Which server role should you deploy?

Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.

Start of repeated scenario

Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.

The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10.

You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.

You install Windows Defender on Nano1.

End of repeated scenario

You need to ensure that you can deploy a shielded virtual machine to Server4.

Which server role should you deploy?
A . Hyper-V
B . Device Health Attestation
C . Network Controller
D . Host Guardian Service

View Answer

Answer: D

Explanation:

https://blogs.technet.microsoft.com/datacentersecurity/2016/06/06/step-by-step­creating-shielded-vms-withoutvmm/Shielding an existing VMLet’s start with the simpler approach. This requires you to have a running VM on a host which is not theguarded host.This is important to distinguish, because you are simulating the scenario where a tenant wants to take anexisting, unprotected VM and shield it before moving it toa guarded host.For clarity, the host machine which is not the guarded host will be referred as the tenant host below.A shielded VM can only run on a trusted guarded host.The trust is established by the adding the Host Guardian Service server role (retrieved from the HGSserver) to the Key Protector which is used to shieldthe VM.That way, the shielded VM can only be started after the guarded host successfully attest against the HGSserver.In this example, the running VM is named SVM. This VM must be generation 2 and have a supported OSinstalled with remote desktop enabled.You should verify the VM can be connected through RDP first, as it will almost certainly be the primary way toaccess the VM once it is shielded (unless you haveinstalled other remoting capabilities).