
Microsoft AZ-802: Manage Virtual Machines and Containers

Try 10 focused Microsoft AZ-802 questions on Manage Virtual Machines and Containers, with explanations, then continue with IT Mastery.


Topic snapshot

| Field | Detail |
| --- | --- |
| Exam route | Microsoft AZ-802 |
| Topic area | Manage Virtual Machines and Containers |
| Blueprint weight | 9% |
| Page purpose | Focused sample questions before returning to mixed practice |

How to use this topic drill

Use this page to isolate Manage Virtual Machines and Containers for Microsoft AZ-802. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

| Pass | What to do | What to record |
| --- | --- | --- |
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |

Blueprint context: 9% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Manage Virtual Machines and Containers

You administer on-premises Hyper-V hosts that are connected to Azure Arc. A Windows Server VM runs a production line-of-business application with a SQL Server database. Before monthly application updates, the operations team needs a rollback point that uses guest-aware mechanisms and must avoid capturing running memory or device state. If a guest-aware checkpoint cannot be created, the update should stop for investigation. Which VM configuration is the best design fit?

Options:

  • A. Disable the Backup integration service

  • B. Enable production checkpoints and disable standard checkpoint fallback

  • C. Enable standard checkpoints for the VM

  • D. Enable Enhanced Session Mode for administrators

Best answer: B

Explanation: Production checkpoints are the appropriate Hyper-V checkpoint type for production Windows Server workloads because they use guest-aware technologies, such as VSS inside the guest, instead of saving the VM’s running memory and device state. For an application and database workload, this better aligns the rollback point with supported application-consistent behavior. The additional requirement is important: if production checkpoint creation fails, Hyper-V should not fall back to a standard checkpoint, because that would capture runtime state and could create an inconsistent rollback point for the database workload. Enhanced Session Mode affects interactive console features, not checkpoint consistency.

  • Standard checkpoints capture VM memory and device state, which is suitable for labs but not the stated production database requirement.
  • Disabling Backup integration removes a mechanism production checkpoints can use for guest-aware coordination.
  • Enhanced Session Mode improves VMConnect interaction, such as device redirection, but does not provide rollback consistency.

Question 2

Topic: Manage Virtual Machines and Containers

A company is modernizing an on-premises .NET Framework application by packaging it as a Windows container. The container host must run on Windows Server 2022, be manageable remotely by the server operations team, and support Hyper-V isolation for higher-risk workloads. Which design best prepares the server for this deployment?

Options:

  • A. Deploy a Linux container host and run the image unchanged

  • B. Enable Containers, add Hyper-V, and install a supported container runtime

  • C. Install Docker Desktop with WSL 2 on Windows Server

  • D. Enable IIS only and publish the application as a website

Best answer: B

Explanation: Preparing Windows Server as a container host means configuring the server to run Windows containers, not just installing the application role. The host needs the Containers feature and a supported container runtime so it can pull, create, start, and manage container images. Because the scenario requires Hyper-V isolation, the Hyper-V role must also be available on the host. Remote management can then be handled with normal Windows Server administration tools such as Windows Admin Center or PowerShell remoting. The key design fit is to prepare the Windows Server host for Windows container execution while adding Hyper-V only because the isolation requirement makes it necessary.

  • Docker Desktop path is not the appropriate production design for preparing Windows Server as a container host.
  • Linux host choice fails because a Windows container image cannot run unchanged on a Linux container host.
  • IIS-only deployment hosts a traditional web app but does not prepare the server to run containerized workloads.

Question 3

Topic: Manage Virtual Machines and Containers

A company runs a legacy web component as Windows Server containers on on-premises Windows Server 2022 hosts. During incidents, administrators must inspect running containers, view container logs, restart a single container, and open a shell inside the affected container. The company does not need Kubernetes scheduling or a managed container platform. Which design is the best fit?

Options:

  • A. Move the workload to Azure Container Instances

  • B. Manage containers directly on the Windows Server hosts

  • C. Deploy AKS and manage only node pools

  • D. Convert each container to a Windows service

Best answer: B

Explanation: Windows Server containers that require operational control are best managed from the Windows Server container hosts or through a management path that reaches those hosts, such as PowerShell remoting, Windows Admin Center, or the container runtime tooling. This allows administrators to inspect live container state, retrieve logs, restart one container without changing the whole platform, and run an interactive command inside a container when troubleshooting. A managed or orchestrated platform can be useful when scheduling, scaling, or declarative deployment is the primary requirement, but the scenario specifically requires direct operational actions against running Windows Server containers.

  • Managed platform shift fails because Azure Container Instances changes the operating model and does not match the stated need for host-level operational control.
  • Kubernetes-first design fails because AKS adds orchestration that the scenario explicitly does not require.
  • Service conversion fails because it removes the container packaging model instead of managing the running container instances.

Question 4

Topic: Manage Virtual Machines and Containers

An organization has two domain-joined Windows Server 2022 Hyper-V hosts that are monitored through Azure Arc. The hosts use different Intel processor generations and store VM disks on local volumes. Administrators use Windows Admin Center from their workstations and must move running VMs between hosts during maintenance without planned guest shutdowns. Which design is the best fit?

Options:

  • A. Use CredSSP live migration and require administrators to connect to either host locally

  • B. Configure Kerberos live migration, constrained delegation, and VM processor compatibility

  • C. Install Azure Connected Machine Agent inside each VM and enable Dynamic Memory

  • D. Enable Hyper-V Replica between the hosts and fail over VMs for maintenance

Best answer: B

Explanation: For remotely initiated Hyper-V live migrations from Windows Admin Center, Kerberos authentication with constrained delegation is the appropriate design because administrators are not signing in directly to the source host. Because the VMs may need to move between different Intel processor generations, enabling Hyper-V processor compatibility mode on those VMs avoids exposing CPU features that may not exist on the destination host. Since the disks are local, the design must also account for moving VM storage as part of the migration path. This meets the availability and manageability requirements without assuming shared storage or identical CPUs.

  • CredSSP local use can work only when initiated from the source host session, which does not match workstation-based administration.
  • Hyper-V Replica is for asynchronous disaster recovery and failover, not routine no-shutdown host maintenance.
  • Arc agent and Dynamic Memory improve management and memory use but do not enable live migration across host CPU and authentication constraints.

Question 5

Topic: Manage Virtual Machines and Containers

A Windows Server 2022 Azure VM hosts a line-of-business file workload. After you stripe four Premium SSD data disks in Windows, users report high write latency during peak periods. Azure Monitor shows:

| Item | Value |
| --- | --- |
| VM size limit | 6,400 uncached IOPS |
| Each data disk limit | 5,000 IOPS |
| Each disk observed | About 1,600 IOPS |
| VM uncached IOPS consumed | 100% |

What is the most likely root cause?

Options:

  • A. The VM size storage limit is throttling I/O.

  • B. The striped volume lacks zone-redundant storage.

  • C. Windows storage encryption is causing write failures.

  • D. One Premium SSD data disk is saturated.

Best answer: A

Explanation: Azure VM disk performance is constrained by both the attached disks and the VM size. In this case, the four striped disks can theoretically provide more IOPS than the VM size can pass through as uncached disk I/O. The observed 1,600 IOPS per disk totals 6,400 IOPS, which matches the VM limit, while each disk remains well below its individual 5,000 IOPS cap. That pattern points to VM-level throttling rather than disk-level saturation. To meet the performance requirement, use a VM size with higher disk IOPS/throughput capacity or adjust the storage design to fit the VM’s limits.

  • Single disk saturation fails because each disk is only at about 1,600 IOPS, below its 5,000 IOPS limit.
  • Encryption issue fails because the evidence shows throttling behavior, not encryption errors or failed writes.
  • Zone redundancy fails because resiliency placement does not explain the VM uncached IOPS counter reaching 100%.

Question 6

Topic: Manage Virtual Machines and Containers

A Windows Server 2022 container host runs as a Hyper-V virtual machine on an on-premises network. A containerized line-of-business app must receive an IP address from the existing VLAN DHCP scope, be reachable directly by other servers on that IP address, and avoid publishing individual ports on the container host. Which configuration should you use?

Options:

  • A. Create a private internal vSwitch for the containers

  • B. Create a transparent network and enable MAC spoofing on the host VM

  • C. Create a NAT network and map the app ports on the host

  • D. Create an overlay network for the containers

Best answer: B

Explanation: Windows Server container networking uses different network drivers for different isolation and connectivity goals. A transparent network connects containers to an external Hyper-V virtual switch so the containers appear on the same Layer 2 network as other physical or virtual machines. That allows DHCP from the existing VLAN and direct inbound access to each container IP. Because the container host itself is a Hyper-V VM, MAC address spoofing must be enabled on that VM so the physical network can see traffic using the containers’ MAC addresses. NAT would require host port publishing and would not give the app direct reachability on a VLAN-assigned IP.

  • NAT publishing fails because it exposes services through host ports instead of giving each container a directly reachable VLAN address.
  • Overlay networking is intended for multi-host container networks and does not satisfy the stated DHCP-on-existing-VLAN requirement.
  • Private switching isolates containers from the external network, so other servers cannot reach them directly.

Question 7

Topic: Manage Virtual Machines and Containers

A Hyper-V administrator must diagnose a Windows Server 2022 VM named APP01. After a virtual switch change, APP01 no longer responds to ping, RDP, WinRM, or SSH. Hyper-V Manager shows the VM is running with integration services healthy. The administrator is signed in to the Hyper-V host and has local administrator credentials for APP01. What is the best next diagnostic action?

Options:

  • A. Add a second virtual NIC to restore management access.

  • B. Run PowerShell remoting to APP01 by FQDN.

  • C. Open an SSH session to the last known IP address.

  • D. Start a PowerShell Direct session to APP01 from the host.

Best answer: D

Explanation: PowerShell Direct is the right diagnostic path when a supported Windows guest is running on a Hyper-V host, the administrator has host access, and guest network access is unavailable. It connects from the Hyper-V host into the VM through the Hyper-V integration channel, so it can be used to inspect settings such as IP configuration, firewall state, and service status even when ping, RDP, WinRM, and SSH fail. Standard PowerShell remoting and SSH both depend on a working network path to the guest endpoint. Changing VM hardware before validating the guest configuration could introduce unnecessary changes and obscure the original issue.

  • PowerShell remoting fails because -ComputerName requires reachable network connectivity and WinRM on the guest.
  • SSH by IP fails because the symptom already shows SSH and guest network reachability are unavailable.
  • Adding a NIC is premature because the host-to-guest diagnostic path can validate the current configuration first.
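
The diagnostic path from this explanation, as an added example that is not part of the original practice item: it collects the guest's network, firewall, and service state over PowerShell Direct, then shows the host-side adapter attachment after the switch change. It assumes an elevated session on the Hyper-V host with the Hyper-V module available; the credential prompt text and the service list are illustrative choices.

```powershell
# Added example. Run elevated on the Hyper-V host that owns APP01.
# PowerShell Direct uses -VMName (not -ComputerName), so no guest network path is needed.
$cred = Get-Credential -Message 'Local administrator account inside APP01'

$guest = Invoke-Command -VMName 'APP01' -Credential $cred -ScriptBlock {
    $ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -ne '127.0.0.1' }

    [pscustomobject]@{
        Adapters = Get-NetAdapter |
            Select-Object Name, Status, MacAddress, LinkSpeed
        IPv4 = $ipv4 |
            Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin
        # A 169.254.x.x address means the guest asked for DHCP and got no answer.
        ApipaOnly = [bool]($ipv4 -and -not ($ipv4 |
            Where-Object { $_.IPAddress -notlike '169.254.*' }))
        DefaultRoute = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Select-Object InterfaceAlias, NextHop
        Firewall = Get-NetFirewallProfile |
            Select-Object Name, Enabled, DefaultInboundAction
        # sshd is only present if OpenSSH Server is installed in the guest.
        Services = Get-Service -Name WinRM, TermService, sshd -ErrorAction SilentlyContinue |
            Select-Object Name, Status, StartType
    }
}

$guest.Adapters     | Format-Table -AutoSize
$guest.IPv4         | Format-Table -AutoSize
$guest.DefaultRoute | Format-Table -AutoSize
$guest.Firewall     | Format-Table -AutoSize
$guest.Services     | Format-Table -AutoSize
if ($guest.ApipaOnly) {
    Write-Warning 'APP01 has only APIPA addresses: check the switch and VLAN the vNIC is attached to.'
}

# Host side: confirm which virtual switch and VLAN the existing vNIC uses
# before changing any VM hardware.
Get-VMNetworkAdapter -VMName 'APP01' |
    Select-Object Name, SwitchName, MacAddress, Status, IPAddresses
Get-VMNetworkAdapterVlan -VMName 'APP01'
```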

Question 8

Topic: Manage Virtual Machines and Containers

A Hyper-V administrator configures a Windows Server VM for an application update. The application owner requires an application-consistent checkpoint. The VM is set to use production checkpoints with standard checkpoint fallback enabled. When the administrator creates the checkpoint, Hyper-V logs: Production checkpoint failed; a standard checkpoint was created instead. In the VM settings, the Backup (volume shadow copy) integration service is not selected.

What is the best root cause?

Options:

  • A. Guest services integration is disabled

  • B. Enhanced Session Mode is disabled on the host

  • C. Dynamic Memory is enabled on the VM

  • D. The Backup integration service is disabled

Best answer: D

Explanation: Production checkpoints use guest-aware backup mechanisms instead of saving the VM memory state. For Windows Server guests, Hyper-V relies on the Backup (volume shadow copy) integration service so VSS-aware workloads can be quiesced for an application-consistent checkpoint. Because fallback to standard checkpoints is enabled, Hyper-V can still create a checkpoint, but it is not the requested production checkpoint. The visible clue is the disabled Backup integration service, not a general VM connectivity or console feature setting.

The next fix would be to enable the Backup integration service and verify the guest VSS writers are healthy before retrying the checkpoint.

  • Dynamic Memory affects memory allocation behavior, not whether VSS-based production checkpoints can be created.
  • Enhanced Session Mode affects VMConnect redirection and interactive sessions, not checkpoint consistency.
  • Guest services supports host-to-guest file copy scenarios, but it is not the VSS integration component used for production checkpoints.
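
The configuration behind Questions 1 and 8, as an added example that is not part of the original practice items: it sets the VM to production checkpoints without standard fallback, checks the Backup (volume shadow copy) integration service, and halts if the checkpoint cannot be created. The VM name `APP-SQL01` and the checkpoint label are placeholders, and the integration service name `VSS` is the one shown by the Hyper-V module on English-language hosts.

```powershell
# Added example. Run elevated on the Hyper-V host; requires the Hyper-V module.
# 'APP-SQL01' is a placeholder VM name, not a value from the questions.
$vmName = 'APP-SQL01'
$ErrorActionPreference = 'Stop'

# 1. ProductionOnly = production checkpoints with NO fallback to a standard
#    checkpoint. ('Production' alone would allow the fallback seen in Question 8.)
Set-VM -Name $vmName -CheckpointType ProductionOnly

# 2. The guest-aware path depends on the VSS integration service, which
#    Hyper-V Manager lists as "Backup (volume shadow copy)".
$vss = Get-VMIntegrationService -VMName $vmName -Name 'VSS'
if (-not $vss.Enabled) {
    Write-Warning "Backup (VSS) integration service is disabled on $vmName; enabling it."
    Enable-VMIntegrationService -VMName $vmName -Name 'VSS'
    $vss = Get-VMIntegrationService -VMName $vmName -Name 'VSS'
}
'VSS integration: Enabled={0}, Status={1}' -f $vss.Enabled, $vss.PrimaryStatusDescription

# 3. Confirm the effective setting before touching the application.
$type = (Get-VM -Name $vmName).CheckpointType
if ($type -ne 'ProductionOnly') {
    throw "Unexpected checkpoint type '$type' on $vmName; update halted."
}

# 4. Create the rollback point. With ProductionOnly, a failure to quiesce the
#    guest surfaces as an error here instead of a silent standard checkpoint.
$label = 'pre-update-{0:yyyyMMdd-HHmm}' -f (Get-Date)
try {
    Checkpoint-VM -Name $vmName -SnapshotName $label
    Get-VMSnapshot -VMName $vmName -Name $label |
        Select-Object VMName, Name, CreationTime
}
catch {
    # Stop for investigation: check guest VSS writer health before retrying.
    throw "Production checkpoint failed for ${vmName}; update halted. $($_.Exception.Message)"
}
```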

Question 9

Topic: Manage Virtual Machines and Containers

A company is moving three Windows Server application tiers to Azure IaaS VMs. The VNet is connected to the datacenter by a site-to-site VPN. The VMs must join the on-premises AD DS domain and resolve corp.contoso.com by using existing domain controllers. No VM can have a public IP address. Administrators should manage the VMs only from the on-premises IT subnet, and each tier should accept traffic only from the tier in front of it. Which design is the best fit?

Options:

  • A. Use Azure-provided DNS, one subnet, and Windows Defender Firewall rules.

  • B. Use custom VNet DNS, tier subnets, NSGs, and private admin access over VPN.

  • C. Use public IPs with NSGs that allow only the IT subnet.

  • D. Use Azure Private DNS only and place all VMs in one subnet.

Best answer: B

Explanation: For domain-joined Windows Server VMs, the Azure VNet should use custom DNS servers that point to reachable AD DS DNS servers across the VPN. Separating the web, app, and data tiers into subnets allows network security groups to enforce only the required east-west flows. Omitting public IP addresses keeps management on private paths, and NSG rules can limit RDP, WinRM, or PowerShell remoting to the on-premises IT subnet over the VPN. Azure-provided DNS is not sufficient for resolving an on-premises AD DS namespace unless forwarding or custom DNS is configured.

  • Azure-provided DNS does not resolve the on-premises AD DS namespace needed for domain join and service discovery.
  • Public IP management violates the requirement that no VM have a public IP address.
  • Private DNS only does not replace AD DS-integrated DNS for the existing corp.contoso.com domain and does not provide tier segmentation.

Question 10

Topic: Manage Virtual Machines and Containers

A company runs shielded Windows Server VMs on a Hyper-V guarded fabric in its primary datacenter. You must move several shielded VMs to a new Hyper-V cluster in a secondary datacenter. The VMs must remain shielded, host administrators must not gain access to VM contents, and the move must use the existing tenant security model. Which design best fits these requirements?

Options:

  • A. Copy the VHDX files to the new cluster and attach them to new VMs.

  • B. Use BitLocker on the Hyper-V host volumes instead of guarded hosts.

  • C. Onboard the new cluster as guarded hosts in the existing HGS fabric.

  • D. Remove shielding, migrate the VMs, and re-enable shielding after validation.

Best answer: C

Explanation: Shielded VMs are designed to run only on trusted Hyper-V hosts in a guarded fabric. To preserve the security boundary during a move, the destination Hyper-V hosts must be configured as guarded hosts and successfully attest to the Host Guardian Service (HGS) trusted by the VM key protectors. The new cluster also needs normal fabric prerequisites such as compatible networking and storage access, but the deciding security requirement is HGS authorization. Removing shielding or recreating VMs from disks breaks the protected operational model, and host-volume encryption does not replace shielded VM protections.

  • Remove shielding fails because it exposes the VM during migration and violates the requirement to keep the VMs shielded.
  • Copying VHDX files fails because shielded VM disks and key protectors cannot be treated like ordinary portable disks.
  • Host BitLocker only protects storage at rest on the host but does not provide guarded-fabric attestation or shielded VM isolation.

Continue with full practice

Use the Microsoft AZ-802 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.


Free review resource

Read the Microsoft AZ-802 Cheat Sheet for compact concept review before returning to timed practice.

Revised on Monday, May 25, 2026