takes to provision the Windows Virtual Desktop session hosts based on the custom virtual machine images.
– Whenever possible, preinstall agents and apps in the custom virtual machine images.
-
You need to recommend an authentication solution that meets the performance requirements.
Which two actions should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Join all the session hosts to Azure AD.
- In each Azure region that will contain the Windows Virtual Desktop session hosts, create an Azure Active Directory Domain Services (Azure AD DS) managed domain.
- Deploy domain controllers for the on-premises Active Directory domain on Azure virtual machines.
- Deploy read-only domain controllers (RODCs) on Azure virtual machines.
- In each Azure region that will contain the Windows Virtual Desktop session hosts, create an Active Directory site.
-
DRAG DROP
You need to ensure that you can implement user profile shares for the Boston office users. The solution must meet the user profile requirements.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
Which two roles should you assign to Admin1 to meet the security requirements? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Desktop Virtualization Host Pool Contributor
- Desktop Virtualization Application Group Contributor
- Desktop Virtualization Workspace Contributor
- Desktop Virtualization Application Group Reader
- User Access Administrator
-
You have a Windows Virtual Desktop deployment.
You publish a RemoteApp named AppVersion1.
You need AppVersion1 to appear in the Remote Desktop client as Sales Contact Application.
Which PowerShell cmdlet should you use?
- New-AzADApplication
- Update-AzWvdApplicationGroup
- Register-AzWvdApplicationGroup
- Update-AzWvdApplication
-
You have a Windows Virtual Desktop deployment that contains the following:
– A host pool named Pool1
– Two session hosts named Host1 and Host2
– An application group named RemoteAppGroup1 that contains a RemoteApp named App1
You need to prevent users from copying and pasting between App1 and their local device.
What should you do?
- Create an AppLocker policy.
- Modify the locks of RemoteAppGroup1.
- Modify the locks of RemoteAppGroup1.
- Modify the RDP Properties of Pool1.
-
HOTSPOT
Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. The domain contains the users shown in the following table.
You have a Windows Virtual Desktop deployment that contains the application groups shown in the following table.
You have the workspaces shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
-
You have a Windows Virtual Desktop host pool that contains two session hosts. The Microsoft Teams client is installed on each session host.
You discover that only the Microsoft Teams chat and collaboration features work. The calling and meeting features are disabled.
You need to ensure that users can set the calling and meeting features from within Microsoft Teams.
What should you do?
- Install the Remote Desktop WebRTC Redirector Service.
- Configure Remote audio mode in the RDP Properties.
- Install the Teams Meeting add-in for Outlook.
- Configure audio input redirection.
-
You have a Windows Virtual Desktop host pool that contains 20 Windows 10 Enterprise multi-session hosts.
Users connect to the Windows Virtual Desktop deployment from computers that run Windows 10.
You plan to implement FSLogix Application Masking.
You need to deploy Application Masking rule sets. The solution must minimize administrative effort.
To where should you copy the rule sets?
- the FSLogix profile container of each user
- C:\Program Files\FSLogix\Apps\Rules on every Windows 10 computer
- C:\Program Files\FSLogix\Apps\Rules on every session host
-
You have a Windows Virtual Desktop host pool named Pool1.
You are troubleshooting an issue for a Remote Desktop client that stopped responding.
You need to restore the default Remote Desktop client settings and unsubscribe from all workspaces.
Which command should you run?
- msrdcw
- resetengine
- mstsc
- resetpluginhost
-
Your network contains an on-premises Active Directory domain and a Windows Virtual Desktop deployment. The computer accounts for all the session hosts are in an organizational unit (OU) named WVDHostsOU. All user accounts are in an OU named CorpUsers.
A domain administrator creates a Group Policy Object (GPO) named Policy1 that only contains user settings. The administrator links Policy1 to WVDHostsOU.
You discover that when users sign in to the session hosts, none of the settings from Policy1 are applied.
What should you configure to apply GPO settings to the users when they sign in to the session hosts?
- loopback processing
- FSLogix profiles
- mandatory Roaming User Profiles
- restricted groups
-
You have a Windows Virtual Desktop deployment.
You need to provide external users with access to the deployment. The external users have computers that run Windows 10 Pro and Windows 10 Enterprise. The users do not have the ability to install applications.
What should you recommend that the users use to connect to the deployment?
- Microsoft Edge
- RemoteApp and Desktop Connection
- Remote Desktop Manager
- Remote Desktop Connection
-
Your network contains an on-premises Active Directory domain. The domain contains a universal security group named WVDusers.
You have a hybrid Azure Active Directory (Azure AD) tenant. WVDusers syncs to Azure AD.
You have a Windows Virtual Desktop host pool that contains four Windows 10 Enterprise multi-session hosts.
You need to ensure that only the members of WVDusers can establish Windows Virtual Desktop sessions to the host pool.
What should you do?
- Assign WVDusers to an Azure role scoped to each host pool.
- On each session host, add WVDusers to the local Remote Desktop Users group.
- Assign WVDusers to an Azure role scoped to the session hosts.
- Assign WVDusers to an application group.
-
You deploy multiple Windows Virtual Desktop session hosts that have only private IP addresses.
You need to ensure that administrators can initiate an RDP session to the session hosts by using the Azure portal.
What should you implement?
- Remote Desktop Connection Broker (RD Connection Broker)
- Azure Application Gateway
- Azure Bastion
- Remote Desktop Session Host (RD Session Host)