Test questions

    Question

  • Hello!

    Help me please clarify a couple of questions:

    1) You have two Hyper-V servers:

        Server1: UEFI version = 2.3.1; TPM version = 2.0; Type = Physical
        Server2: UEFI version = 2.3.2; TPM version = 2.0; Type = Generation 2 VM

    On which server(s) can you enable Credential Guard?

    My answer (based on this documentation): on Server1 and Server2.

    The right answer: only on Server2.  Why???

    2) You need to allow inbound tcp (port 5055) connections to PC1 for Application1 only when computer is connected to the corporate network. You add the following rule:

     New-NetFirewallRule -DisplayName "Application1" -Direction Inbound -LocalPort 5055 -Protocol TCP -Action allow -Profile Domain

    Does this meet the goal?

    My answer - Yes. The right answer - No. Why???

    Thank you in advance,
    Michael


    • Edited by MF47 Friday, 23 March 2018 08:08
    Friday, 23 March 2018 08:07

All replies

  • Hi,

    These questions are easy to choose wrong.

    For Q1's Server 1: as a physical Hyper-V server, it is also a Hyper-V host, so in addition to the UEFI and TPM requirements, the following requirement must also be met:
    --------------------------------------------------------

    The Hyper-V host must have an IOMMU.

    For Server 2, it meets all the conditions. So the right answer is: Only on Server2.
     

    For the second question, I have tested the command in my environment; this command applies to all programs, not to a specific application. See below.

    The command is applied to all programs, but the question required a command applied to Application1 only, so the answer is wrong. You can also test it on your machine.
     
    If you have any questions about the above information, please feel free and let me know.
     

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, 26 March 2018 07:13
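An added example (not from this thread) of the check Candy describes: the rule as posted carries no `-Program` parameter, so its application filter is `Any`; adding `-Program` scopes it to one executable. The path to Application1's binary is an assumed placeholder.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell session.

# 1) The rule exactly as posted in the question: no -Program parameter.
New-NetFirewallRule -DisplayName "Application1-as-posted" -Direction Inbound `
    -LocalPort 5055 -Protocol TCP -Action Allow -Profile Domain | Out-Null

# The application filter shows Program = Any, i.e. every process on TCP/5055.
Get-NetFirewallRule -DisplayName "Application1-as-posted" |
    Get-NetFirewallApplicationFilter | Select-Object Program

# 2) The scoped rule: -Program binds the rule to a single executable.
#    The path is an assumed placeholder for Application1's binary.
$app = "C:\Program Files\Application1\Application1.exe"
New-NetFirewallRule -DisplayName "Application1" -Direction Inbound `
    -LocalPort 5055 -Protocol TCP -Action Allow -Profile Domain `
    -Program $app | Out-Null

# Now the application filter reports the executable path instead of Any.
Get-NetFirewallRule -DisplayName "Application1" |
    Get-NetFirewallApplicationFilter | Select-Object Program

# 3) Remove the unscoped demonstration rule so it does not linger.
Remove-NetFirewallRule -DisplayName "Application1-as-posted"
```

The `-Profile Domain` part of the posted rule does satisfy the "only on the corporate network" condition; it is the missing program scope that fails the goal.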
  • Hi Michael,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Tuesday, 27 March 2018 01:27
  • Hi Candy,

    Thank you very much for your explanations!

    Regarding Q2: I agree - I've confused the rule name "Application1" with the application itself, but I don't understand why I must assume that the Hyper-V host from Q1 does NOT have an IOMMU: the question does not say anything about it, so the examinee is expected to provide the answer based on the information provided ONLY - why should I make any assumptions regarding any other options/conditions???

    In other words, should I assume that if any parameter/option/condition is not mentioned explicitly in a question, it does not exist/is off?

    Regards,

    Michael




    • Edited by MF47 Tuesday, 27 March 2018 14:02
    Tuesday, 27 March 2018 13:57
  • Hi Michael,

    Thanks for your reply.

    It is really easy to choose the wrong answer here; therefore, when answering a question, we should understand what the question's subject wants to check.

    So let's look at the question: it gives two servers, one is a virtual machine and the other is a Hyper-V host. What the issuer wants to examine is which conditions must be met so that we can enable Credential Guard.

    Let's see the conditions below.


    The conditions that must be met are: the host must have an IOMMU, and the VM must be generation 2 and have TPM enabled.

    Let's see the two servers below.
    --------------------------------------
    Server1: UEFI version = 2.3.1; TPM version = 2.0; Type = Physical
    Server2: UEFI version = 2.3.2; TPM version = 2.0; Type = Generation 2 VM

    It is clear that the VM meets the necessary conditions and the host does not. Of course, the subject did not say that there is no IOMMU on Server 1. But can you be sure that Server 1 has an IOMMU? No, you cannot be sure. So the answer is wrong.

    For problem 2, the questioner clearly stated that the requirement applied to Application1 only. Obviously the result does not, so it is also wrong.

    ===========================================================================================

    You need to allow inbound tcp (port 5055) connections to PC1 for Application1 only when computer is connected to the corporate network. You add the following rule:

    New-NetFirewallRule -DisplayName "Application1" -Direction Inbound -LocalPort 5055 -Protocol TCP -Action allow -Profile Domain

    Does this meet the goal?

    If we are not sure whether this condition is included, we could say yes or no; the answer is not certain. So why would we consider this answer to be correct? No, it is not. All such answers are considered wrong. Unfulfilled conditions are also false propositions. So we must meet all conditions.

    Hope that I have made it clear.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   


    Friday, 30 March 2018 02:40
  • Hi Michael,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Tuesday, 3 April 2018 01:39
  • Hi Candy,

    Thank you very much for your help!

    Regards,

    Michael

    Wednesday, 4 April 2018 11:00
  • Hello!

    Sorry, I hadn't noticed it earlier: IOMMU is only required IN VIRTUAL MACHINES, NOT for physical hosts!

    So why is my answer to Q1 wrong???

    Regards,
    Michael

    Friday, 6 April 2018 11:02
  • Hi Michael,

    Thanks for your reply.

    See Hyper-V Server 1's information below.

    Server1: UEFI version = 2.3.1; TPM version = 2.0; Type = Physical

    As Server1 is a physical machine, it must be a Hyper-V host.

    The title may be somewhat ambiguous; you can refer to the following link to see more information about IOMMU.

    System requirements for Hyper-V on Windows Server 2016
    ------------------------------------------------------------------------------
    https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/system-requirements-for-hyper-v-on-windows

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Monday, 9 April 2018 09:31
  • Hi Candy,

    Thank you for the link!

    I've found only the following HV general requirements:

    General requirements

    Regardless of the Hyper-V features you want to use, you'll need:

    • A 64-bit processor with second-level address translation (SLAT). To install the Hyper-V virtualization components such as Windows hypervisor, the processor must have SLAT. However, it's not required to install Hyper-V management tools like Virtual Machine Connection (VMConnect), Hyper-V Manager, and the Hyper-V cmdlets for Windows PowerShell. See "How to check for Hyper-V requirements," below, to find out if your processor has SLAT.

    • VM Monitor Mode extensions

    • Enough memory - plan for at least 4 GB of RAM. More memory is better. You'll need enough memory for the host and all virtual machines that you want to run at the same time.

    • Virtualization support turned on in the BIOS or UEFI:

      • Hardware-assisted virtualization. This is available in processors that include a virtualization option - specifically processors with Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) technology.

      • Hardware-enforced Data Execution Prevention (DEP) must be available and enabled. For Intel systems, this is the XD bit (execute disable bit). For AMD systems, this is the NX bit (no execute bit).

    - this list does not contain IOMMU. IOMMU appears only as a requirement for shielded VMs, but that is not the case here, as the question is about Credential Guard...

    Regards,
    Michael

    Tuesday, 10 April 2018 08:26
  • Hi Michael,

    Sorry I forgot to attach the screenshot.

    Please see as below:

    This picture is the content of the link I just captured.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Tuesday, 10 April 2018 08:51
  • Hi Candy,

    Yes, I've seen it, but it is the requirement for a Hyper-V host containing shielded VMs (MS calls it "Requirements for specific features"). The host in the question is NOT supposed to contain any shielded VMs, so only the general requirements for Hyper-V hosts should apply, and they do NOT mention IOMMU!

    Regards,
    Michael


    • Edited by MF47 Wednesday, 11 April 2018 06:59
    Wednesday, 11 April 2018 06:59
  • Hi Michael,

    The last link is just for your reference for information on IOMMU.

    See below. The requirement for running Windows Defender Credential Guard on a Hyper-V host is that the host must have an IOMMU.

    For a physical Hyper-V host machine, Device Guard must meet the requirements to deliver security when running Windows Defender Credential Guard.
    One of them is: The Hyper-V host must have an IOMMU, so the hypervisor can provide direct memory access (DMA) protection.

    Best Regards,

    Candy

     


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Thursday, 12 April 2018 02:51
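An added example (not from this thread, and not Microsoft's own tooling) of how a practitioner would check on a real host whether the IOMMU/DMA-protection prerequisite Candy quotes is present and whether Credential Guard is actually running, using the Win32_DeviceGuard WMI class. The property-code names in the tables are the documented values; the script assumes it runs on Windows 10 / Server 2016 or later.

```powershell
# Added example, not code from the thread. Reads Device Guard readiness data
# from WMI and reports the prerequisites discussed above.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'

# Documented codes for AvailableSecurityProperties (subset relevant here)
$propertyNames = @{
    1 = 'Hypervisor support available'
    2 = 'Secure Boot available'
    3 = 'DMA protection available (IOMMU)'
    4 = 'Secure Memory Overwrite available'
    5 = 'NX protections available'
    6 = 'SMM mitigations available'
    7 = 'Mode Based Execution Control available'
}
# Documented codes for SecurityServicesConfigured / SecurityServicesRunning
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
}

Write-Host 'Available security properties:'
foreach ($code in $dg.AvailableSecurityProperties) {
    $name = if ($propertyNames.ContainsKey([int]$code)) { $propertyNames[[int]$code] } else { "unknown code $code" }
    Write-Host "  [$code] $name"
}

Write-Host 'Security services running:'
foreach ($code in $dg.SecurityServicesRunning) {
    $name = if ($serviceNames.ContainsKey([int]$code)) { $serviceNames[[int]$code] } else { "unknown code $code" }
    Write-Host "  [$code] $name"
}

# The two facts the thread argues about, as explicit booleans
$hasIommu  = [bool]($dg.AvailableSecurityProperties -contains 3)
$cgRunning = [bool]($dg.SecurityServicesRunning -contains 1)
Write-Host ('IOMMU / DMA protection present : {0}' -f $hasIommu)
Write-Host ('Credential Guard running       : {0}' -f $cgRunning)
```

An empty SecurityServicesRunning list with Credential Guard configured is the usual sign that a hardware prerequisite (virtualization extensions, Secure Boot, or the IOMMU) is missing or disabled in firmware.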
  • Hi Candy,

    "One of them is: The Hyper-V host must have an IOMMU, so the hypervisor can provide direct memory access (DMA) protection" - yes, it must, but IOMMU hasn't been mentioned in this question at all, so I have no grounds to consider its influence on the process of finding the correct answer.

    I think this answer "Server1: UEFI version = 2.3.1; TPM version = 2.0; Type = Physical" is wrong simply because of the UEFI version: it should be 2.3.1 C or higher, but NOT 2.3.1!

    Regards,
    Michael


    • Edited by MF47 Wednesday, 11 July 2018 10:25
    Wednesday, 11 July 2018 10:24