Test questions

    Question

  • Hello!

    Help me please clarify a couple of questions:

    1) You have two Hyper-V servers:

        Server1: UEFI version = 2.3.1; TPM version = 2.0; Type = Physical
        Server2: UEFI version = 2.3.2; TPM version = 2.0; Type = Generation 2 VM

    On which server(s) can you enable Credential Guard?

    My answer (based on this documentation): on Server1 and Server2.

    The right answer: only on Server2.  Why???

    2) You need to allow inbound TCP (port 5055) connections to PC1 for Application1 only when the computer is connected to the corporate network. You add the following rule:

     New-NetFirewallRule -DisplayName "Application1" -Direction Inbound -LocalPort 5055 -Protocol TCP -Action allow -Profile Domain

    Does this meet the goal?

    My answer - Yes. The right answer - No. Why???

    Thank you in advance,
    Michael


    • Edited by MF47 Friday, March 23, 2018 8:08 AM
    Friday, March 23, 2018 8:07 AM

All replies

  • Hi ,

    These questions are easy to get wrong.

    For Q1's Server 1: as a physical Hyper-V server, it is also a Hyper-V host, so in addition to the UEFI and TPM requirements, the following requirement must also be met:
    --------------------------------------------------------

    The Hyper-V host must have an IOMMU.

    For Server 2, it meets all the conditions. So the right answer is: Only on Server2.
     

    For the second question, I have tested the command in my environment; this command applies to all programs, not to the specific application. See below.

    The command is applied to all programs, but the question required a command applied to Application1 only, so the answer is wrong. You can also test it on your machine.
     
    If you have any questions about the above information, please feel free to let me know.
     

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, March 26, 2018 7:13 AM
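    As an added example (not code from the thread or from Microsoft's documentation), the following PowerShell shows why the rule in Q2 falls short and what a rule scoped to Application1 looks like. It assumes an elevated session on Windows 10 / Server 2016 with the NetSecurity module, and the executable path is an assumed placeholder.

    ```powershell
    # Added example, not from the thread. Requires an elevated PowerShell session on Windows.
    # The executable path below is an ASSUMED placeholder; substitute the real Application1 binary.
    $appPath = 'C:\Program Files\Contoso\Application1\Application1.exe'

    # 1) The rule exactly as posted in the question. The display name says "Application1",
    #    but no -Program is given, so any process listening on TCP 5055 is reachable
    #    whenever the Domain profile is active.
    New-NetFirewallRule -DisplayName "Application1" -Direction Inbound -LocalPort 5055 `
        -Protocol TCP -Action Allow -Profile Domain | Out-Null

    # Inspect what the rule is really scoped to: the application filter reports Program = Any.
    Get-NetFirewallRule -DisplayName "Application1" |
        Get-NetFirewallApplicationFilter |
        Select-Object Program

    # 2) A rule that meets the stated goal: same port and profile, but bound to the executable
    #    with -Program, so only Application1 receives the inbound connections.
    Remove-NetFirewallRule -DisplayName "Application1"
    New-NetFirewallRule -DisplayName "Application1" -Direction Inbound -LocalPort 5055 `
        -Protocol TCP -Action Allow -Profile Domain -Program $appPath | Out-Null

    # Verify the scope: Program now shows the executable, port and profile are unchanged.
    $rule = Get-NetFirewallRule -DisplayName "Application1"
    $rule | Get-NetFirewallApplicationFilter | Select-Object Program
    $rule | Get-NetFirewallPortFilter        | Select-Object Protocol, LocalPort
    $rule | Select-Object DisplayName, Direction, Action, Profile
    ```

    The check in step 1 is the one to run whenever a rule name implies a per-application scope: the display name is only a label, and the real scope lives in the rule's application filter.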
  • Hi Michael,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.                  

    Best Regards,

    Candy



    Tuesday, March 27, 2018 1:27 AM
  • Hi Candy,

    Thank you very much for your explanations!

    Regarding Q2: I agree - I've confused the rule name "Application1" with the application itself, but I don't understand why I must admit that the Hyper-V host from Q1 does NOT have IOMMU: the question does not say anything about it, so the examinee is expected to provide the answer based on the information provided ONLY - why should I make any assumptions regarding any other options/conditions???

    In other words, should I think that if any parameter/option/condition is not mentioned explicitly in a question I must admit it does not exist/is off?

    Regards,

    Michael




    • Edited by MF47 Tuesday, March 27, 2018 2:02 PM
    Tuesday, March 27, 2018 1:57 PM
  • Hi Michael,

    Thanks for your reply.

    It is really easy to choose the wrong answer here; therefore, when answering a question, we should understand what the question's subject wants to check.

    So let's look at the question: it gives two servers, one is a virtual machine, and the other is a Hyper-V host. What the issuer wants to examine is which conditions must be met so that we can enable Credential Guard.

    Let’s see the conditions as below.


    The conditions that must be met are that the host must have an IOMMU, and the VM must be generation 2 with TPM enabled.

    Let’s see the two servers as below.
    --------------------------------------
    Server1: UEFI version = 2.3.1; TPM version = 2.0; Type = Physical
    Server2: UEFI version = 2.3.2; TPM version = 2.0; Type = Generation 2 VM

    It is clear that the VM meets the necessary conditions and the host does not. Of course, the question did not say that there is no IOMMU on Server 1. But can you be sure that Server 1 has an IOMMU? No, you cannot be sure. So the answer is wrong.

    For problem 2, the questioner clearly stated that the requirement applied to Application1 only. Obviously the result does not, so it is also wrong.

    ===========================================================================================

    You need to allow inbound TCP (port 5055) connections to PC1 for Application1 only when the computer is connected to the corporate network. You add the following rule:

    New-NetFirewallRule -DisplayName "Application1" -Direction Inbound -LocalPort 5055 -Protocol TCP -Action allow -Profile Domain

    Does this meet the goal?

    If we are not sure whether this condition is included, we could say yes or no; the answer is not certain. So why would we consider this answer to be correct? No, it is not. All of these answers are considered wrong. Unfulfilled conditions are also false propositions. So we must meet all conditions.

    Hope that I have made it clear.

    Best Regards,

    Candy




    Friday, March 30, 2018 2:40 AM
  • Hi Michael,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.               

    Best Regards,

    Candy



    Tuesday, April 3, 2018 1:39 AM
  • Hi Candy,

    Thank you very much for your help!

    Regards,

    Michael

    Wednesday, April 4, 2018 11:00 AM
  • Hello!

    Sorry - I haven't noticed it earlier: IOMMU is only required IN VIRTUAL MACHINES - NOT for the physical hosts!

    So why is my answer to Q1 wrong???

    Regards,
    Michael

    Friday, April 6, 2018 11:02 AM
  • Hi Michael,

    Thanks for your reply.

    See Hyper-V Server 1's information below.

    Server1: UEFI version = 2.3.1; TPM version = 2.0; Type = Physical

    As Server1 is a physical machine, it must be a Hyper-V host.

    The title may be somewhat ambiguous; you can refer to the following link to see more information about IOMMU.

    System requirements for Hyper-V on Windows Server 2016
    ------------------------------------------------------------------------------
    https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/system-requirements-for-hyper-v-on-windows

    Best Regards,

    Candy



    Monday, April 9, 2018 9:31 AM
  • Hi Candy,

    Thank you for the link!

    I've found only the following HV general requirements:

    General requirements

    Regardless of the Hyper-V features you want to use, you'll need:

    • A 64-bit processor with second-level address translation (SLAT). To install the Hyper-V virtualization components such as Windows hypervisor, the processor must have SLAT. However, it's not required to install Hyper-V management tools like Virtual Machine Connection (VMConnect), Hyper-V Manager, and the Hyper-V cmdlets for Windows PowerShell. See "How to check for Hyper-V requirements," below, to find out if your processor has SLAT.

    • VM Monitor Mode extensions

    • Enough memory - plan for at least 4 GB of RAM. More memory is better. You'll need enough memory for the host and all virtual machines that you want to run at the same time.

    • Virtualization support turned on in the BIOS or UEFI:

      • Hardware-assisted virtualization. This is available in processors that include a virtualization option - specifically processors with Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) technology.

      • Hardware-enforced Data Execution Prevention (DEP) must be available and enabled. For Intel systems, this is the XD bit (execute disable bit). For AMD systems, this is the NX bit (no execute bit).

    - this list does not contain IOMMU. IOMMU appears only as a requirement for the shielded VMs, but that is not the case here, as the question is about Credential Guard...

    Regards,
    Michael

    Tuesday, April 10, 2018 8:26 AM
  • Hi Michael,

    Sorry I forgot to attach the screenshot.

    Please see as below:

    This picture is the content of the link I just intercepted.

    Best Regards,

    Candy



    Tuesday, April 10, 2018 8:51 AM
  • Hi Candy,

    Yes, I've seen it, but it is the requirement for the Hyper-V host containing shielded VMs (MS calls it "Requirements for specific features") - the host in the question is NOT supposed to contain any shielded VMs, so only the general requirements for Hyper-V hosts should apply and they do NOT mention IOMMU!

    Regards,
    Michael


    • Edited by MF47 Wednesday, April 11, 2018 6:59 AM
    Wednesday, April 11, 2018 6:59 AM
  • Hi Michael,

    The last link is just for your reference for information on IOMMU.

    See below. The requirement for running Windows Defender Credential Guard is that the Hyper-V host must have an IOMMU.

    For a physical Hyper-V host machine, Device Guard must meet its requirements to deliver the security of running Windows Defender Credential Guard.
    One of them is: The Hyper-V host must have an IOMMU, so the hypervisor can provide direct memory access (DMA) protection.

    Best Regards,

    Candy

     



    Thursday, April 12, 2018 2:51 AM
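    The disagreement above turns on whether a host can be assumed to have an IOMMU. As an added example (not code from the thread), the following PowerShell function queries the machine's own report of its virtualization-based security properties through the documented Win32_DeviceGuard CIM class, so that DMA protection (the IOMMU capability the thread discusses) is checked rather than assumed. The property and service codes are taken from Microsoft's documentation for that class; the function name is my own.

    ```powershell
    # Added example, not from the thread. Reads the Win32_DeviceGuard class (root\Microsoft\Windows\DeviceGuard)
    # to report which VBS properties the host actually exposes, including DMA protection (IOMMU).
    function Get-CredentialGuardReadiness {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

        # AvailableSecurityProperties codes as documented for Win32_DeviceGuard
        $propertyNames = @{
            1 = 'Hypervisor support'
            2 = 'Secure Boot'
            3 = 'DMA protection (IOMMU)'
            4 = 'Secure Memory Overwrite'
            5 = 'NX protections'
            6 = 'SMM mitigations'
            7 = 'Mode Based Execution Control'
        }
        # SecurityServicesConfigured / SecurityServicesRunning codes
        $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }

        # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
        $vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
            0       { 'Not enabled' }
            1       { 'Enabled, not running' }
            2       { 'Enabled and running' }
            default { 'Unknown' }
        }

        $available  = @($dg.AvailableSecurityProperties)  | ForEach-Object { [int]$_ }
        $configured = @($dg.SecurityServicesConfigured)   | ForEach-Object { [int]$_ }
        $running    = @($dg.SecurityServicesRunning)      | ForEach-Object { [int]$_ }

        [pscustomobject]@{
            VbsStatus              = $vbsStatus
            AvailableProperties    = ($available  | ForEach-Object { $propertyNames[$_] }) -join ', '
            HasDmaProtection       = ($available -contains 3)          # the IOMMU question from the thread
            ServicesConfigured     = ($configured | ForEach-Object { $serviceNames[$_] }) -join ', '
            CredentialGuardRunning = ($running -contains 1)
        }
    }

    Get-CredentialGuardReadiness | Format-List
    ```

    HasDmaProtection is the field that answers the question the thread cannot settle from the exam text alone: a physical host that reports no DMA protection lacks the IOMMU-backed protection, whatever its UEFI and TPM versions say.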
  • Hi Candy,

    "One of it is: The Hyper-V host must have an IOMMU, so the hypervisor can provide direct memory access (DMA) protection" - yes, it must, but IOMMU hasn't been mentioned in this question at all so I have no grounds to consider it influence on the process of finding the correct answer.

    I think this answer "Server1: UEFI version = 2.3.1; TPM version = 2.0; Type = Physical" is wrong simply because of the UEFI version: it should be 2.3.1 C or higher, but NOT 2.3.1!

    Regards,
    Michael


    • Edited by MF47 Wednesday, July 11, 2018 10:25 AM
    Wednesday, July 11, 2018 10:24 AM