MICROSOFT CERTIFICATION
AZ-801 Configuring Windows Server Hybrid Advanced Services Practice Exam
Exam Number: 3112 | Last updated 16-Apr-26 | 780+ questions across 4 vendor-aligned objectives
The AZ-801 Configuring Windows Server Hybrid Advanced Services certification validates the skills of administrators who configure advanced Windows Server services including security, migration, and monitoring in hybrid environments. This exam measures your ability to work with Windows Server, Azure Backup, Azure Site Recovery, Windows Server Update Services, Azure Migrate, demonstrating both conceptual understanding and practical implementation skills required in today’s enterprise environments.
The heaviest exam domains include Secure Windows Server On-Premises and Hybrid Infrastructures (25–30%), Migrate Servers and Workloads (20–25%), and Monitor and Troubleshoot Windows Server Environments (20–25%). These areas collectively represent the majority of exam content and require focused preparation across their respective subtopics.
Additional domains tested include Implement and Manage Windows Server High Availability (10–15%), and Implement Disaster Recovery (10–15%). Together, these areas round out the full exam blueprint and ensure candidates possess well-rounded expertise across the certification scope.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Microsoft documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations. Learn about our methodology →
279
practice exam users
92.1%
satisfied users
89.8%
passed the exam
4.2/5
quality rating
Test your AZ‑801 Windows Server Hybrid Advanced knowledge
10 of 780+ questions
Question #1 - Secure Windows Server On-Premises and Hybrid Infrastructures
A company needs to protect credentials on domain controllers from pass-the-hash and credential theft attacks.
Which security feature should be enabled?
A) BitLocker on all drives
B) NTFS encryption on the NTDS.dit file
C) Windows Defender Credential Guard
D) Windows Firewall with default rules
Show solution
Correct answers: C – Explanation:
Credential Guard uses virtualization-based security to isolate LSASS process secrets, preventing pass-the-hash and credential dumping. BitLocker protects at-rest data but not runtime credentials. Firewall controls network traffic. NTFS encryption on NTDS.dit does not protect in-memory credentials. Source: Check Source
Question #2 - Secure Windows Server On-Premises and Hybrid Infrastructures
A company needs to protect domain controller credentials from pass-the-hash and credential theft attacks.
Which security feature should be enabled?
A) BitLocker Drive Encryption protecting the operating system volume data at rest on disk
B) NTFS Encrypting File System applied to the NTDS.dit Active Directory database file
C) Windows Firewall with Advanced Security using default inbound and outbound traffic rules
D) Windows Defender Credential Guard isolating LSASS secrets using virtualization-based security
Show solution
Correct answers: D – Explanation:
Credential Guard uses virtualization-based security to isolate LSASS process secrets in a protected container, preventing pass-the-hash and credential dumping attacks. BitLocker protects at-rest disk data but not runtime in-memory credentials. Windows Firewall controls network traffic flow, not credential storage security. EFS on NTDS.dit encrypts the file at rest but does not protect credentials loaded into memory during authentication. Source: Check Source
Question #3 - Secure Windows Server On-Premises and Hybrid Infrastructures
Windows Server VMs must be patched within 72 hours of security update release. Updates need staging before production.
Which update management solution should be used?
A) Manually download patches from the Microsoft Update Catalog and install them each month
B) Azure Update Management with scheduled maintenance windows and pre-post deployment scripts
C) Allow Windows Update to download and install patches automatically without any controls
D) Disable all automatic update mechanisms to prevent unexpected reboots during business hours
Show solution
Correct answers: B – Explanation:
Azure Update Management schedules patches with configurable maintenance windows, supports staging through pre/post scripts, and tracks compliance across hybrid environments. Uncontrolled automatic updates lack staging verification before production. Manual monthly patching does not reliably meet the 72-hour requirement at scale. Disabling updates entirely leaves servers exposed to known security vulnerabilities. Source: Check Source
Question #4 - Secure Windows Server On-Premises and Hybrid Infrastructures
A government agency needs to restrict application execution on servers to a pre-approved whitelist only.
Which Windows Server feature should be configured?
A) Software Restriction Policies using legacy hash-based rules from the Local Security Policy
B) Windows Defender Application Control with code integrity policies enforcing the whitelist
C) User Account Control prompts requiring elevation confirmation for administrative operations
D) Windows Defender Antivirus with real-time malware scanning and cloud-delivered protection
Show solution
Correct answers: B – Explanation:
WDAC enforces code integrity policies that allow only whitelisted applications to execute, providing robust kernel-level application control. Antivirus detects known malware signatures but does not prevent execution of unknown, non-whitelisted applications. Software Restriction Policies are deprecated and lack the kernel enforcement capabilities of WDAC. UAC controls privilege elevation for administrative operations but does not restrict which applications can run. Source: Check Source
Question #5 - Implement and Manage Windows Server High Availability
A critical SQL Server instance on Windows Server needs automatic failover to a standby node within 30 seconds if the primary fails.
Which HA solution should be implemented?
A) Network Load Balancing distributing SQL Server client connections across multiple nodes
B) Windows Server Failover Clustering with SQL Server Failover Cluster Instance configuration
C) Hyper-V Replica providing asynchronous VM replication with manual failover initiation
D) Scheduled database backups running every 30 seconds to a secondary storage location
Show solution
Correct answers: B – Explanation:
WSFC with SQL Server FCI provides automatic database failover with near-instant failure detection and role transfer to the standby node. 30-second backup intervals cannot provide automatic failover or meet RPO requirements. NLB distributes stateless traffic and cannot handle stateful SQL Server database failover correctly. Hyper-V Replica requires manual failover initiation and has RPO greater than zero. Source: Check Source
Question #6 - Implement and Manage Windows Server High Availability
A two-node hospital cluster risks split-brain during a network partition. Both nodes may believe the other is down.
Which cluster component prevents split-brain?
A) A Cloud Witness quorum resource hosted in Azure providing a third-party arbitration vote
B) An additional network interface card added to each node for redundant communication
C) A higher-frequency heartbeat network with shorter timeout intervals between nodes
D) DNS round-robin load balancing distributing client connections between the two nodes
Show solution
Correct answers: A – Explanation:
Cloud Witness provides an Azure-hosted quorum vote that determines which partition retains cluster ownership during a network split, preventing split-brain scenarios. Higher heartbeat frequency detects failures faster but cannot arbitrate which side survives a partition. Additional NICs add network redundancy but do not provide quorum voting for partition arbitration. DNS round-robin distributes client traffic but has no role in cluster quorum decisions. Source: Check Source
Question #7 - Implement Disaster Recovery
On-premises Hyper-V VMs need replication to Azure for DR with RPO of 30 seconds and automated failover.
Which Azure service should be used?
A) Azure Site Recovery providing continuous Hyper-V to Azure replication with orchestrated failover
B) Manual VHD file copy to Azure Blob Storage scheduled as a nightly batch transfer operation
C) Azure Backup with daily application-consistent snapshots stored in a Recovery Services vault
D) Azure File Sync replicating VM disk files from the on-premises host to Azure Files shares
Show solution
Correct answers: A – Explanation:
Azure Site Recovery provides continuous replication of Hyper-V VMs to Azure with RPO as low as 30 seconds and orchestrated failover with recovery plans. Azure Backup snapshots have daily RPO, far exceeding the 30-second requirement. Manual VHD copy is not continuous and introduces long RPO gaps. File Sync handles file-level synchronization and is not designed for full virtual machine replication and failover. Source: Check Source
Question #8 - Implement Disaster Recovery
After a datacenter fire, replicated VMs in Azure must start in order: domain controllers first, then app servers, then web frontends.
Which ASR feature manages VM startup sequencing during failover?
A) Manual individual VM startup in the correct order performed by the DR team under pressure
B) Start all replicated virtual machines simultaneously and let services resolve dependencies
C) Azure Automation runbooks executed independently without any ASR integration or sequencing
D) Recovery plans with ordered groups defining startup sequence and custom scripts between groups
Show solution
Correct answers: D – Explanation:
Recovery plans define groups of machines that fail over in sequence, with custom scripts executing between groups to verify dependencies before advancing. Simultaneous startup may break applications with inter-service dependencies. Manual ordering under disaster pressure is error-prone and slow. Standalone runbooks without ASR integration lack the group sequencing and health-check framework recovery plans provide. Source: Check Source
Question #9 - Migrate Servers and Workloads
A company migrates 50 physical Windows servers to Azure VMs. They need compatibility assessment and right-sized VM recommendations.
Which Azure service should be used for assessment?
A) Azure Migrate with server discovery appliance and performance-based assessment for right-sizing
B) A manual inventory spreadsheet documenting each server configuration maintained by the team
C) Azure Pricing Calculator estimating monthly costs based on manually entered VM specifications
D) Azure Advisor providing optimization recommendations for already-deployed Azure resource usage
Show solution
Correct answers: A – Explanation:
Azure Migrate discovers on-premises servers, collects performance data, assesses Azure readiness, and recommends right-sized VM SKUs based on actual utilization patterns. The Pricing Calculator estimates costs but does not assess compatibility or analyze performance data. Advisor optimizes existing Azure resources, not pre-migration on-premises servers. Manual spreadsheets lack automated analysis, performance trending, and compatibility assessment. Source: Check Source
Question #10 - Migrate Servers and Workloads
A company migrating file servers to Azure wants on-premises access to hot files while tiering cold data to the cloud.
Which service should be deployed?
A) Robocopy script scheduled nightly to copy files from on-premises servers to Azure Blob Storage
B) DFS Replication configured to synchronize file shares to a Windows Server VM running in Azure
C) Azure File Sync with cloud tiering automatically moving cold files to Azure Files storage
D) Azure Data Box for a one-time bulk offline transfer of all file server data to Azure
Show solution
Correct answers: C – Explanation:
Azure File Sync keeps frequently accessed files cached on-premises while cloud tiering automatically moves cold data to Azure Files, optimizing local storage. Robocopy provides one-directional copy without intelligent tiering or continuous sync. Data Box is designed for bulk one-time offline transfer, not ongoing file management. DFS Replication to an Azure VM requires maintaining a full VM and does not provide intelligent tiering. Source: Check Source
Get 780+ more questions with source-linked explanations
Every answer traces to the exact Microsoft documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated 16-Apr-26
Learn more...
What the AZ‑801 Windows Server Hybrid Advanced exam measures
- Secure Windows Server On-Premises and Hybrid Infrastructures (25–30%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Implement and Manage Windows Server High Availability (10–15%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Implement Disaster Recovery (10–15%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Migrate Servers and Workloads (20–25%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Monitor and Troubleshoot Windows Server Environments (20–25%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
How to prepare for this exam
- Review the official exam guide to understand every objective and domain weight before you begin studying
- Complete the relevant Microsoft Learn learning path to build a structured foundation across all exam topics
- Get hands-on practice in an Azure free-tier sandbox or trial environment to reinforce what you have studied with real configurations
- Apply your knowledge through real-world project experience — whether at work, in volunteer roles, or contributing to open-source initiatives
- Master one objective at a time, starting with the highest-weighted domain to maximize your score potential early
- Use PowerKram learn mode to study by individual objective and review detailed explanations for every question
- Switch to PowerKram exam mode to simulate the real test experience with randomized questions and timed conditions
Career paths and salary outlook
Earning this certification can open doors to several in-demand roles:
- Windows Server Engineer: $95,000–$130,000 per year (based on Glassdoor and ZipRecruiter data)
- Hybrid Cloud Administrator: $105,000–$140,000 per year (based on Glassdoor and ZipRecruiter data)
- Infrastructure Migration Specialist: $100,000–$135,000 per year (based on Glassdoor and ZipRecruiter data)
Official resources
Microsoft provides comprehensive free training to prepare for the AZ-801 Configuring Windows Server Hybrid Advanced Services exam. Start with the official Microsoft Learn learning path for structured, self-paced modules covering every exam domain. Review the exam study guide for the complete skills outline and recent updates.