- (Exam Topic 2)
You need to recommend a solution for securing the landing zones. The solution must meet the landing zone requirements and the business requirements.
What should you configure for each landing zone?

1. A. Azure DDoS Protection Standard
2. B. an Azure Private DNS zone
3. C. Microsoft Defender for Cloud
4. D. an ExpressRoute gateway

Correct Answer: D
One of the stipulations is to meet the business requirements of minimizing costs. ExpressRoute is expensive. Given the landing zone requirements of
1) "Use a DNS namespace of litware.com"
2) "Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints"

- (Exam Topic 3)
Your company has a Microsoft 365 E5 subscription.
Users use Microsoft Teams, Exchange Online, SharePoint Online, and OneDrive for sharing and collaborating. The company identifies protected health information (PHI) within stored documents and communications. What should you recommend using to prevent the PHI from being shared outside the company?

1. A. insider risk management policies
2. B. data loss prevention (DLP) policies
3. C. sensitivity label policies
4. D. retention policies

Correct Answer: B
https://docs.microsoft.com/en-us/microsoft-365/compliance/create-test-tune-dlp-policy?view=o365-worldwide

- (Exam Topic 3)
You have a customer that has a Microsoft 365 subscription and an Azure subscription.
The customer has devices that run either Windows, iOS, Android, or macOS. The Windows devices are deployed on-premises and in Azure.
You need to design a security solution to assess whether all the devices meet the customer's compliance rules. What should you include in the solution?

1. A. Microsoft Information Protection
2. B. Microsoft Defender for Endpoint
3. C. Microsoft Sentinel
4. D. Microsoft Endpoint Manager

Correct Answer: D
https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#open-the-compliance-dashboa

- (Exam Topic 3)
Your company has devices that run either Windows 10, Windows 11, or Windows Server. You are in the process of improving the security posture of the devices.
You plan to use security baselines from the Microsoft Security Compliance Toolkit.
What should you recommend using to compare the baselines to the current device configurations?

1. A. Microsoft Intune
2. B. Policy Analyzer
3. C. Local Group Policy Object (LGPO)
4. D. Windows Autopilot

Correct Answer: B
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework

- (Exam Topic 3)
A customer is deploying Docker images to 10 Azure Kubernetes Service (AKS) resources across four Azure subscriptions. You are evaluating the security posture of the customer.
You discover that the AKS resources are excluded from the secure score recommendations. You need to produce accurate recommendations and update the secure score.
Which two actions should you recommend in Microsoft Defender for Cloud? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

1. A. Configure auto provisioning.
2. B. Assign regulatory compliance policies.
3. C. Review the inventory.
4. D. Add a workflow automation.
5. E. Enable Defender plans.

Correct Answer: AE
https://docs.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation