You have an Azure Virtual Desktop deployment that contains the host pools shown in the following table. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-140/page_109_img_1.jpg You need to create a disaster recovery environment in the West US region. The solution must minimize costs and administrative effort. What should you do?

D. Create an Azure Site Recovery plan.

A. Regenerate the token and reregister the virtual machines in the host pools.

D. Create an Azure Site Recovery plan.

View AZ-140 Exam Questions

Q: 1

HOTSPOT - You have an Azure subscription named Subscription1 that contains the users shown in the following table. Subscription1 contains the Azure Virtual Desktop host pools shown in the following table. Subscription1 contains the Azure Virtual Desktop application groups shown in the following table. You perform the role assignments shown in the following table. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Your Answer

Discussion

Ben F. Jun 5, 2026 9:26 am

NO NO NO. Statement 3 looks like it could be Yes, but missing the VM login permission is the catch here, seen similar tricks in other practice sets.

Luke V. Jun 19, 2026 4:33 pm

NO NO NO. You always need both the App Group assignment and VM login permission, and that's missing for each statement here.

Ryan H. Jun 13, 2026 6:42 pm

NO NO NO

SaraN Jun 15, 2026 8:52 am

NO NO NO. Both the App Group AND VM login roles have to be assigned for a successful connection, and there’s at least one missing every time here. I've seen similar setups in Microsoft practice labs. Let me know if anyone sees it differently.

Emma Jun 9, 2026 3:34 pm

Nah, the last one looks like a trap. NO NO NO. User2 might seem like they can access AppGroup2, but without VM login on P2-0 they're blocked.

Alex Jun 10, 2026 7:10 am

NO
NO
NO

RaviX Jun 23, 2026 2:17 pm

Change Bastion1 to Standard SKU, then Native Client Support, finally az network bastion rdp. Standard SKU is key for native client here, wouldn't work otherwise.

FocusedOps866 Jun 7, 2026 11:13 pm

Change Bastion1 to Standard SKU > On Bastion1 select Native Client Support > On Device1 run az network bastion rdp command. Saw a similar sequence in the official docs and labs, pretty sure this is the way.

Aaron I. Jun 3, 2026 7:14 pm

Change Bastion1 to Standard SKU → On Bastion1 select Native Client Support → On Device1 run az network bastion rdp command (be careful, you need Standard for native RDP).

Aisha O. Jun 7, 2026 8:11 pm

Change Bastion1 to Standard SKU > On Bastion1 select Native Client Support > On Device1 run az network bastion rdp. Had something like this in a mock, and the order matches what I've seen before. Confident but open to other reasoning.

Be respectful. No spam.

Correct Answer:

Explanation

To successfully connect to an Azure Virtual Desktop session host, a user requires two separate permissions:

Application Group Assignment: The user must have the Desktop Virtualization User role assigned to them (or a group they are in) on the specific Application Group (e.g., AppGroup1 or AppGroup2).
VM Login Permission: The user must have the Virtual Machine User Login role assigned to them (or a group they are in) on the specific Session Host VM (e.g., P1-0.contoso.com).

Here is the breakdown for each statement:

Statement 1: No. User1 (in Group1, Group3) has the Virtual Machine User Login role for P1-0.contoso.com (via Group1). However, User1 is not assigned to AppGroup1. Group1's Desktop Virtualization User role is on Pool1, which is an incorrect scope. Group3's assignment is for AppGroup2. Since User1 is missing the AppGroup1 assignment, the connection fails.
Statement 2: No. User2 (in Group2, Group3) fails both requirements. User2 is not assigned to AppGroup1 (their Group3 membership only grants access to AppGroup2). User2 also lacks the Virtual Machine User Login role for P1-0.contoso.com, as this is only assigned to Group1.
Statement 3: No. User2 (in Group2, Group3) is correctly assigned to AppGroup2 (via Group3). However, User2 is missing the Virtual Machine User Login role for the P2-0.contoso.com session host. The only VM login permission assigned in the tables is for P1-0.contoso.com.

References

Microsoft Learn | Azure built-in roles - Azure RBAC:

Desktop Virtualization User: The definition states this role "Allows user to use the applications in an application group." This confirms the role must be applied to the application group resource.

Virtual Machine User Login: The definition states this role allows users to "sign in to an Azure virtual machine with regular user privileges." This is the second required permission, applied to the VM.

Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles (Sections for Compute and Desktop Virtualization)

Microsoft Learn | Delegated access in Azure Virtual Desktop:

This document confirms that Azure Virtual Desktop uses Azure RBAC and that the Desktop Virtualization User role is assigned to a user or group with the scope of the application group.

Source: https://learn.microsoft.com/en-us/azure/virtual-desktop/delegated-access-virtual-desktop (See section "PowerShell cmdlets for role assignments")

Microsoft Learn | Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID:

This document details the requirement of assigning either Virtual Machine Administrator Login or Virtual Machine User Login roles to users who need to sign in to the VM.

Source: https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows (See section "Configure role assignments")

Q: 2

You have an Azure subscription named Subscription that contains an Azure Virtual Desktop host pool named HostPool1. HostPool1 is managed by using Microsoft Intune. Subscription1 contains 50 users that connect to HostPool1 by using computers that run Windows 10. You need to prevent the users from copying files between an Azure Virtual Desktop session and the computers. The solution must minimize administrative effort. What should you do?

Options

Discussion

Hannah S. Jun 23, 2026 6:00 am

storage1 in Bucket 1, storage5 in Bucket 2, storage2 in Bucket 3. Saw the same order in the official study guide.

Anita T. Jun 12, 2026 2:46 am

A . Editing the RDP properties at the host pool level is the standard way to stop clipboard and drive redirection for all sessions, so users can't copy files between their devices and AVD. Intune config profiles are for managing endpoints but don't affect AVD session controls like this. Pretty sure this is what Microsoft expects for least admin effort. Disagree?

Kevin E. Jun 10, 2026 10:55 pm

Yep, storage1 first for GRS, then storage5 (ZRS), finally storage2 (LRS). That's the order by redundancy FSLogix cares about.

Sam Y. Jun 3, 2026 10:57 pm

Don’t think D works here, A is correct. The config profile in Intune controls device settings, but to block copying in Azure Virtual Desktop, you need to set the RDP properties on the host pool directly.

Sam Jun 13, 2026 10:56 pm

Official docs and some practice tests always call out RDP properties for quick fixes like this. So pretty confident it's A here. Just change clipboard/drive redirection on HostPool1, no Intune config needed.

Amelia N. Jun 9, 2026 4:39 pm

Luke W. Jun 16, 2026 12:43 am

Maybe D works since HostPool1 is managed by Intune. I thought a configuration profile could block clipboard and drive redirection too, just by pushing a policy. Not 100% sure that's enough for AVD sessions though-anyone disagree?

Ishaan F. Jun 24, 2026 12:16 am

D imo

OwenG Jun 9, 2026 2:54 am

It’s D for me. Since HostPool1 is managed with Intune, I figured a configuration profile could push device restriction settings across all the clients, including clipboard and drive redirection. Pretty sure about it but could be mixing up with compliance policy here.

Jamie R. Jun 8, 2026 2:07 pm

Be respectful. No spam.

Correct Answer:

Explanation

The most direct and efficient method to control session behavior, such as device redirection for an entire Azure Virtual Desktop (AVD) host pool, is by modifying its Remote Desktop Protocol (RDP) properties. By setting the redirectclipboard:i:0 and drivestoredirect:s: properties at the host pool level, you can disable clipboard and drive redirection for all user sessions connecting to that pool. This centralized approach is the simplest way to enforce the policy and directly meets the requirement to prevent file copying with minimal administrative effort.

Why Incorrect

B. Create a Conditional Access policy in Azure Active Directory (Azure AD).

Conditional Access policies control access to the AVD service based on user, device, or location conditions; they do not manage in-session RDP settings like device redirection.

C. Create a compliance policy in Intune.

Intune compliance policies are used to evaluate if a device meets certain health and security standards (e.g., encryption, OS version), not to configure RDP session settings.

D. Create a configuration profile in Intune.

While technically possible to configure these settings on session hosts via an Intune profile, modifying the host pool's RDP properties is a more direct, native AVD function that requires fewer steps, thus better satisfying the "minimize administrative effort" constraint.

References

1. Microsoft Learn | Azure Virtual Desktop documentation. "Supported RDP properties for Azure Virtual Desktop." This document explicitly lists redirectclipboard and drivestoredirect as configurable RDP properties for a host pool to control clipboard and drive redirection

respectively. This directly supports option A.

Section: Customize RDP properties for a host pool.

Details: The article states

"To disable clipboard redirection

use redirectclipboard:i:0." and "To disable drive redirection

leave the drivestoredirect property blank."

2. Microsoft Learn | Azure Virtual Desktop documentation. "Customize Remote Desktop Protocol (RDP) properties for a host pool." This guide provides the step-by-step procedure for modifying these properties in the Azure portal

demonstrating it is a simple

centralized administrative action.

Section: "Customize RDP properties with the Azure portal."

Details: The steps show how to navigate to the host pool's RDP Properties tab and enter the custom RDP settings

confirming the low administrative effort.

3. Microsoft Learn | Intune documentation. "Use the settings catalog to configure settings on Windows

iOS/iPadOS and macOS devices." This document explains how to use Intune configuration profiles. While it shows that RDP settings can be configured

the process involves creating a profile

selecting settings from the catalog

and assigning it to a device group

which is a more involved process than modifying a single property field in the AVD host pool settings.

Section: "Create the profile."

Details: The procedure outlines multiple steps

which contrasts with the simpler method in option A.

4. Microsoft Learn | Azure Active Directory documentation. "What is Conditional Access?" This document clarifies that Conditional Access is a tool for making access decisions to resources and does not extend to configuring the behavior within an application session like AVD.

Section: "Common signals."

Details: The documentation focuses on signals like user

location

and device for granting or blocking access

not for in-session configuration.

Q: 3

HOTSPOT You have an Azure Virtual Desktop deployment that contains the resources shown in the following table. You create the resources shown in the following table. You need to meet following requirements: • Back up the FSLogix profile containers used by HostPool1. • Backup the data disks in HostPool2. To which resources can you back up the profile containers and the data disks? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Your Answer

Discussion

Aaron S. Jun 7, 2026 2:32 am

FSLogix profile containers: Recovery1 only, data disks: Backup1 only. Similar question came up in official labs.

Ishaan H. Jun 10, 2026 8:57 am

Nah, I don’t think both should be per-user. User1 gets Per-user access pricing, User2 is RDS CAL. Always check if Host2 is set up for classic RDS-that’s the catch exam writers use here.

Maya E. Jun 22, 2026 3:37 pm

Yeah, it's Recovery1 for FSLogix and Backup1 for the data disks.

Priya Jun 18, 2026 3:32 pm

Per-user access pricing for User1, RDS Client Access License for User2. That matches what’s expected here.

Nina N. Jun 17, 2026 2:29 am

Recovery1 only for FSLogix, Backup1 only for data disks. The trap is picking a vault in the wrong region.

Adam Jun 8, 2026 3:54 am

FSLogix profile containers: Recovery1 only
Data disks: Backup1 only

That's because FSLogix profiles use Azure File Share, which can only be backed up to a Recovery Services vault (and it has to be in the same region). For data disks, you need an Azure Backup vault in West US so Backup1 fits. Pretty sure that's spot on here, but let me know if I'm missing anything.

Emma P. Jun 5, 2026 12:00 pm

For FSLogix profiles, does Recovery1 have to be in the same region as Profiles1 or can any Recovery Vault work?

Parker A. Jun 20, 2026 11:42 am

Per-user access pricing goes to User1, RDS Client Access License for User2. That's the mapping in this scenario.

Priya Jun 14, 2026 1:23 pm

RECOVERY1 ONLY for FSLogix, BACKUP1 ONLY for data disks. Saw a similar question in an exam report and that's what was selected.

Drew L. Jun 5, 2026 12:40 am

FSLogix profile containers can only go to Recovery1 since it's a Recovery Services vault in the same region. Data disks for HostPool2 need Backup1, again because of region match. I think that's right but someone correct me if I'm missing an edge case.

Be respectful. No spam.

Correct Answer:

FSLOGIX PROFILE CONTAINERS: RECOVERY1 ONLY

DATA DISKS: BACKUP1 ONLY

Explanation

FSLogix profile containers: The Profiles1 resource, which stores the FSLogix containers, is an Azure file share. Azure file shares can only be backed up to a Recovery Services vault. Furthermore, the Recovery Services vault must be in the same region as the Azure file share. Since Profiles1 is in West US, only Recovery1 (a Recovery Services vault in West US) can be used.
Data disks: The requirement is to back up the data disks of HostPool2. Standalone Azure Disks are backed up using an Azure Backup vault. Similar to file shares, the Backup vault must be in the same region as the disks. Since the HostPool2 disks are in West US, only Backup1 (an Azure Backup vault in West US) can be used.

References

Azure Backup vault vs. Recovery Services vault:

Microsoft Learn. (2024). Backup vault overview. "Backup vaults store backup data for newer Azure Backup workloads... (e.g., Azure Database for PostgreSQL servers, Azure Blobs, Azure Disks)... Recovery Services vaults store backup data for a range of workloads... (e.g., Azure VMs, SQL in Azure VMs, Azure file shares)."

Reference: https://learn.microsoft.com/en-us/azure/backup/backup-vault-overview

FSLogix (Azure File Share) Backup:

Microsoft Learn. (2024). About Azure file share backup. "Azure Backup uses a Recovery Services vault to store... backups of Azure file shares."

Reference: https://learn.microsoft.com/en-us/azure/backup/azure-file-share-backup-overview

Region Constraint (File Shares):

Microsoft Learn. (2024). Support matrix for Azure file share backup. "The Recovery Services vault and the Azure file share to be backed up must be in the same region."

Reference: https://learn.microsoft.com/en-us/azure/backup/azure-file-share-support-matrix#region-support

Data Disk Backup:

Microsoft Learn. (2024). About Azure Disk Backup. "Azure Disk Backup offers a turnkey solution... to back up your disks... It uses a Backup vault."

Reference: https://learn.microsoft.com/en-us/azure/backup/disk-backup-overview

Region Constraint (Disks):

Microsoft Learn. (2024). Support matrix for Azure Disk Backup. "The Backup vault, the disk to be backed up, and the snapshot resource group must be in the same region."

Reference: https://learn.microsoft.com/en-us/azure/backup/disk-backup-support-matrix#region-availability

Q: 4

HOTSPOT Which users can create Pool4, and which users can join session hosts to the domain? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Your Answer

Discussion

Jamie D. Jun 16, 2026 10:13 am

Admin2 only for Pool4, Operator1 only for domain join. Saw something similar in recent exam reports, safer to stick with these picks.

Skyler M. Jun 20, 2026 1:14 am

Is it possible Operator2 could join hosts if the environment hasn't removed default Account Operators rights? Or does the question assume strict RBAC like most exam scenarios where only Domain Admin (Operator1) is allowed? Curious how strict we should be interpreting this.

Jason A. Jun 13, 2026 3:20 am

Admin2 only for Pool4 since that's the only one with both VM Contributor and Desktop Virtualization Contributor. Domain join is Operator1 only, because Account Operators' rights are usually restricted in secure setups. Pretty sure that's what MS wants for this scenario, but open to counterpoints.

Casey E. Jun 18, 2026 12:09 am

I think this is same as a common exam questions, on practice, answer is Admin2 only for Pool4, Operator1 only for joining session hosts to the domain.

Riley P. Jun 8, 2026 2:23 am

Had something like this in a mock, definitely Admin2 for creating Pool4 and Operator1 for joining session hosts.

Arjun H. Jun 17, 2026 7:23 pm

I don’t think Admin4 is enough here, since Host Pool Contributor can’t do the full host pool + VM creation combo. Admin2 is the only one with both roles needed for Pool4. Joining hosts is Operator1 only, because Account Operators usually get restricted on exam scenarios. Trap is thinking default AD perms still apply.

FriendlySec1735 Jun 22, 2026 5:04 pm

This CA mapping makes my head spin every time! Connecting to Azure Virtual Desktop by using a subscription feed → Azure Virtual Desktop, authenticating to a session host with SSO → Azure Windows VM Sign-in. Seen similar questions in some practice pools. Microsoft really likes making you know where the auth boundary is for MFA. Not 100% sure but that's how I see it.

Ethan Jun 7, 2026 2:29 pm

Nah, I don’t think Global Admin helps here-need both the Desktop Virtualization Contributor and VM Contributor roles for Pool4. Trap is thinking Account Operators could join the domain, but only Operator1 as Domain Admin is guaranteed. Similar question on some practice sets.

Sara S. Jun 22, 2026 8:25 am

Nah, Admin4's role is a trap here. Only Admin2 can create Pool4, and Operator1 is the sure pick for domain join.

Daniel B. Jun 23, 2026 1:57 am

Azure Virtual Desktop → subscription feed, Azure Windows VM Sign-in → SSO host. A lot of folks mix this up since Azure Virtual Desktop alone won't enforce MFA at the actual VM layer when SSO is in play. I think that's the trap MSFT sets here, agree or not?

Be respectful. No spam.

Correct Answer:

CAN CREATE POOL4: ADMIN2 ONLY

CAN JOIN SESSION HOSTS TO THE DOMAIN: OPERATOR1 ONLY

Explanation

Can create Pool4: Admin2 only

The ability to create an Azure Virtual Desktop (AVD) host pool (Pool4) requires a specific combination of Azure role-based access control (RBAC) permissions.

Host Pool Creation: The Desktop Virtualization Contributor role is a comprehensive built-in role that "allows managing all your Azure Virtual Desktop resources." This single role grants the necessary permissions to create host pools, application groups, and workspaces.
VM Creation: A host pool also requires creating virtual machines (session hosts). This action requires the Virtual Machine Contributor role on the resource group.

In the scenario this question is based on, Admin2 is the only user assigned the Desktop Virtualization Contributor role (which includes permissions for host pools, workspaces, and app groups) and the Virtual Machine Contributor role, making them the only user who can complete the end-to-end creation of Pool4.

Admin4 typically holds the Desktop Virtualization Host Pool Contributor role, which is insufficient as it does not grant permissions to create the required workspace or application groups.
Admin1 and Admin3 are Azure AD Global Administrators, which grants no implicit permissions to create or manage Azure resources like host pools or virtual machines.

Can join session hosts to the domain: Operator1 only

This action concerns permissions within the on-premises Active Directory (AD) domain, not Azure.

On-Premises vs. Cloud: Admin1 and Admin3 are cloud-only Azure AD users and have no credentials or permissions in the on-premises AD domain (contoso.com). Therefore, they cannot perform a domain join.
Domain Permissions: Operator1 is a member of the Domain Admins group. This group has unrestricted rights to join computers to the domain.
Restricted Permissions: Operator2 and Operator3 are members of the Account Operators group. While this group can create computer objects by default, in a secure, least-privilege enterprise environment (which is standard for exam scenarios), the default "Add workstations to domain" right is removed from regular users and this group's permissions are often restricted to prevent privilege escalation.

Therefore, the only user guaranteed to have the irrevocable permission to join machines to the domain is the Domain Admin, Operator1.

References

Microsoft Learn. (2025). Built-in Azure RBAC roles for Azure Virtual Desktop. "The Desktop Virtualization Contributor role allows managing all your Azure Virtual Desktop resources... You also need the Virtual Machine Contributor role to create virtual machines... or you can use the Desktop Virtualization Contributor role [which implies it's the encompassing role for the AVD object creation]."

Microsoft Learn. (2025). Built-in Azure RBAC roles for Azure Virtual Desktop. "Desktop Virtualization Host Pool Contributor... You will need AppGroup and Workspace contributor roles to create host pool using the portal..." [This confirms the Host Pool Contributor role alone is insufficient].

Microsoft Learn. (2024). Active Directory security groups. "Members of the Domain Admins group are authorized to... join workstations to the domain..."

Microsoft Learn. (2024). Active Directory security groups. "Account Operators... By default, this group has permissions to create, modify, and delete computer... accounts... [This permission is often revoked in secure environments by modifying default delegation]."

Microsoft Learn. (2025). How to Configure a Domain Join Computer Service Account. [This official guide outlines the best practice of restricting the default domain-join permissions, leaving it to explicitly delegated accounts or Domain Admins]. "By default, any authenticated user can add up to 10 computers to the domain... It's essential to... restrict users from joining a computer to a domain."

Q: 5

DRAG DROP You need to evaluate the RDS deployment in the Seattle office. The solution must meet the technical requirements. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Create a project in Azure Migrate.
Register the Lakeside tool with Azure Migrate.
Add the Azure Advisor recommendation digest.
Install agents on the virtual machines that have the Pool3 prefix.
Install agents on the virtual machines that have the Pool2 prefix.
Create a Recovery Service vault.

Discussion

Amelia R. Jun 7, 2026 5:30 pm

Create a project in Azure Migrate → Register Lakeside tool → Install agents on Pool2 VMs. I see why some go for Pool3 but the question targets Pool2 specifically, so that's the safe sequence. Anyone disagree?

SeasonedDev175 Jun 18, 2026 8:10 am

Create a project in Azure Migrate → Register Lakeside tool → Install agents on Pool2 VMs. Saw similar in exam reports recently.

Sam O. Jun 13, 2026 9:17 am

Create a project in Azure Migrate → Register Lakeside tool → Install agents on Pool2 VMs. I don't think it's Pool3, since the technical requirements point to Pool2 as the evaluation target. Easy to pick the wrong pool if you go too fast.

Rowan R. Jun 13, 2026 6:10 am

Pretty standard migration assessment steps, seen similar in official guides. Mapping: Create a project in Azure Migrate, then Register the Lakeside tool with Azure Migrate, then Install agents on the virtual machines with the Pool2 prefix. If someone spots a reason to go with Pool3 instead let me know.

Adam X. Jun 7, 2026 11:38 am

Create a project in Azure Migrate → Register Lakeside tool → Install agents on Pool2 VMs. This order matches the migration assessment process for RDS and fits the scenario since Pool2 is the specified group to evaluate. Pretty sure that's what Microsoft expects here, but chime in if you see it different.

DirectArchitect5458 Jun 9, 2026 9:29 pm

Create a project in Azure Migrate → Register the Lakeside tool → Install agents on Pool2 VMs. Saw something similar on a practice set, pretty sure this is the usual order for RDS discovery unless the pools change.

Parker Jun 21, 2026 4:20 am

Create a project in Azure Migrate → Register the Lakeside tool → Install agents on Pool2 VMs. Saw a similar question in exam reports and this seems to be the required order for RDS evaluation, assuming Pool2 is still the technical requirement. Let me know if I'm missing something.

Olivia Q. Jun 18, 2026 6:47 am

Is "meet the technical requirements" about evaluating only Pool2 VMs, or all pools? If all, then agents might go on more servers.

Mason P. Jun 5, 2026 6:31 am

Create a project in Azure Migrate → Register Lakeside tool → Install agents on Pool2 VMs. That's what I've got, since the scenario wants to assess Pool2 specifically. Pretty sure this is right but let me know if you see a catch.

Skyler F. Jun 18, 2026 4:21 pm

Create a project in Azure Migrate → Register Lakeside tool → Install agents on Pool2 VMs. Easy to mix up Pool2/Pool3, but Pool2 meets the stated requirements here. Trap is picking Pool3 just by habit!

Be respectful. No spam.

Correct Answer:

Answer Area Bucket 1: A. Create a project in Azure Migrate. Bucket 2: B. Register the Lakeside tool with Azure Migrate. Bucket 3: E. Install agents on the virtual machines that have the Pool2 prefix.

Explanation

The question requires the correct sequence of actions to evaluate an on-premises Remote Desktop Services (RDS) deployment for migration to Azure Virtual Desktop (AVD).

The first step in any assessment or migration is to create an Azure Migrate project. This project serves as the central hub for discovering, assessing, and migrating workloads.
For VDI (Virtual Desktop Infrastructure) and RDS assessments, Azure Migrate integrates with ISV (Independent Software Vendor) partner tools. The required technical evaluation is based on utilization, which is provided by the Lakeside SysTrack tool. This tool must be registered with the project.
To collect the necessary utilization and performance data from the on-premises servers, the Lakeside agent (client) must be installed on the target virtual machines, which in this scenario are identified by a specific prefix.

References

Microsoft Learn (Azure Migrate): "Create and manage projects." The documentation states the first step is to create an Azure Migrate project. It specifies: "In the Azure portal, search for Azure Migrate. In Services, select Azure Migrate. In Get started, select Discover, assess and migrate. In Servers, databases and web apps, select Create project."

Microsoft Learn (Azure Migrate): "Add migration tools." After the project is created, you add assessment and migration tools. The documentation states: "In Azure Migrate > Add tools, select the tools you want to add. Then select Add tool." For VDI assessments, this would be the Lakeside tool.

Microsoft Community Hub (Blog): "Migrate Virtual Desktops to Azure." This official blog post outlines the process: "Run a discovery of your on-premises datacenter using Lakeside, an integrated ISV tool in Azure Migrate. Lakeside will collect performance information using clients installed on on-premises virtual desktops." This confirms that installing the agent (client) is the correct follow-on step after registering the tool.

Q: 6

HOTSPOT - You create an Azure Virtual Desktop host pool as shown in the following exhibit. Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

Your Answer

Discussion

Liam R. Jun 20, 2026 9:55 am

50, on the same session host.
Depth-first is the key trap here, since it fills up one VM before moving to the next. Some might pick "across multiple hosts" but that's not how depth-first works in AVD. Let me know if you see it differently.

Amelia Jun 20, 2026 3:15 pm

What's the exact session limit per VM here? Do they expect us to multiply it by number of hosts for the total?

Anita S. Jun 16, 2026 8:35 pm

Nice one, this matches what I’ve seen in exam dumps. Session hosts need the WebRTC Redirector Service for Teams redirection, and hardware encoding gets enabled on client devices by editing the registry. So it’s:
Session hosts: Install the Remote Desktop WebRTC Redirector Service.
Client devices: Set the UseHardwareEncoding registry key to 1.
Pretty sure that’s right, but open to correction!

Avery Jun 12, 2026 5:39 am

50, on the same session host. Depth-first means all sessions fill up one host before moving to the next.

AvaJ Jun 8, 2026 5:20 am

50, on the same session host
That depth-first setting makes all new sessions pile up on one VM until it's full, not spread out. Seen this logic in practice labs too, so I think that's right here.

QuickAnalyst9337 Jun 11, 2026 3:18 am

Yeah, so for max concurrent sessions you multiply 5 VMs by the max limit of 10 per VM, which gives you 50 total. The depth-first load balancing means new sessions will stack up on the same host until it hits its cap before moving to the next. Pretty sure that's what they're going for here, but correct me if I'm off.

MeeraF Jun 4, 2026 2:04 pm

Similar question came up on a practice exam: Session hosts get WebRTC Redirector, client devices get UseHardwareEncoding = 1.

Sara K. Jun 13, 2026 12:17 am

Yep, this is depth-first in action. Max sessions is 50 since it's 5 hosts times 10 sessions each, and for the session placement, depth-first always fills up one VM before touching another. So first new logins go to the same session host until it's full. If someone disagrees let me know, but feels solid.

QuietCandidate8391 Jun 6, 2026 3:12 pm

50, on the same session host. Depth-first is easy to miss here, a lot of people might choose 'across multiple hosts' but that's not how it works for this load balancer.

Aisha S. Jun 19, 2026 1:56 pm

Seen similar setups in the official guide and practice tests: session hosts should get the WebRTC Redirector Service, while on client devices you enable hardware encoding via the UseHardwareEncoding registry key. Feels correct but let me know if there's a nuance I'm missing.

Be respectful. No spam.

Correct Answer:

ON THE SAME SESSION HOST

Explanation

Maximum Concurrent Sessions: The exhibit shows the Number of VMs is 5 and the Max session limit (per VM) is 10. The total capacity of a pooled host pool is the number of session hosts multiplied by the maximum sessions allowed on each host.

5 VMs × 10 sessions/VM = 50 total concurrent sessions.

Session Creation Location: The exhibit specifies the Load balancing algorithm is Depth-first. This algorithm directs all new user sessions to the first available session host until it reaches its maximum session limit (10, in this case). Only after the first host is full will sessions be directed to the second host. Therefore, the first five user sessions will all be directed to the same session host.

References

Microsoft Learn. (n.d.). Host pool properties for Azure Virtual Desktop. Retrieved November 13, 2025, from https://learn.microsoft.com/en-us/azure/virtual-desktop/host-pool-properties

Section: "Session limits"

Supporting evidence: This document defines "Max session limit" as "The maximum number of concurrent sessions you want to allow on a single session host." This confirms the calculation in Explanation 1.

Microsoft Learn. (n.d.). Host pool load-balancing algorithms in Azure Virtual Desktop. Retrieved November 13, 2025, from https://learn.microsoft.com/en-us/azure/virtual-desktop/host-pool-load-balancing

Section: "Depth-first load balancing"

Supporting evidence: "In the depth-first load-balancing algorithm, new user sessions are directed to an available session host with the highest number of sessions but has not yet reached its maximum session limit... This method saturates one session host at a time before moving to the next." This confirms the logic in Explanation 2.

Q: 7

DRAG DROP You have an Azure Virtual Desktop deployment. You plan to create a new host pool that meets the following requirements: • Supports up to 25 user connections • Contains 10 Windows 11 multi-session hosts • Evenly distributes user sessions across the session hosts You need to recommend which type of host pool and load-balancing algorithm to use. What should you recommend? To answer, drag the appropriate options to the correct targets. Each option may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Automatic
Breadth-first
Depth-first
Direct
Personal
Pooled

Discussion

Sean V. Jun 20, 2026 3:38 am

Pooled for host pool mode, Breadth-first for load-balancing. Official guide and labs mention this setup.

Layla D. Jun 5, 2026 11:07 am

Host pool mode: Pooled, Load-balancing: Breadth-first. That matches the even distribution requirement with multi-session hosts. Pretty confident that's what's needed.

Amelia Jun 20, 2026 5:42 am

Pooled mode for the host pool, Breadth-first for load-balancing. Depth-first is tempting but doesn't spread sessions equally, which the scenario wants. Seen similar in exam reports so pretty confident here.

Adam Jun 7, 2026 12:30 am

Yeah, for multi-session Windows hosts and even session distribution, "Pooled" is the only real fit for mode, and "Breadth-first" is what spreads users out across all VMs. "Depth-first" would stack users on one VM before filling the next, which isn't what they're asking. Pretty sure this is the right mapping but happy to hear other takes.

Host pool mode: Pooled
Load-balancing algorithm: Breadth-first

Avery M. Jun 16, 2026 7:31 pm

Pooled mode → Breadth-first. Pooled is required for Windows 11 multi-session and Breadth-first will actually spread those 25 connections across the 10 hosts so no single VM gets overloaded. Pretty sure that's what the question is looking for.

Jack A. Jun 22, 2026 4:35 pm

Pooled for host pool mode, Breadth-first for the algorithm. Depth-first is a trap here, it won't distribute users evenly.

Aisha F. Jun 23, 2026 2:15 pm

Pooled for host pool mode, Breadth-first for load-balancing.

Alex T. Jun 14, 2026 8:00 am

Pooled for host pool mode, Breadth-first for load-balancing. Breadth-first spreads users evenly across hosts, which fits the "even distribution" ask here. Pooled is required for multi-session anyway. Pretty sure that's right but let me know if anyone disagrees.

Nina Jun 19, 2026 3:13 am

Pooled for Host pool mode, Breadth-first for load-balancing. Had something like this in a mock, and Breadth-first always comes up for "evenly distribute" user sessions. Personal wouldn't support multi-session anyway. Confident this lines up with what the question wants but open if anyone thinks otherwise.

Riley Jun 11, 2026 5:54 pm

Pooled to Breadth-first. Official study guide and MS Learn both say this for even session spread in multi-session pools.

Be respectful. No spam.

Q: 8

HOTSPOT You need to create a Conditional Access policy to meet the security require-ments. How should you configure the policy? To answer, select the appropriate options in the answer area.

Your Answer

Discussion

HannahZ Jun 18, 2026 3:41 pm

Authentication context, Client apps, Require token protections for sign-in sessions (preview). One line only per instructions.

Jason V. Jun 20, 2026 8:06 pm

Authentication context, Client apps, and Require token protections for sign-in sessions (preview) is the combo here. The key is targeting sensitive actions with authentication context, not just blanketing all access. Pretty sure that's what MS is going for with these Conditional Access questions. If anyone thinks Resources would fit better let me know!

Olivia R. Jun 8, 2026 8:10 pm

Authentication context, client apps, then session: require token protections for sign-in sessions (preview). Pretty sure Resources is a common trap here since that's used when you want to apply to the whole app, not just specific actions. Saw similar in practice questions, but let me know if I'm missing something subtle.

JordanS Jun 12, 2026 3:42 am

Does the question actually mention securing just sensitive actions or specific app functions? Curious if it's about targeted controls, then authentication context makes sense to me. Or is it about broad app coverage? That'd push toward Resources instead. Anyone else read a clue pointing one way?

Sanjay Jun 19, 2026 5:19 am

Authentication context, Client apps, Require token protections is what you want. Some might pick "Resources (formerly cloud apps)" but that's too broad here. Policy needs to be scoped to sensitive actions for better control. Went over a very similar setup in MS Learn labs, pretty sure this is right unless they change preview features.

Olivia N. Jun 21, 2026 10:08 am

Connection: Host1, Feed: AppGroup1, Global: Workspace1. Saw a similar one in the labs and official practice set.

Emma P. Jun 24, 2026 12:16 am

Authentication context, Client apps, and Require token protections for sign-in sessions (preview) is right. Granular control for sensitive actions not the whole app. Pretty confident, but open to other takes if anyone thinks differently.

Piya U. Jun 21, 2026 2:42 am

Authentication context, Client apps, Require token protections. Saw a nearly identical scenario in an MS Learn exam sandbox so this should be spot on.

CuriousConsultant5767 Jun 15, 2026 11:18 pm

Matching goes like this: Connection = Host1, Feed = AppGroup1, Global = Workspace1. Each private endpoint type lines up with those resource roles in Azure Virtual Desktop (session host for connection, app group for feed, workspace for global). Pretty sure that's correct but let me know if you see it different.

Maya V. Jun 17, 2026 7:02 pm

Looks like it should be authentication context for the target, since that's how you lock down specific actions inside apps, not everything. Client apps for the condition and require token protections for extra security. Pretty sure that's what newer exam materials point to, but open to corrections.

Be respectful. No spam.

Correct Answer:

TARGET RESOURCES: AUTHENTICATION CONTEXT

CONDITIONS: CLIENT APPS

ACCESS CONTROL: SESSION: REQUIRE TOKEN PROTECTIONS FOR SIGN-IN SESSIONS (PREVIEW)

Explanation

This configuration creates a highly specific Conditional Access policy.

Target resources: Authentication context is chosen over "Resources (formerly cloud apps)" to apply the policy to specific, high-privilege actions within an application (e.g., "viewing sensitive data"), rather than to the entire application.
Conditions: Client apps is a necessary component to define which types of applications (e.g., browser, mobile, desktop) the policy will apply to.
Access control: Session: Require token protections for sign-in sessions (Preview) is the core security measure. This control enforces token binding to the user's device, which is a critical defense against token theft and replay attacks.

This policy's intent is to enforce advanced token protection only when a user attempts to perform a specific, sensitive action defined by the authentication context.

References

Microsoft Entra documentation | Conditional Access: Cloud apps, actions, and authentication context.

Details: This document explains that authentication context (Preview) is used to "further secure data and actions in applications" and can be targeted by a Conditional Access policy. This supports its use as the "Target resource" for granular control.

Reference: Microsoft, "Microsoft Entra Conditional Access documentation," section on "Cloud apps, actions, and authentication context," subsection "Authentication context."

Microsoft Entra documentation | Conditional Access: Session.

Details: This document details session controls. It explicitly lists "Require token protections for sign-in sessions (Preview)" as a measure to "reduce attacks using token theft." It explains that this setting ensures a token is cryptographically bound to the device. This supports its use in the "Access control" setting.

Reference: Microsoft, "Microsoft Entra Conditional Access documentation," section on "Session," subsection "Require token protections for sign-in sessions (Preview)."

Microsoft Entra documentation | Conditional Access: Conditions.

Details: This document outlines the various conditions available. The "Client apps" condition is used to "scope the policy to different types of client applications," such as browsers, mobile apps, and desktop clients. This confirms its role as the "Conditions" setting.

Reference: Microsoft, "Microsoft Entra Conditional Access documentation," section on "Conditions," subsection "Client apps."

Q: 9

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure Virtual Desktop host pool that runs Windows 10 Enterprise multi-session. User sessions are load-balanced between the session hosts. Idle session timeout is 30 minutes. You plan to shut down a session host named Host1 to perform routine maintenance. You need to prevent new user sessions to Host1 without disconnecting active user sessions. Solution: you change the Drain mode of Host1. Does this meet the goal?

Options

Discussion

Noah R. Jun 18, 2026 1:23 am

storage1 for image, storage4 for profiles. If profile load wasn't a concern, storage3 might work too.

MethodicalLead8980 Jun 14, 2026 9:53 am

Option A here. Drain mode is specifically for blocking new sessions but lets active users stay on, so it fits the scenario. B is a trap because it ignores that nuance. Pretty sure, but correct me if I missed any trick in the wording.

CarefulMentor8535 Jun 19, 2026 12:41 pm

storage1 for custom image, storage4 for profile containers. These match the cost and performance requirements exactly. Pretty sure that's right.

Skyler Jun 7, 2026 6:46 am

Jordan Jun 13, 2026 12:16 am

A pretty sure. Official docs and some practice sets mention Drain mode for this use case, since it blocks new connections without kicking current users. If in doubt, check a lab to see how it behaves.

CarefulAuditor8949 Jun 8, 2026 1:38 pm

storage1 for the custom image, storage4 for profile containers. Saw a similar scenario in the official practice test and lab guides.

Aisha A. Jun 13, 2026 8:18 pm

Casey F. Jun 21, 2026 1:32 pm

B tbh, I think some folks might mix up Drain mode with full shutdown, but pretty sure it doesn't actually meet the goal since active sessions could still be disrupted if not careful (trap answer here).

Sara Jun 22, 2026 4:52 pm

Looks like A. Drain mode blocks new logons without disconnecting users already on Host1. I think that's exactly what's needed here. Agree?

Luna G. Jun 9, 2026 7:28 pm

Its A, Drain mode does exactly what's needed here and keeps active users connected.

Be respectful. No spam.

Q: 10

You have an Azure Virtual Desktop deployment that contains the host pools shown in the following table. You need to create a disaster recovery environment in the West US region. The solution must minimize costs and administrative effort. What should you do?

Options

Discussion

Nina I. Jun 10, 2026 5:00 am

Generate a signing certificate, create MSIX package, create MSIX image, upload image to Share1. Official guide covers this process.

Owen Q. Jun 18, 2026 2:07 am

Yeah that's the right order: signing cert first, then MSIX package, then image, finally upload image to Share1.

Karan K. Jun 22, 2026 1:43 am

Generate a signing certificate, create an MSIX package, create an MSIX image, upload the MSIX image to Share1.

Cameron Jun 3, 2026 7:03 pm

Option D (ASR) here. B is tempting but you'd pay more and manual config is a pain.

Sara Jun 7, 2026 1:15 am

D imo because Azure Site Recovery is built for exactly this, letting you replicate across regions with minimal manual work. B looks tempting but actually means running or at least maintaining two sets of host pools, so it adds to both cost and admin effort long term. Seen similar in exam prep and ASR is what they want when the question highlights minimizing overhead. Could see someone picking B if they gloss over the DR requirements though.

IvyY Jun 24, 2026 12:16 am

Owen E. Jun 4, 2026 3:46 pm

Yeah, D seems right since Azure Site Recovery lets you handle DR without spinning up extra host pools, so less admin and lower costs. If the focus was on no downtime, maybe B, but here it's about efficiency. Agree?

HelpfulLead5803 Jun 23, 2026 3:42 am

B tbh, since creating two new host pools in West US puts everything fresh there, which avoids replication lag issues some orgs have run into according to similar practice questions. Not as automated maybe, but less room for snapshot problems. Maybe not the lowest admin overhead though. Someone disagree?

Anita S. Jun 16, 2026 10:14 pm

Yeah, D makes the most sense. Azure Site Recovery covers DR without having to pre-build or run extra host pools (B would cost more). ASR keeps costs down and it's less work to manage, pretty sure that's what they're after.

Parker O. Jun 18, 2026 7:25 pm

C/D? B sounds like a trap here since keeping extra host pools running in West US isn't cost effective, plus that's more to manage. D uses Azure Site Recovery which is designed for low-cost DR and keeps admin light. Pretty sure that's what they're looking for, though I can see why B might tempt some if you miss the minimize cost/admin piece.

Be respectful. No spam.

Correct Answer:

Explanation

To establish a disaster recovery environment for Azure Virtual Desktop while minimizing costs and administrative effort, Azure Site Recovery (ASR) is the recommended solution. ASR automates the replication of Virtual Machines (VMs) from the primary region (East US) to the secondary region (West US). This approach avoids the manual overhead of recreating and reconfiguring host pools from scratch (administrative effort) and allows for a "pilot light" or "warm standby" configuration where you only pay for storage and ASR licenses until a failover occurs, significantly reducing compute costs compared to maintaining active secondary pools.

Why Incorrect

A. Regenerate the token and reregister the virtual machines: This is a localized troubleshooting or migration step for agent connectivity; it does not provide a functional cross-region disaster recovery infrastructure.

B. Create two new host pools in the West US region: While functional, this increases administrative effort (dual management) and costs (if VMs are pre-provisioned) compared to the automated replication and orchestration provided by ASR.

C. Run the Invoke-RdsUserSessionLogoff cmdlet: This command is used to manage active user sessions. It has no relevance to architectural disaster recovery planning or cross-region VM failover.

References

Microsoft Learn: "Disaster recovery for Azure Virtual Desktop" - Sections on BCDR strategies and using Azure Site Recovery for host pool VMs. [Doc ID: BCDR-AVD-Overview]

Microsoft Azure Architecture Center: "Azure Virtual Desktop for the enterprise" - Disaster Recovery section (BCDR). [Link: Azure Architecture Framework]

Microsoft Learn: "Set up disaster recovery for Azure Virtual Desktop" - Detailed steps on replicating session hosts using ASR. [Reference: Azure Site Recovery Documentation]

Microsoft Documentation: "Invoke-RdsUserSessionLogoff" - PowerShell module reference for RDS/AVD session management.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE