Exam 70-745 topic 1 question 53 discussion

Actual exam question from Microsoft's 70-745
Question #: 53
Topic #: 1

You administer the virtualization environment for an organization. You manage all Microsoft Hyper-V hosts locally. You plan to deploy Microsoft System Center Virtual Machine Manager (SCVMM).
SCVMM administrators must have full administrative permissions over the SCVMM fabric but no permission to other organizational fabrics. Administrators in the domain environment must not have any permission to the SCVMM infrastructure.
You need to deploy the SCVMM environment.
What should you include?

  • A. Local installation of the SCVMM agent
  • B. BitLocker-encrypted VHDX file
  • C. Host Guardian Service in a trusted domain
  • D. Host Guardian Service in an isolated forest
Suggested Answer: D
When setting up the Host Guardian Service (HGS), you are given the option of creating an isolated Active Directory forest just for HGS or joining HGS to an existing, trusted domain. This decision, together with the roles you assign the admins in your organization, determines the trust boundary for HGS. Whoever has access to HGS, whether directly as an admin or indirectly as an admin of something else (e.g. Active Directory) that can influence HGS, has control over your guarded fabric. HGS admins choose which Hyper-V hosts are authorized to run shielded VMs and manage the certificates necessary to start up shielded VMs. An attacker or malicious admin who has access to HGS can use this power to authorize compromised hosts to run shielded VMs, initiate a denial-of-service attack by removing key material, and more.
To avoid this risk, it is strongly recommended that you limit the overlap between the admins of your HGS (including the domain to which HGS is joined) and Hyper-V environments. By ensuring no one admin has access to both systems, an attacker would need to compromise 2 different accounts from 2 individuals in order to change the HGS policies. This also means that the domain and enterprise admins for the two Active Directory environments should not be the same person, nor should HGS use the same Active Directory forest as your Hyper-V hosts. Anyone who can grant themselves access to more resources poses a security risk.
References:
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-manage-hgs
