Try 10 focused Microsoft AZ-802 questions on Manage Windows Servers and Hybrid Workloads, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
Try Microsoft AZ-802 on Web View full Microsoft AZ-802 practice page
| Field | Detail |
|---|---|
| Exam route | Microsoft AZ-802 |
| Topic area | Manage Windows Servers and Hybrid Workloads |
| Blueprint weight | 6.5% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Manage Windows Servers and Hybrid Workloads for Microsoft AZ-802. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 6.5% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Manage Windows Servers and Hybrid Workloads
A company manages Azure VMs and Azure Arc-enabled Windows Server machines with Azure Update Manager. After the monthly maintenance window, the administrator must validate update compliance without using interactive RDP sessions.
Exhibit: Update evidence
| Server | Last install result | Compliance state | Details |
|---|---|---|---|
| FS01 | Succeeded | Non-compliant | Pending reboot |
| APP02 | Succeeded | Non-compliant | Pending reboot |
| WEB03 | Succeeded | Compliant | No pending updates |
Which remediation and validation step is the best design fit?
Options:
A. Assign a Log Analytics data collection rule to the servers.
B. Restart FS01 and APP02, then run an on-demand update assessment.
C. Run a Microsoft Entra Connect delta synchronization cycle.
D. Create a new maintenance configuration for FS01 and APP02.
Best answer: B
Explanation: Azure Update Manager compliance is based on update assessment state, not only whether an install job reported success. In this scenario, FS01 and APP02 installed updates successfully but still have a pending reboot. Many Windows updates are not fully applied until after restart, so the compliance state can remain non-compliant until the servers reboot and a new assessment runs. Because the requirement avoids interactive RDP, the administrator should use a managed operation such as Azure Update Manager or another approved remote management method to restart the affected servers, then trigger an on-demand assessment to validate the final compliance state. Recreating schedules or changing monitoring ingestion does not address the reboot evidence.
Topic: Manage Windows Servers and Hybrid Workloads
An administrator uses Azure Update Manager to assess an Azure Arc-enabled Windows Server. The server appears as Connected in Azure Arc, but the update assessment fails.
Server: FS-ARC-03
Azure Arc state: Connected
Update assessment: Failed
Windows Update error: 0x8024402C
Policy result:
Do not connect to Windows Update Internet locations: Enabled
Specify intranet Microsoft update service location: Not configured
What is the best remediation or validation step?
Options:
A. Enable VM Insights for the Arc-enabled server
B. Configure a reachable update source and rerun assessment
C. Create an Azure Monitor data collection rule
D. Reinstall the Azure Connected Machine Agent
Best answer: B
Explanation: Azure Update Manager assesses Windows updates by using the operating system’s update scan behavior. The server is already connected to Azure Arc, so the failure is not primarily an Arc onboarding issue. The policy evidence shows the server is blocked from contacting Windows Update Internet locations, but no intranet update service such as WSUS is configured. That leaves the Windows Update Agent without a valid scan source, causing the assessment failure. The next step is to configure a reachable WSUS/intranet update service or allow the required Windows Update source, then rerun the assessment to validate compliance.
Topic: Manage Windows Servers and Hybrid Workloads
An administrator can manage SRV1 by using WinRM over HTTP, but PowerShell remoting over HTTPS from the same workstation fails. TCP 5986 connects, and the Windows Defender Firewall rule for WinRM HTTPS is enabled. The date on SRV1 is February 20, 2026.
Evidence from SRV1:
Transport = HTTPS
Port = 5986
CertificateThumbprint = 1A2B3C4D
Subject = CN=srv1.contoso.com
NotAfter = 2026-01-10
What is the best root cause?
Options:
A. The administrator lacks remote session authorization.
B. TCP 5986 is blocked by Windows Defender Firewall.
C. The HTTPS listener uses an expired certificate.
D. Kerberos delegation is not configured for the workstation.
Best answer: C
Explanation: WinRM over HTTPS depends on the certificate bound to the HTTPS listener. The network path is not the main issue because TCP 5986 connects and the firewall rule is enabled. The listener thumbprint points to a certificate whose NotAfter date is January 10, 2026, while the server date is February 20, 2026. That causes TLS validation to fail before the session can proceed to normal authorization checks. The administrator should bind the HTTPS listener to a valid server certificate with the correct name and a trusted chain, then retry the remoting connection. HTTP success does not prove that the HTTPS listener certificate is valid.
Topic: Manage Windows Servers and Hybrid Workloads
A Windows Server named SRV1 runs on an on-premises Hyper-V host and is onboarded to Azure Arc. In Azure, SRV1 shows as Connected, and Azure Policy compliance data is reporting. An administrator runs a VM lifecycle command and receives this error:
az vm stop --resource-group RG-Hybrid --name SRV1
ResourceNotFound: The Resource 'Microsoft.Compute/virtualMachines/SRV1'
was not found in resource group 'RG-Hybrid'.
Inventory resource type:
Microsoft.HybridCompute/machines
What is the best root cause?
Options:
A. The administrator lacks Azure VM Contributor permissions.
B. The Connected Machine agent is disconnected.
C. SRV1 is Arc-enabled, not an Azure IaaS VM.
D. Azure Policy blocked the stop operation.
Best answer: C
Explanation: Azure Arc-enabled servers are governed in Azure but are not Azure IaaS virtual machines. The evidence shows SRV1 is connected through Azure Arc because its resource type is Microsoft.HybridCompute/machines, and policy compliance is reporting. Azure Arc can provide governance and management capabilities such as policy, monitoring, extensions, and update management, but it does not make an on-premises server manageable through Azure VM lifecycle operations such as az vm stop, resize, or managed disk attachment. Those commands target Microsoft.Compute/virtualMachines resources. The key diagnostic clue is the provider mismatch, not server health.
Microsoft.Compute VM resource.Topic: Manage Windows Servers and Hybrid Workloads
A company manages domain-joined Windows Server 2022 servers in an on-premises datacenter and Azure. Help desk operators must view events, restart services, and manage local firewall rules through a browser. The design must avoid routine interactive desktop sign-ins and should support delegated administration from a central entry point. Which remote management method is the best design fit?
Options:
A. RDP to each server
B. Windows Admin Center gateway
C. SSH to each server
D. PowerShell remoting sessions
Best answer: B
Explanation: Windows Admin Center is the best fit when administrators need a central, browser-based management experience for Windows Server tasks such as viewing events, managing services, configuring firewall rules, and handling storage or roles. A gateway deployment lets operators connect through one controlled entry point while the gateway manages target servers using Windows management protocols. It also better supports delegated, task-focused administration than giving help desk users full interactive desktop access. PowerShell remoting is excellent for scripted and command-line administration, but it does not provide the requested browser-based console. RDP is broader than needed and increases reliance on desktop sign-ins. SSH can be useful for command-line access, but it is not the primary fit for graphical Windows Server administration tasks.
Topic: Manage Windows Servers and Hybrid Workloads
An administrator onboarded an on-premises Windows Server to Azure Arc by using the generated installation script. The Azure resource was created, but Azure Arc shows the machine as Offline. On the server, the Azure Connected Machine Agent service is running.
Log excerpt:
azcmagent: Agent Status: Disconnected
himds: last successful heartbeat: 09:15
error: cannot reach gbl.his.arc.azure.com over TCP 443
proxy: not configured
What is the best next diagnostic action?
Options:
A. Restart the AD DS Netlogon service
B. Run azcmagent check on the server
C. Force Microsoft Entra Connect synchronization
D. Reinstall the Azure VM Agent
Best answer: B
Explanation: The evidence points to an Azure Connected Machine Agent connectivity problem, not an identity sync or domain service issue. The agent is installed and its service is running, but the heartbeat fails because the server cannot reach an Azure Arc service endpoint over TCP 443. The best diagnostic step is to run azcmagent check locally to validate required network access, proxy configuration, and endpoint reachability for Azure Arc. If the check fails, investigate firewall, proxy, or DNS rules for the required Azure Arc endpoints before reinstalling anything. A running service with a disconnected status usually means the agent cannot communicate with Azure, not that the server needs the Azure VM Agent.
Topic: Manage Windows Servers and Hybrid Workloads
A company wants to onboard an on-premises Windows Server 2022 file server to Azure Arc. The server is domain-joined, is not an Azure VM, cannot allow inbound management ports, and must use the corporate HTTP proxy for outbound Internet access. You must validate that the server appears as a connected Arc-enabled server before applying Azure Policy. Which configuration should you use?
Options:
A. Install the Azure VM Agent and enable guest configuration extensions.
B. Install the Microsoft Monitoring Agent and connect it to Log Analytics.
C. Install the Azure Connected Machine Agent, configure its proxy, and run azcmagent show.
D. Register the server with Microsoft Entra Connect Sync.
Best answer: C
Explanation: Azure Arc-enabled servers require the Azure Connected Machine Agent on non-Azure machines. For an on-premises Windows Server behind a proxy, the agent must be installed and configured to use the proxy for outbound HTTPS connectivity to Azure. After onboarding, azcmagent show is the direct validation method because it reports the agent state, connected Azure resource, tenant, subscription, and connectivity status. No inbound management port is required for Azure Arc onboarding because the agent initiates outbound communication. Installing monitoring or identity synchronization components may support adjacent scenarios, but they do not create the Arc-enabled server resource needed for Azure Policy governance.
Topic: Manage Windows Servers and Hybrid Workloads
You manage 60 on-premises Windows Server 2022 servers that are onboarded to Azure Arc. The servers are in multiple untrusted AD DS forests, and you need a single Azure-based compliance view. A required Windows service must remain running and be automatically corrected if an administrator changes it. Which configuration should you use?
Options:
A. Assign an Azure Policy Modify definition to the Arc resources
B. Assign an Azure Machine Configuration policy with auto-correction
C. Link a domain Group Policy Object in each forest
D. Create an Azure Update Manager maintenance configuration
Best answer: B
Explanation: Azure Machine Configuration is the Azure Policy-integrated mechanism for auditing and enforcing settings inside the operating system of Azure Arc-enabled servers. In this scenario, the requirement is not just to manage Azure resource properties; it is to keep a Windows Server service in the required state, report compliance centrally in Azure, and correct drift. A Machine Configuration assignment, typically deployed through an Azure Policy definition or initiative, can target the Arc-enabled servers and use an enforcement mode such as auto-correction when supported by the configuration package.
Group Policy can configure Windows settings, but it does not meet the single Azure-based governance requirement across untrusted forests. Standard Azure Policy effects such as Modify operate on Azure resource properties, not Windows service state inside the guest OS.
Topic: Manage Windows Servers and Hybrid Workloads
An on-premises Windows Server 2022 server is onboarded to Azure Arc. Azure Policy machine-configuration assignments remain in a NotStarted state, and no extensions can be installed. Direct internet access is prohibited; all outbound traffic must use the corporate proxy.
Exhibit:
azcmagent show
Agent Status: Connected
Using HTTPS proxy: not configured
Extension service: unreachable
Machine configuration service: unreachable
Extension status
Message: Failed to connect to Azure Arc extension endpoint on TCP 443
Which configuration should you apply?
Options:
A. Enable Azure Update Manager periodic assessment
B. Install Microsoft Entra Connect Sync on the server
C. Configure the Azure Connected Machine Agent proxy settings
D. Reassign the Azure Policy initiative to the resource group
Best answer: C
Explanation: Azure Arc extensions and Azure Policy machine configuration depend on the Azure Connected Machine Agent services reaching Azure Arc endpoints over HTTPS. In this scenario, policy assignment exists but extension and machine-configuration services are unreachable, and the agent has no HTTPS proxy configured. Because direct internet access is prohibited, the appropriate fix is to configure the Connected Machine Agent to use the corporate proxy and ensure the proxy permits the required Azure Arc extension and machine-configuration traffic on TCP 443.
Reassigning policy does not fix service connectivity. Update Manager and Entra Connect address neighboring management or identity tasks, not Arc extension transport.
Topic: Manage Windows Servers and Hybrid Workloads
A company has 120 Windows Server machines in its datacenter that are already Azure Arc-enabled. You need to collect Windows event logs and performance counters in Azure Monitor. The solution must apply automatically to newly onboarded Arc servers and avoid the legacy Log Analytics agent. Which configuration should you use?
Options:
A. Create an Azure Update Manager maintenance configuration
B. Install the legacy Log Analytics agent by using Group Policy
C. Assign Azure Policy to deploy the Azure Monitor Agent extension and DCR association
D. Configure diagnostic settings on the Arc server resource
Best answer: C
Explanation: Azure Arc-enabled servers can use Azure VM extensions to integrate on-premises Windows Server machines with Azure services. For Azure Monitor guest data collection, the modern approach is the Azure Monitor Agent extension plus a data collection rule (DCR) that defines which logs and counters to collect. Assigning Azure Policy is appropriate when the configuration must be enforced centrally and applied to future Arc-enabled servers automatically. This keeps the deployment hybrid-aware without moving the servers to Azure or relying on manual installs. Diagnostic settings and update configurations solve different problems, while the legacy Log Analytics agent does not meet the stated constraint.
Use the Microsoft AZ-802 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try Microsoft AZ-802 on Web View Microsoft AZ-802 Practice Test
Read the Microsoft AZ-802 Cheat Sheet for compact concept review before returning to timed practice.