Free AZ-140 Practice Questions with Detailed Explanations

Test your Azure Virtual Desktop Specialty readiness with 25 free practice questions covering host pool design, FSLogix, MSIX app attach, identity, scaling plans, and AVD monitoring.

Updated May 2026
AZ-140 Specialty

The AZ-140 (Configuring and Operating Azure Virtual Desktop) is a Specialty exam that tests deep, configuration-level knowledge of the Azure Virtual Desktop platform. Unlike fundamentals exams, AZ-140 expects you to know specific FSLogix registry settings, MSIX app attach lifecycle stages, AVD-specific RBAC roles, scaling plan phase configuration, and which Log Analytics tables contain AVD diagnostic data.

These 25 questions are written to match the real exam's scenario format. Each question describes a specific operational requirement and asks you to select the correct AVD configuration option. Many questions have two very similar-looking answers — one technically correct, one that misses a key AVD constraint.

What You'll Get:

  • 25 scenario-based AVD questions across all 4 AZ-140 domains
  • FSLogix, MSIX, scaling plans — the most-tested technical topics
  • Detailed explanations covering why each option is right or wrong
  • Key concept summaries for the most commonly missed AZ-140 topics

What These Questions Cover

  • AVD Infrastructure (8 questions): Host pools, FSLogix, storage, networking, scaling
  • Identity & Security (6 questions): RBAC, Conditional Access, identity models, screen capture
  • User Environments (6 questions): MSIX app attach, OneDrive, Teams, RemoteApp
  • Monitor & Maintain (5 questions): AVD Insights, scaling plans, drain mode, backup

📝 Practice Test Instructions

  • Each question has ONE best answer — choose the option that satisfies ALL stated requirements
  • AZ-140 questions often hinge on a single configuration detail — read every option completely
  • Note your answers before scrolling to the answer key below
  • Aim to complete all 25 questions in 30 minutes (real exam: 180 minutes for 40–60 questions)

AVD Infrastructure

Questions 1–8

Question 1: Host Pool Type Selection

A financial services company needs to deploy Azure Virtual Desktop for 300 knowledge workers. All users need a full Windows 11 desktop experience. User workloads vary — some run light browser-based apps, others use resource-intensive financial modeling software. Cost optimization is important. Users should not share a desktop session with other users.

Which host pool type and configuration is MOST appropriate?

A) Personal host pool with Windows 11 Enterprise, Automatic assignment type — each user gets a dedicated session host VM they do not share with others
B) Pooled host pool with Windows 11 multi-session OS, breadth-first load balancing
C) Pooled host pool with Windows Server 2022 RDSH, depth-first load balancing
D) Personal host pool with Windows 11 multi-session, Direct assignment type

Question 2: Host Pool Load Balancing

You have a pooled host pool with 10 session hosts and 200 users. During peak hours, all 200 users are active simultaneously. You want to minimize the number of running session host VMs during off-peak hours. You have configured autoscale with a scaling plan. The load balancing algorithm should prioritize filling each VM to capacity before starting the next VM, allowing unused VMs to shut down.

Which load balancing algorithm should be configured for the off-peak phase?

A) Breadth-first — distributes users across all available session hosts equally
B) Round-robin — alternates connections across session hosts in sequence
C) Depth-first — fills one session host to its max session limit before routing new connections to the next host, allowing empty hosts to remain deallocated
D) Least connections — routes to the session host with the fewest active sessions regardless of max limit

Question 3: FSLogix Storage Selection

You are designing FSLogix profile storage for a pooled host pool with 500 concurrent users. The users' applications generate heavy disk I/O for profile operations — estimated peak IOPS requirement is 25,000 IOPS for the profile share. The organization uses an on-premises Active Directory domain synchronized with Microsoft Entra ID. SLA requirements demand 99.99% storage availability.

Which Azure storage option BEST meets all requirements?

A) Azure Files Standard tier (StorageV2) — supports up to 20,000 IOPS per share
B) Azure NetApp Files Ultra tier — supports up to 450,000+ IOPS, AD DS Kerberos authentication, and 99.99% SLA
C) Azure Blob Storage — supports unlimited IOPS at low cost
D) Azure Files Premium tier — supports up to 100,000 IOPS per share for smaller deployments

Question 4: FSLogix Cloud Cache

An organization runs Azure Virtual Desktop in both East US and West US regions for business continuity. FSLogix profiles must be available even if one region's storage becomes completely unavailable. Profile changes made in one region must be available when a user connects from the other region. You need to configure FSLogix to support this multi-region high-availability profile scenario.

Which FSLogix configuration supports multi-region profile HA?

A) Configure VHDLocations pointing to a geo-redundant Azure Files share (GRS) — GRS provides automatic failover
B) Use Azure Site Recovery to replicate FSLogix VHD files between regions automatically
C) Configure VHDLocations with two paths separated by a semicolon — FSLogix will use the second path if the first fails
D) Configure CCDLocations (Cloud Cache) with storage paths to Azure Files shares in both East US and West US — Cloud Cache writes to all locations simultaneously and reads from the first available, providing active-active HA

Question 5: Custom Image and Azure Compute Gallery

Your organization maintains a golden image for AVD session hosts that must be updated monthly with Windows patches, software updates, and corporate tools. The image must be available in 3 Azure regions. Session host VMs should always run the latest approved image version. When a new image version is published, existing VMs should not be automatically reimaged — only new VMs should use the new version.

Which approach manages custom images most effectively for this scenario?

A) Use Azure Compute Gallery (formerly Shared Image Gallery) — create an image definition, publish image versions (replicated to 3 regions), and reference the image definition in the host pool. New VMs use the latest version; existing VMs are not affected.
B) Store the VHD in a standard Azure Storage account and reference it directly in the host pool image configuration
C) Use Azure Marketplace images with custom script extensions to install corporate tools at deployment time
D) Store the image as a managed disk snapshot and share across subscriptions using disk access policies

Question 6: RDP Shortpath

Users in your organization's corporate headquarters connect to AVD session hosts via an ExpressRoute private peering connection. Users report high latency and occasional connection drops. You want to enable direct UDP-based connectivity between client devices and session hosts to reduce latency and improve connection reliability, using the existing ExpressRoute infrastructure.

Which RDP Shortpath type is designed for this scenario?

A) RDP Shortpath for public networks (STUN/TURN) — routes UDP traffic via Microsoft TURN servers for internet-based connections
B) RDP Shortpath is not compatible with ExpressRoute — only VPN Gateway connections are supported
C) RDP Shortpath for managed networks — uses direct UDP connectivity within a private network (ExpressRoute, VPN) with no relay servers required, giving lowest possible latency
D) Enable RemoteFX UDP transport in the host pool RDP properties to use UDP over ExpressRoute

Question 7: Application Group Types

A hospital needs to deploy AVD for three groups of users: (1) Nurses — need access to a specific clinical application and a general-purpose browser, but NOT a full desktop. (2) Administrators — need a full Windows 11 desktop with access to all installed applications. (3) Radiologists — need access to a specialized imaging viewer application only.

Which application group configuration should be used for each user group?

A) All three groups: Desktop Application Group (DAG) with different application restrictions per group
B) Nurses: RemoteApp Application Group (RAG) with clinical app + browser published. Admins: Desktop Application Group (DAG). Radiologists: separate RemoteApp Application Group (RAG) with imaging viewer published
C) Nurses: Desktop Application Group (DAG) filtered to specific apps. Admins: RemoteApp Application Group (RAG) set to show all apps. Radiologists: Desktop Application Group (DAG)
D) All three groups: RemoteApp Application Group (RAG) — full desktop access is achieved by publishing Windows Explorer in a RAG

Question 8: Scaling Plan Configuration

Your pooled host pool runs business-critical sessions from 8 AM to 6 PM weekdays. You want to: (1) Begin starting additional hosts at 7:30 AM to ensure capacity is ready at 8 AM. (2) During peak hours (8 AM–5 PM), use breadth-first load balancing. (3) From 5 PM to 6 PM, force-disconnect idle sessions and gradually stop hosts as capacity allows. (4) Outside business hours, stop all hosts except a minimum of 1.

Which scaling plan phase configuration achieves this?

A) Configure a single phase that runs 24/7 with a minimum host count of 1 and autoscale based on session count
B) Scaling plans cannot stop hosts during ramp-down — a separate Azure Automation runbook is required
C) Configure two phases: Business hours (8 AM–6 PM, breadth-first, all hosts running) and After hours (6 PM–8 AM, all hosts stopped)
D) Configure four phases: Ramp-up (7:30 AM — start hosts ahead of peak, breadth-first). Peak (8 AM–5 PM — breadth-first, no host shutdown). Ramp-down (5 PM — force-logoff idle users, stop hosts as they empty). Off-peak (6 PM+ — minimum host count = 1, depth-first)

Identity & Security

Questions 9–14

Question 9: AVD Identity Model Selection

A startup wants to deploy Azure Virtual Desktop with no on-premises infrastructure. They use only Microsoft Entra ID (cloud-only) and Microsoft Intune for device management. They want session hosts joined to Entra ID (not AD DS). They need FSLogix profile containers stored in Azure Files.

What is a critical limitation of this Entra ID-only AVD deployment for FSLogix?

A) FSLogix is not supported in Entra ID-only AVD deployments — a different profile solution must be used
B) FSLogix requires session hosts to be joined to an on-premises domain — Entra ID joined session hosts cannot use FSLogix
C) Azure Files requires AD DS Kerberos authentication for FSLogix SMB access. In an Entra ID-only deployment, FSLogix with Azure Files requires Entra ID-based SMB authentication (identity-based access), which is supported but requires the storage account to be configured for Entra ID authentication instead of AD DS
D) Entra ID-only deployments must use OneDrive for Business instead of FSLogix for profile management

Question 10: AVD RBAC Roles

You need to assign permissions for three people: (1) Sarah — needs to manage all AVD resources (create/modify host pools, application groups, workspaces) but should not be able to manage Azure subscriptions or Entra ID. (2) Tom — is an end user who needs to connect to session hosts in a specific host pool. (3) Alex — manages only the session hosts within a host pool (add/remove session hosts, put them in drain mode) but not the host pool settings itself.

Which AVD RBAC role should each person receive?

A) Sarah: Desktop Virtualization Contributor. Tom: Desktop Virtualization User. Alex: Desktop Virtualization Host Pool Contributor
B) Sarah: Owner. Tom: Contributor. Alex: Desktop Virtualization Host Pool Contributor
C) Sarah: Desktop Virtualization Contributor. Tom: Desktop Virtualization Reader. Alex: Desktop Virtualization Contributor
D) Sarah: Contributor (Azure built-in). Tom: Desktop Virtualization User. Alex: Desktop Virtualization Reader

Question 11: Conditional Access for AVD

Your organization wants to enforce that users connecting to Azure Virtual Desktop must be using a device that is: (1) Entra ID joined or Hybrid Entra ID joined, AND (2) marked as compliant in Microsoft Intune. The policy should only apply to AVD connections, not to other cloud app sign-ins.

How should Conditional Access be configured for this requirement?

A) Create a Conditional Access policy targeting All cloud apps with a device filter for compliant and Entra ID joined devices
B) Create a Conditional Access policy targeting the "Azure Virtual Desktop" enterprise application specifically, with Device state condition set to require: Entra ID joined or Hybrid Entra ID joined AND device compliance (Intune compliant)
C) Create a Conditional Access policy targeting the "Windows Virtual Desktop" legacy app ID with an IP location condition for corporate IPs only
D) Configure device compliance requirements directly in the AVD host pool RDP properties without Conditional Access

Question 12: Screen Capture Protection

A legal firm processes confidential client documents in Azure Virtual Desktop sessions. The compliance team requires that users cannot take screenshots, use screen recording software, or use remote screen-sharing tools (like Teams screen share) to capture the content visible in their AVD remote session window. This requirement applies only to this specific host pool.

Which AVD feature prevents screen capture of remote session content?

A) Configure a Conditional Access policy blocking screen sharing applications from being installed on client devices
B) Configure Clipboard redirection to disabled in the host pool RDP properties — this prevents data transfer including screenshots
C) Enable Screen capture protection on the host pool — this renders the session window as black to screen capture tools and screen sharing software on the client device, while the session remains visible to the local user
D) Enable watermarking on the host pool — watermarks deter unauthorized sharing of session content

Question 13: Private Endpoint for AVD

A financial institution requires that all network traffic from AVD session hosts to the AVD control plane (gateway, broker, diagnostics) must remain on Microsoft's private network backbone — no traffic should traverse the public internet. Client devices connect from the corporate network via ExpressRoute.

Which networking configuration achieves private AVD control plane traffic?

A) Configure NSG rules on the session host subnet to block outbound internet traffic — AVD will use private paths automatically
B) Use Azure ExpressRoute Microsoft peering to route AVD traffic — ExpressRoute Microsoft peering automatically provides private AVD control plane access
C) Configure Azure Firewall with FQDN application rules to allow only AVD-required URLs — other traffic is blocked
D) Deploy Private Endpoints for Azure Virtual Desktop — this creates private IP addresses in your VNet for the AVD connection broker, gateway, and diagnostics service, allowing all control plane traffic to remain private

Question 14: Intune for AVD Multi-Session

Your organization wants to manage AVD session host VMs (Windows 11 multi-session) using Microsoft Intune — applying configuration profiles, compliance policies, and security baselines to the session hosts themselves (not the user sessions). Session hosts are Entra ID joined (no AD DS).

What is required to enroll AVD multi-session session hosts in Microsoft Intune?

A) Windows 11 multi-session session hosts that are Entra ID joined automatically enroll in Intune when the Intune MDM scope includes the session host computer account — configure via Intune device enrollment settings for Windows
B) Enroll the session host VMs in Intune during host pool creation using the AVD Azure portal integration — a separate Intune enrollment step is not needed
C) Intune cannot manage Windows multi-session OS — only Windows Server and Windows 10/11 single-session are supported
D) Deploy the Intune management extension (IME) manually to each session host VM using a PowerShell script

User Environments & Apps

Questions 15–20

Question 15: MSIX App Attach — Format Selection

You are deploying MSIX app attach for a pooled host pool with 50 session hosts. The MSIX packages are stored on an Azure Files share. You need to choose between storing packages as VHD, VHDX, or CIM format. Your security team requires that mounted package files are read-only and cannot be modified by processes running on session hosts. Antivirus scanning of mounted MSIX images should not be required.

Which package format should you use?

A) VHD format — standard virtual disk format, widest compatibility
B) CIM (Composite Image File System) format — natively read-only, no antivirus exclusions required for mounted images, faster mounting performance vs. VHD/VHDX in large deployments
C) VHDX format — supports larger package sizes than VHD, read-write mode available
D) ZIP format — smallest file size, automatically expanded to memory on session host startup

Question 16: MSIX App Attach Lifecycle

A user named Alex signs into a pooled AVD session. Alex has been assigned to an Application Group that includes an MSIX app attach package. Alex uses the application during their session. Alex then signs out of the AVD session. Describe what happens to the MSIX package at each stage during Alex's session lifecycle.

Which sequence of MSIX lifecycle states correctly describes what happens?

A) Staged (before session) → Registered (user sign-in) → Active (during use) → Unregistered (user sign-out) → Removed (session host restart)
B) Destaged (before session) → Staged (session host startup) → Registered (user sign-in) → Deregistered (user sign-out) → Destaged (session host shutdown or no active sessions)
C) Mounted (session host startup) → Available (user sign-in) → Unmounted (user sign-out) → Cached (idle)
D) Published (app group assignment) → Installed (user first sign-in) → Updated (package new version) → Uninstalled (user removed from app group)

Question 17: OneDrive in AVD Multi-Session

You are deploying OneDrive for Business on Windows 11 multi-session session hosts. You want users to be automatically signed into OneDrive with their Entra ID credentials when they start a session — no manual sign-in prompt. You also want users' Desktop, Documents, and Pictures folders to automatically sync to OneDrive (Known Folder Move). OneDrive should not prompt for sign-in or setup on each new session.

Which OneDrive configuration settings achieve silent sign-in and Known Folder Move in multi-session AVD?

A) Configure OneDrive in per-user mode using user profile registry keys; users sign in manually on first session
B) Configure OneDrive per-user installation and use a login script to sign in users via command line on each session start
C) OneDrive Known Folder Move is not supported in Windows 11 multi-session environments — use SharePoint mapped drives instead
D) Configure OneDrive per-machine installation (install with /allusers flag), enable SilentAccountConfig Group Policy (silent SSO via Entra ID token), and enable Known Folder Move Group Policy for Desktop/Documents/Pictures — per-machine install is required for multi-session

Question 18: Teams Optimization for AVD

Users in a pooled AVD host pool use Microsoft Teams for video calls. They report that video calls consume significant CPU/GPU resources on the session host VMs, causing performance degradation for all users sharing the same session host during calls. You want to redirect audio and video processing to the client device instead of the session host.

Which feature enables client-side media processing for Teams in AVD?

A) Teams WebRTC media optimization for AVD — installs the WebRTC redirector service on session hosts and the AVD client supports media engine redirect, offloading audio/video processing to the client device's local hardware
B) Enable the "Audio/Video redirection" setting in the host pool RDP properties — this redirects all audio processing to the client
C) Use Teams Live Events instead of standard meetings — Live Events process media on Microsoft servers instead of session hosts
D) Configure GPU-optimized VM sizes (NV-series) for session hosts to handle video encoding locally without performance impact on other users

Question 19: RemoteApp vs Full Desktop

A manufacturing company uses AVD to deliver two types of experiences: (1) Office workers need a full Windows 11 desktop with multiple applications, file access, and the ability to install approved software via Company Portal. (2) Shop floor workers need to use only a single specialized production scheduling application — they should not see or access anything outside of this application.

Which application group configuration is appropriate for each group?

A) Both groups: Desktop Application Group (DAG) with different Intune application assignment profiles per group
B) Office workers: pooled host pool with Desktop Application Group (DAG). Shop floor workers: separate pooled host pool with RemoteApp Application Group (RAG) publishing only the production scheduling app
C) Office workers: RemoteApp Application Group (RAG) with all apps published. Shop floor workers: Desktop Application Group (DAG) with app restrictions via AppLocker
D) Both groups: RemoteApp Application Group (RAG) — full desktop is not available in pooled host pools

Question 20: FSLogix Application Masking

Your organization has licensed Microsoft Project and Microsoft Visio for 30 out of 200 AVD users. These applications are installed on all session host VMs in a shared host pool (because reinstalling for each user group is not practical). You need to ensure that only the 30 licensed users can see and launch Project and Visio — the other 170 users should not see these applications in their Start menu or taskbar.

Which FSLogix feature achieves this without creating separate host pools?

A) Use MSIX app attach to deliver Project and Visio only to the 30 licensed users' application group assignment
B) Use Intune application assignment to target Project and Visio only to the 30 licensed users — Intune removes the apps from unlicensed users' sessions
C) Use FSLogix Application Masking — create masking rules that hide Project and Visio for users NOT in the licensed group, while the applications remain installed and visible to the 30 licensed users. No separate host pool needed.
D) Create a separate host pool with Project and Visio installed, assign the 30 licensed users to this pool, and use breadth-first load balancing

Monitor & Maintain

Questions 21–25

Question 21: AVD Insights — Diagnostics Setup

You need to enable Azure Monitor for Azure Virtual Desktop (AVD Insights). Users are reporting connection failures, but you have no data to diagnose the issue. AVD Insights is showing empty charts. Your Log Analytics workspace exists but contains no AVD data.

What is the most likely reason AVD Insights shows no data, and how do you fix it?

A) AVD Insights requires a premium Log Analytics workspace — upgrade from the standard workspace and data will populate automatically
B) The Log Analytics workspace must be in the same region as the AVD host pool — create a new workspace in the same region as the session hosts
C) AVD Insights requires the Log Analytics agent to be installed on each session host VM — deploy the agent via Azure Policy
D) Diagnostics settings have not been configured for the host pool, workspace, and application groups. Enable diagnostic settings on each AVD resource (host pool, workspace, app groups) to send logs to the Log Analytics workspace — AVD does not send diagnostics automatically

Question 22: AVD Log Analytics Tables

A user reports they cannot connect to their AVD session. You want to query Log Analytics to find specific error details about this user's failed connection attempt, including the error code and the stage of the connection where the failure occurred.

Which Log Analytics table contains AVD connection attempt details and error codes?

A) WVDConnections — contains details of each connection attempt including UserName, State, SessionHostName, ClientType, and error information for failed connections
B) AzureActivity — contains all Azure resource management operations including AVD connection events
C) WindowsEvent — contains Windows Event Log data from session host VMs including RDP connection events
D) Heartbeat — contains session host VM availability data used to determine if hosts are online

Question 23: Start VM on Connect

You manage a personal host pool where each user is assigned a dedicated session host VM. To reduce costs during evenings and weekends, you want VMs to automatically shut down when users disconnect (after a 15-minute idle period). When a user connects in the morning, their VM should automatically start — the user should not need to wait for an administrator to start the VM manually.

Which feature enables automatic VM startup on user connection?

A) Configure Azure Auto-shutdown on each VM with a startup schedule for 7 AM each day
B) Enable Start VM on Connect on the personal host pool — when a user connects and their assigned VM is stopped/deallocated, AVD automatically starts it. Requires assigning the Desktop Virtualization Power On Contributor role to the AVD service principal at the subscription or resource group level.
C) Create an Azure Automation runbook triggered by AVD connection events via Azure Monitor Alerts to start the VM
D) Configure Azure Policy to automatically start deallocated VMs when a connection request is received

Question 24: Session Host Drain Mode

You need to apply Windows security patches to 5 session hosts in a pooled host pool. You do not want to disrupt active user sessions. You want to prevent new connections from being routed to these hosts while allowing existing sessions to complete naturally. After all sessions have ended on each host, you will apply patches and then re-enable the hosts.

Which session host management feature enables this graceful maintenance approach?

A) Delete the session hosts from the host pool, patch the VMs, and re-register them with the host pool
B) Use Azure Update Manager to apply patches automatically during a configured maintenance window — existing sessions are not disconnected
C) Enable Drain Mode on the session hosts — new connections are blocked (existing sessions are unaffected), allowing you to wait for all users to sign out naturally before patching
D) Set the max session limit to 0 on the session hosts — this prevents new connections while existing sessions continue

Question 25: FSLogix Profile Backup

Your organization uses FSLogix profile containers stored in an Azure Files Premium share. You need to configure backup for the FSLogix profile data to meet a recovery point objective (RPO) of 24 hours and a retention period of 30 days. The backup solution must support individual file and folder restore from within a profile container VHD.

Which Azure backup solution is most appropriate for FSLogix profiles on Azure Files?

A) Azure Backup for Azure Virtual Machines — backs up the session host VMs which contain the profile data
B) Azure Site Recovery for Azure Files — provides continuous replication and point-in-time recovery for file shares
C) Configure Azure Files geo-redundant storage (GRS) — GRS automatically backs up data with 24-hour replication lag
D) Azure Backup for Azure Files — takes daily snapshots of the Azure Files share containing FSLogix VHD/VHDX files. Supports retention up to 200 daily snapshots. Restore allows file-level recovery of the VHD container and can restore to an alternate location.

✋ Stop Here Before Scrolling!

Have you answered all 25 questions? Record your answers before checking below.

Pro tip: Many AZ-140 questions hinge on a single word — "pooled" vs "personal", "VHDLocations" vs "CCDLocations", "DAG" vs "RAG". Read every option fully.

📝 Answer Key with Detailed Explanations

Review each explanation carefully — even for questions you got right

Quick Answer Reference

Q1: A, Q2: C, Q3: B, Q4: D, Q5: A
Q6: C, Q7: B, Q8: D, Q9: C, Q10: A
Q11: B, Q12: C, Q13: D, Q14: A, Q15: B
Q16: B, Q17: D, Q18: A, Q19: B, Q20: C
Q21: D, Q22: A, Q23: B, Q24: C, Q25: D

Question 1: Host Pool Type Selection

✓ Correct Answer: A) Personal host pool with Windows 11 Enterprise, Automatic assignment

Why this is correct:

Personal host pools assign each user a dedicated session host VM — users do not share the desktop with others. Windows 11 Enterprise (single-session) is the appropriate OS for dedicated personal desktops. Automatic assignment lets AVD assign an unassigned session host on first connection (no pre-mapping required). Variable resource requirements across users are handled by right-sizing VMs per user class.

Why other answers are incorrect:

B: Windows 11 multi-session in a pooled host pool means users share VMs — the requirement explicitly states users should not share a desktop session.
C: Windows Server 2022 RDSH uses Remote Desktop Services licensing and is appropriate for pooled scenarios — not the recommended choice for full Windows 11 desktop experience.
D: Windows 11 multi-session in a personal host pool is a contradiction — multi-session is designed for pooled (shared) scenarios. Personal host pools should use single-session OS.

💡 Key Concept:

Host pool selection: Pooled = multiple users share session hosts, Windows 10/11 multi-session or Windows Server, cost-effective for similar workloads. Personal = each user gets a dedicated VM, Windows 10/11 Enterprise single-session, required when users need persistent customizations or isolated resources. Assignment types: Automatic (assigned on first connect), Direct (pre-mapped to specific user).


Question 2: Host Pool Load Balancing

✓ Correct Answer: C) Depth-first — fills hosts before starting new ones

Why this is correct:

Depth-first load balancing routes new connections to the session host with the most existing connections (up to its max session limit). This concentrates users on fewer hosts, allowing other hosts to remain empty and potentially be shut down by autoscale. This is the correct algorithm for cost optimization in off-peak hours. Breadth-first distributes connections evenly — keeping all hosts active and preventing cost savings from host shutdown.

Why other answers are incorrect:

A: Breadth-first is optimal for peak hours (spreads load evenly for performance) but counterproductive for cost optimization — it keeps all hosts active with few sessions each, preventing host shutdown.
B: AVD does not offer a Round-robin algorithm — the two options are Breadth-first and Depth-first.
D: AVD does not offer a Least-connections algorithm — only Breadth-first and Depth-first are available.

💡 Key Concept:

Load balancing algorithms: Breadth-first = distribute evenly across all hosts (maximize performance, use during peak). Depth-first = fill one host before the next (minimize active hosts, use during off-peak for cost savings). Scaling plans can change the algorithm per phase — use breadth-first for ramp-up/peak, depth-first for off-peak to enable host shutdown.
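The off-peak effect described above, as an added sketch that is not part of the original question set and is not Microsoft's broker code. The 10-host pool comes from Question 2; the max session limit of 20, the 30 off-peak sessions and the lowest-index tie-break are assumptions made for the illustration.

```python
"""Simplified model of pooled host pool load balancing (added example)."""
from typing import Callable, List, Optional, Tuple

# A picker returns the index of the host that receives the next connection,
# or None when every host is already at its max session limit.
Picker = Callable[[List[int], int], Optional[int]]


def pick_breadth_first(sessions: List[int], max_limit: int) -> Optional[int]:
    """Spread load: choose the host with the FEWEST sessions that has room."""
    open_hosts = [i for i, s in enumerate(sessions) if s < max_limit]
    if not open_hosts:
        return None
    # Tie-break on the lowest index (assumption, keeps the model deterministic).
    return min(open_hosts, key=lambda i: (sessions[i], i))


def pick_depth_first(sessions: List[int], max_limit: int) -> Optional[int]:
    """Concentrate load: choose the host with the MOST sessions below the limit."""
    open_hosts = [i for i, s in enumerate(sessions) if s < max_limit]
    if not open_hosts:
        return None
    return max(open_hosts, key=lambda i: (sessions[i], -i))


def simulate(picker: Picker, host_count: int, max_limit: int,
             connections: int) -> Tuple[List[int], int]:
    """Route `connections` new sessions; return (sessions per host, rejected)."""
    sessions = [0] * host_count
    rejected = 0
    for _ in range(connections):
        host = picker(sessions, max_limit)
        if host is None:
            rejected += 1  # pool is full, the connection cannot be placed
        else:
            sessions[host] += 1
    return sessions, rejected


def empty_hosts(sessions: List[int]) -> int:
    """Hosts with no sessions, i.e. the ones autoscale could stop."""
    return sum(1 for s in sessions if s == 0)


if __name__ == "__main__":
    HOSTS, MAX_LIMIT, OFF_PEAK_USERS = 10, 20, 30  # assumed values
    for name, picker in (("breadth-first", pick_breadth_first),
                         ("depth-first", pick_depth_first)):
        placed, rejected = simulate(picker, HOSTS, MAX_LIMIT, OFF_PEAK_USERS)
        print(f"{name:13} sessions={placed} "
              f"empty_hosts={empty_hosts(placed)} rejected={rejected}")
```

With 30 off-peak sessions, depth-first leaves eight hosts empty while breadth-first keeps all ten in use; at the full 200 sessions both algorithms end with every host at its limit.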


Question 3: FSLogix Storage Selection

✓ Correct Answer: B) Azure NetApp Files Ultra tier

Why this is correct:

Azure NetApp Files (ANF) Ultra tier is designed for the highest performance storage requirements: it supports 450,000+ IOPS per volume (compared to Azure Files Premium which supports up to 100,000 IOPS per share for large provisioned sizes). ANF supports AD DS Kerberos authentication (required for FSLogix SMB access). ANF provides 99.99% SLA. For 500 concurrent users generating 25,000+ peak IOPS, ANF is the appropriate choice.

Why other answers are incorrect:

A: Azure Files Standard (StorageV2) is limited to 20,000 IOPS for standard file shares — below the 25,000 IOPS requirement. Standard also uses HDD-based storage with higher latency.
C: Azure Blob Storage does not support SMB protocol — FSLogix requires SMB (Server Message Block) to mount VHD/VHDX profile containers. Blob Storage cannot be used for FSLogix.
D: Azure Files Premium supports higher IOPS than Standard (up to 100,000 IOPS for large provisioned shares). For 25,000 IOPS, a large provisioned Files Premium share could work, but ANF Ultra provides higher throughput, lower latency, and is the recommended choice for very high IOPS requirements.

💡 Key Concept:

FSLogix storage selection: Azure Files Standard = small deployments, <1000 users, budget-sensitive. Azure Files Premium (SSD-based) = medium deployments, up to 100K IOPS, good balance of performance and cost. Azure NetApp Files Premium/Ultra = large enterprise deployments, highest IOPS and throughput, lowest latency, required for 500+ concurrent users with heavy I/O. All options require AD DS or Entra ID authentication for FSLogix SMB access.

Question 4: FSLogix Cloud Cache

✓ Correct Answer: D) CCDLocations (Cloud Cache) with both region storage paths

Why this is correct:

FSLogix Cloud Cache (CCDLocations) maintains synchronized copies of profile containers in multiple storage locations simultaneously. It writes to ALL configured locations and reads from the first available. If East US storage fails, Cloud Cache automatically reads from West US storage within seconds — users experience minimal disruption. This is the purpose-built solution for multi-region FSLogix HA.

Why other answers are incorrect:

A: GRS (geo-redundant storage) replicates data asynchronously to a secondary region for disaster recovery, but the secondary endpoint is read-only and not automatically accessible during a primary region failure for normal SMB access. GRS failover is an account-level operation initiated by Microsoft or the storage account owner — it is not transparent to FSLogix.
B: Azure Site Recovery replicates Azure VMs, not Azure Files shares. ASR is designed for compute DR, not file share replication.
C: VHDLocations with multiple paths separated by semicolons is NOT Cloud Cache — FSLogix uses the second path only as a fallback registration location, not for simultaneous write/failover. This does not provide true HA.

💡 Key Concept:

VHDLocations vs CCDLocations: VHDLocations = one or more UNC paths to storage, FSLogix tries paths in order and uses the first successful mount. If the primary storage fails, the profile is unavailable. CCDLocations (Cloud Cache) = writes to ALL paths simultaneously, reads from first available. Provides true HA — storage failure in one location is transparent to the user. Use Cloud Cache for multi-region AVD deployments.
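
An added example (not from the original page or from FSLogix) that classifies the values under `HKLM:\SOFTWARE\FSLogix\Profiles` as a VHDLocations path list or a Cloud Cache provider list and flags the gaps described above. The function name, UNC paths and provider names are hypothetical, and only `type=smb` providers are parsed.

```powershell
# Added example; UNC paths and provider names below are hypothetical.
function Get-FslogixProfileRedundancy {
    [CmdletBinding()]
    param(
        # Hashtable or object carrying the values of HKLM:\SOFTWARE\FSLogix\Profiles
        [Parameter(Mandatory)] $Settings
    )

    # Either value may be REG_SZ (';'-separated) or REG_MULTI_SZ (string array).
    $vhdRaw = @($Settings.VHDLocations) -join ';'
    $ccdRaw = @($Settings.CCDLocations) -join ';'

    $vhdPaths = @($vhdRaw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Cloud Cache providers look like: type=smb,name="X",connectionString=\\server\share
    $smbPattern = 'type=smb,(?:name=[^,]*,)?connectionString=(?<path>\\\\[^;,"]+)'
    $ccdPaths = @([regex]::Matches($ccdRaw, $smbPattern, 'IgnoreCase') |
        ForEach-Object { $_.Groups['path'].Value })
    $providerCount = [regex]::Matches($ccdRaw, 'type=\w+', 'IgnoreCase').Count

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Settings.Enabled -ne 1) {
        $findings.Add('Enabled is not 1: profile containers are off.')
    }

    if ($providerCount -gt 0) {
        $mode = 'CloudCache'
        if ($providerCount -lt 2) {
            $findings.Add('Only one Cloud Cache provider: no second copy to fail over to.')
        }
        if ($providerCount -gt $ccdPaths.Count) {
            $findings.Add('Some providers are not type=smb and were not parsed.')
        }
        if ($vhdPaths.Count -gt 0) {
            $findings.Add('VHDLocations is also set; Cloud Cache is configured through CCDLocations alone.')
        }
    }
    elseif ($vhdPaths.Count -gt 1) {
        $mode = 'VHDLocations'
        $findings.Add('Paths are tried in order and are not kept in sync: this is not Cloud Cache.')
    }
    elseif ($vhdPaths.Count -eq 1) {
        $mode = 'VHDLocations'
        $findings.Add('Single storage path: the profile is unavailable if it fails.')
    }
    else {
        $mode = 'NotConfigured'
        $findings.Add('No profile storage location is set.')
    }

    [pscustomobject]@{
        Mode     = $mode
        Paths    = if ($mode -eq 'CloudCache') { $ccdPaths } else { $vhdPaths }
        Findings = $findings.ToArray()
    }
}

# Constructed sample configurations (hypothetical storage endpoints).
$semicolonList = @{
    Enabled      = 1
    VHDLocations = '\\eastus-files.example.test\profiles;\\westus-files.example.test\profiles'
}
$cloudCache = @{
    Enabled      = 1
    CCDLocations = 'type=smb,name="EastUS",connectionString=\\eastus-files.example.test\profiles;' +
                   'type=smb,name="WestUS",connectionString=\\westus-files.example.test\profiles'
}

foreach ($config in $semicolonList, $cloudCache) {
    Get-FslogixProfileRedundancy -Settings $config | Format-List
}

# On a session host, pass the live registry values instead:
# Get-FslogixProfileRedundancy -Settings (Get-ItemProperty 'HKLM:\SOFTWARE\FSLogix\Profiles')
```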

Question 5: Custom Image — Azure Compute Gallery

✓ Correct Answer: A) Azure Compute Gallery with image definition and versioned images replicated to 3 regions

Why this is correct:

Azure Compute Gallery (ACG, formerly Shared Image Gallery) provides: image versioning (e.g., 1.0.0, 1.1.0, 1.2.0), automatic replication to multiple regions (configured per image version), image definitions that specify OS type and Hyper-V generation, and the ability to reference the image definition (latest version) or a specific version in host pool configuration. New VMs use the latest published version; existing VMs are unaffected until replaced.

Why other answers are incorrect:

B: Storing VHDs in standard storage accounts does not provide versioning, multi-region replication, or the lifecycle management that ACG provides. VHDs in storage accounts cannot be shared across subscriptions or regions efficiently.
C: Custom script extensions at deployment time increase deployment time, add complexity (script failures break VM deployments), and don't provide a consistent, versioned golden image — each VM may end up slightly different if script runs fail partially.
D: Managed disk snapshots don't support multi-region replication (snapshots are regional), versioning, or cross-subscription sharing in the same organized way as ACG.

💡 Key Concept:

Azure Compute Gallery workflow: Create gallery → Create image definition (OS, VM generation, publisher/offer/SKU) → Create and publish image version (source: VM, managed image, or another image version; replicate to N regions) → Reference image definition (latest) or specific version in AVD host pool. Host pool automatically uses latest published version for new VMs.

Question 6: RDP Shortpath — Managed Networks

✓ Correct Answer: C) RDP Shortpath for managed networks

Why this is correct:

RDP Shortpath has two variants: Managed networks (for private connections via ExpressRoute or VPN) and Public networks (for internet connections via STUN/TURN). For ExpressRoute-connected corporate users, RDP Shortpath for managed networks establishes a direct UDP path between the client device and the session host within the private network — no relay servers needed, lowest possible latency (no trampoline through gateway). This significantly reduces latency compared to the TCP-based reverse connect transport.

Why other answers are incorrect:

A: RDP Shortpath for public networks uses STUN/TURN relay servers on the Microsoft network for internet-based clients — this is for users connecting from home or via the internet, not for ExpressRoute-connected corporate networks.
B: RDP Shortpath is specifically designed to work with ExpressRoute and VPN — it is not incompatible.
D: RemoteFX is deprecated and removed from modern Windows versions — it is not a current RDP Shortpath mechanism.

💡 Key Concept:

RDP Shortpath variants: Managed networks = direct UDP between client and session host over private network (ExpressRoute/VPN), UDP port 3390, lowest latency, no relay. Public networks = STUN/TURN-based UDP relay for internet clients, Microsoft-hosted relay servers, still faster than TCP but has relay hop. Both require UDP traffic allowed in NSGs and firewalls. Managed networks = configure NSG to allow UDP 3390 from client subnet to session host subnet.

Question 7: Application Group Types

✓ Correct Answer: B) Nurses: RAG with specific apps. Admins: DAG. Radiologists: separate RAG with imaging viewer

Why this is correct:

Desktop Application Group (DAG) publishes a full Windows desktop to users. RemoteApp Application Group (RAG) publishes specific applications — users only see and can launch those published apps. One host pool can have only ONE DAG (only one full desktop per host pool) but can have MULTIPLE RAGs. Each user group gets the right access: Nurses get their specific tools via RAG, Admins get a full desktop via DAG, Radiologists get only their imaging app via a separate RAG.

Why other answers are incorrect:

A: DAG does not support per-group application restrictions in the standard configuration — all users assigned to the DAG see the full desktop with all installed apps. Application control (AppLocker/WDAC) can restrict apps but is more complex than using RAGs.
C: Setting a DAG to "all apps" in a RAG is not how AVD works — RAGs publish specific RemoteApp programs, not a desktop view of all apps.
D: Full desktop access IS available in pooled host pools via a Desktop Application Group (DAG). Saying "full desktop is not available in pooled host pools" is incorrect.

💡 Key Concept:

Application group rules: One DAG per host pool maximum. Multiple RAGs per host pool allowed. A user can be assigned to multiple application groups across different host pools. DAG = full Windows desktop. RAG = specific published applications (RemoteApp). Published apps in a RAG appear in the AVD web client or client app as individual app icons, not as a desktop session.

Question 8: Scaling Plan Configuration

✓ Correct Answer: D) Four phases: Ramp-up, Peak, Ramp-down, Off-peak

Why this is correct:

Scaling plans support four distinct phases per schedule: Ramp-up (start ahead of peak demand — spin up hosts, use breadth-first to prepare capacity), Peak (maintain full capacity with configured load balancing), Ramp-down (reduce capacity as demand drops — force-log off idle sessions, stop hosts as they empty), Off-peak (maintain minimum capacity, use depth-first to consolidate remaining sessions). This matches all four stated requirements precisely.

Why other answers are incorrect:

A: A single 24/7 phase cannot implement the time-based behavioral differences (ramp-up preparation, peak load management, forced idle disconnection during ramp-down) — a single phase with autoscale doesn't support the forced disconnection during ramp-down.
B: Scaling plans CAN stop hosts during ramp-down — this is a core feature. Force-logoff of idle users in ramp-down phase enables hosts to become empty and automatically stop. No separate runbook is required.
C: Two phases miss the ramp-up (start hosts before peak demand) and ramp-down (graceful reduction with idle session force-logoff). A binary on/off approach is less cost-efficient and doesn't prepare for peak proactively.

💡 Key Concept:

Scaling plan phases: Ramp-up = start time before peak, start hosts proactively, can change load balancing to breadth-first. Peak = full capacity, configured load balancing. Ramp-down = starts after peak end time, force-logoffs idle users after configured wait period, stops empty hosts. Off-peak = minimum host count maintained (ensure at least 1 host for late workers), depth-first to consolidate. Assign scaling plan to one or more host pools.

Question 9: AVD Identity Model — Entra ID-only FSLogix limitation

✓ Correct Answer: C) Azure Files requires Entra ID-based SMB authentication in Entra ID-only deployments

Why this is correct:

In a hybrid (Entra ID + AD DS) deployment, Azure Files uses Kerberos authentication backed by AD DS — session hosts authenticate using their AD computer account. In an Entra ID-only deployment (no AD DS), Azure Files must be configured for Entra ID Kerberos authentication (a newer feature that uses Entra ID tickets). This IS supported but requires specific configuration: enabling identity-based access on the storage account using Entra ID, configuring RBAC for the storage account, and ensuring the AVD client and session host OS version support Entra Kerberos. It works, but requires careful setup distinct from the traditional AD DS path.

Why other answers are incorrect:

A: FSLogix IS supported in Entra ID-only deployments — it requires Entra ID Kerberos authentication for Azure Files instead of AD DS Kerberos. The profile container concept remains the same.
B: This was true historically but is no longer accurate — Entra ID joined session hosts can use FSLogix with Entra ID Kerberos authentication for Azure Files since the feature was introduced.
D: OneDrive for Business and FSLogix are complementary — OneDrive handles documents/desktop folder redirection, FSLogix handles the full Windows profile container. They are not mutually exclusive.

💡 Key Concept:

Identity model feature support: Hybrid (Entra ID + AD DS sync) = most features, traditional Kerberos auth, broadest compatibility. Entra ID-only = supported with Entra Kerberos for Azure Files, requires specific OS and client versions, growing feature parity. Entra Domain Services = managed AD DS, Kerberos support, no DC management overhead. Choose identity model early — it affects many downstream configuration decisions.

Question 10: AVD RBAC Roles

✓ Correct Answer: A) Sarah: Desktop Virtualization Contributor. Tom: Desktop Virtualization User. Alex: Desktop Virtualization Host Pool Contributor

Why this is correct:

Desktop Virtualization Contributor grants full management of all AVD resources (host pools, app groups, workspaces, session hosts) without Azure subscription-level permissions. Desktop Virtualization User grants the right to connect to AVD session hosts — required for end users. Desktop Virtualization Host Pool Contributor is scoped to managing host pool infrastructure (session hosts) without broader AVD resource management rights.

Why other answers are incorrect:

B: Owner at the subscription level grants all Azure resource management including RBAC — far more than Sarah needs. Tom needs Desktop Virtualization User, not Contributor.
C: Tom needs Desktop Virtualization User (connection access), not Desktop Virtualization Reader (view metadata only — cannot connect to session hosts). Desktop Virtualization Reader is for auditors, not end users.
D: Azure built-in Contributor for Sarah grants all Azure resource management permissions — too broad. She should have AVD-specific Contributor scoped to AVD resources.

💡 Key Concept:

AVD-specific RBAC roles: Desktop Virtualization Contributor = full AVD management (create/modify/delete host pools, app groups, workspaces). Desktop Virtualization User = connect to AVD sessions (end user role). Desktop Virtualization Host Pool Contributor = manage session hosts within a host pool (operations team). Desktop Virtualization Reader = view AVD resources (auditors). Assign at the appropriate scope (subscription, resource group, or individual resource).

Question 11: Conditional Access for AVD

✓ Correct Answer: B) CA policy targeting Azure Virtual Desktop with device state conditions

Why this is correct:

To apply Conditional Access specifically to AVD connections, target the "Azure Virtual Desktop" enterprise application (or both "Azure Virtual Desktop" and "Microsoft Remote Desktop" for full coverage). The device state condition in Conditional Access allows requiring both Entra ID joined/Hybrid joined AND Intune compliance. By targeting the specific AVD application, the policy only applies to AVD connections — other apps are unaffected.

Why other answers are incorrect:

A: Targeting All cloud apps applies the device compliance requirement to all Azure and Microsoft 365 services — not just AVD. Users would need a compliant device to access email, SharePoint, etc.
C: "Windows Virtual Desktop" is the legacy app ID — using the modern "Azure Virtual Desktop" application is preferred. IP location-based policies are less secure than device compliance requirements.
D: RDP properties control what is enabled within a session (clipboard, drive redirection) — they cannot enforce Entra ID device compliance. Conditional Access enforces these requirements before the session is established.

💡 Key Concept:

Conditional Access for AVD: Target "Azure Virtual Desktop" (and optionally "Microsoft Remote Desktop") enterprise applications. Common conditions: device compliance, device join type, sign-in risk, MFA. Common grant controls: Require MFA, Require compliant device, Require Hybrid Entra ID joined. Session controls: sign-in frequency, persistent browser session. CA is enforced at the initial connection authentication — not per individual RDP operation.

Question 12: Screen Capture Protection

✓ Correct Answer: C) Screen capture protection — renders session black to capture tools

Why this is correct:

Screen capture protection is an AVD host pool property that instructs the session host to render the remote session window as opaque black when the Windows graphics system detects a screen capture operation (screenshot API, print screen, screen recording software, Teams screen share, etc.). The actual session content is still displayed on the physical screen for the legitimate user, but capture tools receive a black image. This is configured per host pool in the RDP properties.

Why other answers are incorrect:

A: Conditional Access controls session establishment conditions — it cannot block specific applications (like OBS or Snipping Tool) on the client device after authentication.
B: Clipboard redirection disabled prevents copy-paste of text/files between the session and the local device — it does not prevent screenshots. Screen capture protection is a separate, specific feature for this use case.
D: Watermarking adds visible QR-code watermarks to deter unauthorized sharing by making screenshots traceable — it does NOT prevent screenshots. The user can still capture the screen; the watermark just makes it attributable. Screen capture protection actually prevents the capture.

💡 Key Concept:

Screen capture protection vs Watermarking: Screen capture protection = blocks screen capture tools from capturing session content (session appears black to capture APIs). Prevents screenshots. Watermarking = adds a QR code watermark visible in the session (contains user info). Deters sharing by making it traceable — does NOT prevent screenshots. For compliance requirements that prohibit screenshots: Screen capture protection. For data governance/traceability: Watermarking. Can use both simultaneously.

Question 13: Private Endpoint for AVD

✓ Correct Answer: D) Private Endpoints for Azure Virtual Desktop control plane

Why this is correct:

AVD Private Endpoints create private IP addresses in your VNet for the AVD control plane services: Connection Broker (session routing), Gateway (WebSocket connection), Diagnostics, and Feed (workspace). Traffic from session hosts to these services traverses your VNet and Azure backbone — never the public internet. Client devices connecting from the corporate network via ExpressRoute also reach the AVD control plane via the Private Endpoints.

Why other answers are incorrect:

A: NSG rules can block outbound internet traffic, but this breaks AVD connectivity because the control plane traffic would have no path to the AVD services. Without private endpoints, AVD requires internet outbound access to public Azure endpoints.
B: ExpressRoute Microsoft peering connects to Microsoft's public services via the Microsoft backbone, but the AVD control plane endpoints are still accessed via their public IP addresses unless Private Endpoints are configured — Microsoft peering improves routing but doesn't make public endpoints private.
C: Azure Firewall with FQDN rules controls WHAT traffic is allowed/denied but doesn't change the routing path — traffic to public AVD endpoints still traverses the internet (or Azure backbone, but via public IPs). Private Endpoints change where the service is accessible (private IP vs. public IP).

💡 Key Concept:

AVD Private Endpoint configuration: Create private endpoints for each component type: Connection Gateway, Connection Broker, Web Access, Diagnostics. Configure private DNS zones (privatelink.wvd.microsoft.com) to resolve AVD service FQDNs to private IPs. Disable public network access on the AVD workspace to force all traffic through private endpoints. Required for zero-internet-egress AVD deployments.

Question 14: Intune for AVD Multi-Session

✓ Correct Answer: A) Entra ID joined session hosts automatically enroll via Intune MDM scope settings

Why this is correct:

Windows 11 multi-session session hosts that are Entra ID joined support Intune MDM enrollment. When the Intune MDM scope includes users or devices (and device enrollment is enabled for Windows), Entra ID joined session hosts automatically enroll in Intune during the join process. Configuration profiles, compliance policies, and security baselines can then be applied to the session host computer objects. This is distinct from user MDM enrollment — it's device-level management of the session host VMs.

Why other answers are incorrect:

B: Intune enrollment does not happen automatically through the AVD portal — it happens through the Entra ID join + MDM scope configuration process. The AVD host pool creation and Intune enrollment are separate processes.
C: Intune CAN manage Windows 11 multi-session OS — this capability was introduced specifically to support AVD management scenarios. Session host VMs appear in Intune as computer objects.
D: The Intune Management Extension (IME) is for deploying PowerShell scripts and Win32 apps — it is not the enrollment mechanism. Enrollment happens via the Entra ID join and MDM policy, not by installing a specific extension manually.

💡 Key Concept:

Intune for AVD multi-session: Supported for Windows 11 multi-session and Windows 10 multi-session (Enterprise multi-session). Requirements: Session hosts must be Entra ID joined (not Hybrid joined via GPO-based MDM enrollment). MDM scope must include the session host computer accounts. Intune manages machine-level settings (security baselines, OS configuration) — user-level policies via GPO or Intune user profiles work alongside machine policies.

Question 15: MSIX App Attach — Format Selection

✓ Correct Answer: B) CIM (Composite Image File System) format

Why this is correct:

CIM format is the recommended format for MSIX app attach in production environments. Key advantages: CIM is inherently read-only — the package content cannot be modified by processes on the session host (compared to VHD/VHDX which can be opened in read-write mode). CIM images do not require antivirus exclusions when mounted — VHD/VHDX files mounted as disks need antivirus exclusions to prevent scanning interference. CIM also provides better concurrent read performance for multiple sessions accessing the same package.

Why other answers are incorrect:

A: VHD supports read-write attachment by default — extra configuration is required to ensure read-only mounting. Antivirus exclusions are typically required for mounted VHD files. VHD has a 2 TB size limit.
C: VHDX supports larger sizes (64 TB) and has some performance advantages over VHD, but still requires antivirus exclusions and supports read-write attachment mode.
D: ZIP format is not a supported MSIX app attach format. MSIX packages themselves are ZIP-based archives, but the disk image format for app attach must be VHD, VHDX, or CIM.

💡 Key Concept:

MSIX app attach format comparison: VHD = legacy virtual disk, 2 TB limit, read-write capable, antivirus exclusions needed. VHDX = improved virtual disk, 64 TB, read-write capable, antivirus exclusions needed. CIM = Composite Image File System, read-only by design, no antivirus exclusions, better concurrent access performance, preferred for production. For shared AVD environments: always use CIM for MSIX app attach.

Question 16: MSIX App Attach Lifecycle

✓ Correct Answer: B) Destaged → Staged → Registered → Deregistered → Destaged

Why this is correct:

The MSIX app attach lifecycle follows four stages: Before the user connects, the image is Destaged (disk not attached to the session host). When the session host starts (or MSIX is configured), the image is Staged (disk attached to session host, package files accessible but not visible to users). When the user signs in, the package is Registered (application appears in Start menu and is launchable by the user). When the user signs out, the package is Deregistered (application disappears from Start). When the session host shuts down or the package is removed, it is Destaged (disk detached).

Why other answers are incorrect:

A: There is no "Active" or "Unregistered" state in the official MSIX lifecycle. The correct states are Staged, Registered, Deregistered, and Destaged.
C: "Mounted", "Available", and "Cached" are not official MSIX app attach lifecycle state names.
D: "Published", "Installed", "Updated", and "Uninstalled" describe traditional application deployment terminology, not MSIX app attach lifecycle stages.

💡 Key Concept:

MSIX lifecycle memory aid: Think of it as disk mount → user registration → user deregistration → disk unmount. Staged = disk in (host-level, no user visibility). Registered = user can see and use the app. Deregistered = user signs out, app hidden. Destaged = disk out (cleanup). The staging/destaging happens at the session host level; registration/deregistration happens at the user session level.

Question 17: OneDrive in AVD Multi-Session

✓ Correct Answer: D) Per-machine installation + SilentAccountConfig + Known Folder Move via Group Policy

Why this is correct:

OneDrive per-machine installation (/allusers flag) installs OneDrive once for all users on the session host instead of per-user profile — essential for multi-session environments to avoid profile size bloat and per-user installation overhead. SilentAccountConfig Group Policy uses the user's Entra ID token to automatically sign into OneDrive without a manual sign-in prompt. Known Folder Move (KFM) Group Policy redirects Desktop, Documents, and Pictures to OneDrive automatically.

Why other answers are incorrect:

A: Per-user installation in multi-session environments means each user's profile contains a separate OneDrive installation binary — this increases profile size significantly and causes issues with FSLogix profile containers.
B: OneDrive Known Folder Move IS supported in Windows 11 multi-session — this has been a supported configuration for several years. SharePoint mapped drives are an alternative but not required.
C: Command-line sign-in scripts are fragile and don't support the full silent SSO flow — SilentAccountConfig Group Policy provides the proper Entra ID token-based silent sign-in.

💡 Key Concept:

OneDrive for AVD best practices: Install per-machine (not per-user) using /allusers switch. Enable SilentAccountConfig for automatic Entra ID sign-in. Configure KFM for Desktop/Documents/Pictures. Enable Files On-Demand to avoid downloading all files to profile. Exclude OneDrive cache folders from FSLogix profile container if using separate Office Container. Do NOT sync the entire FSLogix profile VHD file to OneDrive.

Question 18: Teams Optimization for AVD

✓ Correct Answer: A) Teams WebRTC media optimization

Why this is correct:

Teams WebRTC media optimization redirects the audio/video media processing from the session host to the client device. The AVD client on the local machine runs the Teams WebRTC engine locally, processing the camera, microphone, and speaker directly. Only the Teams UI and call control signaling runs on the session host — media streams go peer-to-peer between client devices (or via Microsoft relay) without touching the session host CPU/GPU. This dramatically reduces session host resource consumption during video calls.

Why other answers are incorrect:

B: "Audio/Video redirection" in RDP properties is a simple RDP audio redirection feature (plays sound locally), not the same as Teams WebRTC media optimization. Basic audio redirection still processes the audio on the session host before redirecting.
C: Teams Live Events are broadcast-style, one-to-many webcast meetings — not a solution for standard meeting performance optimization.
D: GPU-optimized VMs (NV-series) improve graphics rendering performance (useful for CAD/3D workloads) but do not eliminate the problem — all 50 users on shared session hosts using video calls would still consume NV-series GPU resources proportionally.

💡 Key Concept:

Teams WebRTC media optimization requirements: Teams desktop client installed on the session host (not MSIX app attach for Teams — install normally). AVD client installed on the local device (Windows, macOS — not web client). The WebRTC redirect service is installed by the Teams installer on the session host. Verify optimization is active: in Teams call → three dots → Device settings → should show "AVD Media Optimized". New "Slim Core" Teams architecture supports improved AVD media optimization.

Question 19: RemoteApp vs Full Desktop

✓ Correct Answer: B) Office workers: DAG in pooled host pool. Shop floor: separate pooled host pool with RAG

Why this is correct:

Office workers need a full Windows desktop with flexibility — Desktop Application Group (DAG) in a pooled host pool provides this. Shop floor workers need application isolation — RemoteApp Application Group (RAG) publishing only the production scheduling app provides a focused, locked-down experience. Using separate host pools for the two groups allows different VM sizing, session limits, and application installations without cross-contamination.

Why other answers are incorrect:

A: Applying Intune application assignment profiles doesn't prevent users from seeing other installed applications in a full desktop — AppLocker or WDAC would be required for true application restriction, and this is more complex than using a RAG.
C: A RAG cannot deliver a full desktop experience — RemoteApp runs individual apps in their own windows, not within a Windows shell. AppLocker in a DAG is a valid security control but not simpler than the DAG/RAG separation.
D: Full desktop (DAG) IS available in pooled host pools — this is a very common deployment pattern. The statement that full desktop is not available in pooled host pools is false.

💡 Key Concept:

When to use RemoteApp (RAG): Task workers who need only specific apps, call center agents, shop floor workers, kiosk scenarios, users who need to share data from RemoteApp with local apps (file associations). When to use full desktop (DAG): Knowledge workers, power users, users who need the full Windows experience, developers, users who run many applications. Both can run in the same pooled host pool using different application groups.

Question 20: FSLogix Application Masking

✓ Correct Answer: C) FSLogix Application Masking — hides apps for non-licensed users

Why this is correct:

FSLogix Application Masking uses a rule-based system to hide applications, files, registry keys, and shortcuts from specified users or groups. Create masking rules that make Project and Visio invisible (Start menu, taskbar, file associations, registry) for users NOT in the licensed Entra ID/AD group. Licensed users in the group see and access the applications normally. The applications remain installed on all session hosts — masking only controls visibility per user group. No separate host pool needed.

Why other answers are incorrect:

A: MSIX app attach is for packaging applications in MSIX format and delivering them dynamically — it requires converting Project and Visio to MSIX packages. Microsoft 365 apps like Project and Visio can be delivered via M365 click-to-run, and MSIX app attach adding a separate packaged version would be redundant and complex.
B: Intune application assignment can install/uninstall apps, but uninstalling from session hosts would remove them for ALL users (not per-session selective hiding). Reinstalling per session is not practical in a shared host pool.
D: Creating a separate host pool adds infrastructure overhead, session host VM costs, and requires managing two host pool image versions — Application Masking achieves the same result more elegantly without additional infrastructure.

💡 Key Concept:

FSLogix Application Masking use cases: License-based application control (hide Project/Visio from unlicensed users), role-based application visibility (admins see admin tools, users don't), OS feature hiding. Masking rules define: what to hide (file paths, registry keys, Start menu shortcuts, application shortcuts), and who to hide it from (user/group exclusions or inclusions). Rule set files (.fxa) are configured with the FSLogix App Masking Rule Editor tool.

Question 21: AVD Insights — Diagnostics Setup

✓ Correct Answer: D) Diagnostics settings not configured on AVD resources

Why this is correct:

AVD Insights is a workbook in Azure Monitor that queries data from a Log Analytics workspace. However, AVD resources (host pools, workspaces, application groups) do not send diagnostic data to Log Analytics automatically. You must manually configure diagnostic settings on each resource: Host pool → Diagnostics settings → Send to Log Analytics workspace → select log categories (WVDConnections, WVDErrors, WVDHostRegistrations, etc.). Once configured, data flows within minutes and AVD Insights populates.

Why other answers are incorrect:

A: There is no "premium" Log Analytics workspace tier — all workspaces are the same type (per-GB billing). No upgrade is needed.
B: AVD Insights uses diagnostic settings (resource-level logging) sent to Log Analytics — not the Log Analytics agent installed on VMs. Session host performance data (CPU, memory) does use the Azure Monitor agent on VMs, but AVD connection/error diagnostics come from the diagnostic settings, not the agent.
C: Log Analytics workspaces can receive AVD data from resources in any region — the workspace and host pool do not need to be in the same region.

💡 Key Concept:

AVD Insights setup checklist: 1) Create Log Analytics workspace. 2) Enable diagnostic settings on: host pool(s) — all log categories, workspace — all categories, application groups — all categories. 3) Enable Azure Monitor agent on session host VMs for performance counters. 4) Open AVD Insights workbook → configure it to point to your Log Analytics workspace. Data latency: 5–15 minutes after first configuration. Use the AVD Insights workbook Configuration tab to verify all required data sources are configured.

Question 22: AVD Log Analytics Tables

✓ Correct Answer: A) WVDConnections — connection attempts, states, errors

Why this is correct:

WVDConnections is the Log Analytics table that contains a record for each AVD connection attempt. Fields include: UserName, State (Connected, Completed, Failed, Disconnected), SessionHostName, ClientType, ClientVersion, ResourceAlias (workspace/app group), Duration, ClientIPAddress, and importantly — for failed connections — the ErrorMessage and ErrorCode fields that describe why the connection failed. This is the primary table for diagnosing user connection issues.

Why other answers are incorrect:

B: AzureActivity logs Azure Resource Manager (ARM) operations — resource creation, deletion, RBAC changes. It does not contain AVD session-level connection attempt details or user sign-in information.
C: WindowsEvent (from the Windows Event Log data collector) captures OS-level events from session host VMs — these can include RDP service events but are not the structured AVD connection telemetry table.
D: Heartbeat contains agent heartbeat data (VM online/offline status) from the Log Analytics agent — not connection attempt or user session details.

💡 Key Concept:

Key AVD Log Analytics tables:

  • WVDConnections = user connection attempts and outcomes.
  • WVDErrors = error events and diagnostic messages.
  • WVDHostRegistrations = session host registration with the host pool (startup events).
  • WVDCheckpoints = pipeline events for troubleshooting connection stages.
  • WVDSessionHostManagement = scaling and management events.
  • WVDAgentHealthStatus = session host health reporting.

For connection troubleshooting: start with WVDConnections → WVDErrors → WVDCheckpoints for deep diagnostics.
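
The WVDConnections → WVDErrors step of that troubleshooting flow, as an added example that is not part of the original page: a KQL query, run from PowerShell, that joins the two tables on `CorrelationId` and ranks failing users by error code. The resource group and workspace names are assumptions; the query uses only the `TimeGenerated`, `CorrelationId`, `UserName`, `SessionHostName`, `ClientType`, `CodeSymbolic`, `Message` and `ServiceError` columns.

```powershell
#Requires -Modules Az.OperationalInsights
# Added example. rg-avd and law-avd are assumed names.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-avd' -Name 'law-avd'

$query = @'
let window = 24h;
WVDErrors
| where TimeGenerated > ago(window)
| project CorrelationId, CodeSymbolic, Message, ServiceError
| join kind=inner (
    WVDConnections
    | where TimeGenerated > ago(window)
    // One connection writes several rows; keep the latest row per CorrelationId.
    | summarize arg_max(TimeGenerated, UserName, SessionHostName, ClientType) by CorrelationId
  ) on CorrelationId
| summarize Failures = count(),
            Hosts    = make_set(SessionHostName),
            LastSeen = max(TimeGenerated)
    by UserName, CodeSymbolic
| order by Failures desc
'@

# -WorkspaceId expects the workspace GUID (CustomerId), not the ARM resource ID.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $query
$result.Results | Format-Table UserName, CodeSymbolic, Failures, LastSeen
```

A single user with a high failure count against many hosts is worth a second look in sign-in logs; a single host that fails for every user points at the host itself.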

Question 23: Start VM on Connect

✓ Correct Answer: B) Start VM on Connect on the personal host pool with Power On Contributor role

Why this is correct:

Start VM on Connect is a feature that enables AVD to automatically start a stopped or deallocated session host VM when a user attempts to connect to it. For personal host pools, this is configured directly on the host pool settings. The AVD service principal (the Azure Virtual Desktop app) must be granted the "Desktop Virtualization Power On Contributor" custom role at the subscription or resource group containing the session host VMs — this role grants the service permission to start VMs on behalf of users.

Why other answers are incorrect:

A: Azure Auto-shutdown schedules are one-directional — they stop VMs on a schedule but have no mechanism to start VMs when a user connects. A manual or scheduled startup would be needed, not user-triggered.
C: Creating automation runbooks triggered by AVD connection events requires complex event-driven architecture (AVD → Event Hub → Logic App → Runbook or similar). Start VM on Connect is the built-in, simpler solution for this exact scenario.
D: Azure Policy cannot react to real-time connection requests — Policy evaluates resource compliance on a scheduled basis, not in response to user connection events.

💡 Key Concept:

Start VM on Connect setup: Enable on host pool (personal or pooled). Assign "Desktop Virtualization Power On Contributor" role to the AVD service principal ("Windows Virtual Desktop" or "Azure Virtual Desktop" enterprise application) at subscription or resource group scope. For personal host pools: user's assigned VM starts on connection. For pooled host pools: works with scaling plans. User experiences a ~30–60 second wait for VM to start if it was deallocated.
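
The setup described above, as an added example that is not part of the original page. It checks for an existing assignment before creating one and scopes the role to the resource group holding the session hosts rather than the whole subscription. The names `rg-avd-hosts`, `rg-avd` and `hp-personal` are assumptions.

```powershell
#Requires -Modules Az.Resources, Az.DesktopVirtualization
# Added example. Resource group and host pool names are assumed values.
$hostRg = 'rg-avd-hosts'       # resource group that holds the session host VMs
$role   = 'Desktop Virtualization Power On Contributor'
$scope  = (Get-AzResourceGroup -Name $hostRg).ResourceId

# The enterprise application appears under either display name, depending on the tenant.
$sp = 'Azure Virtual Desktop', 'Windows Virtual Desktop' |
    ForEach-Object { Get-AzADServicePrincipal -DisplayName $_ } |
    Select-Object -First 1
if (-not $sp) { throw 'AVD service principal not found in this tenant.' }

# With -Scope, assignments inherited from parent scopes are returned as well,
# so a broader subscription-level grant shows up here instead of being duplicated.
$assigned = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $role
if ($assigned) {
    $assigned | ForEach-Object { Write-Output "Already assigned at $($_.Scope)" }
} else {
    New-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $role | Out-Null
    Write-Output "Assigned '$role' at $scope"
}

# Turn the feature on for the host pool.
Update-AzWvdHostPool -ResourceGroupName 'rg-avd' -Name 'hp-personal' `
    -StartVMOnConnect:$true | Out-Null
```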

Question 24: Session Host Drain Mode

✓ Correct Answer: C) Enable Drain Mode on the session hosts

Why this is correct:

Drain Mode is an AVD session host property that, when enabled, prevents the AVD gateway from routing NEW connections to that session host. Existing active sessions are completely unaffected — users continue working normally. When all users on the session host have signed out naturally (or been asked to save and sign out), the session host becomes empty and can be patched safely. After patching, drain mode is disabled and the host resumes accepting connections.

Why other answers are incorrect:

A: Deleting and re-registering session hosts from the host pool is a disruptive and time-consuming process — existing user sessions would be immediately terminated when the host is deleted.
B: Azure Update Manager can apply OS patches with minimal disruption, but this depends on the maintenance window configuration — it does not provide the graceful "wait for users to sign out" behavior that Drain Mode enables. Some patches require a restart, which would disconnect active sessions.
D: Setting max session limit to 0 might prevent new connections (depending on implementation) but is not the official drain mechanism — Drain Mode is the supported feature for this purpose. Max session limit of 0 may cause unexpected behavior.

💡 Key Concept:

Session host maintenance workflow:
1) Enable Drain Mode on session hosts to be patched (prevents new connections).
2) Notify existing users via session message (use Send-RDUserMessage cmdlet or portal).
3) Wait for users to sign out naturally (or set a deadline).
4) Verify 0 active sessions (check portal or WVDConnections table).
5) Apply patches/updates.
6) Verify session host health.
7) Disable Drain Mode to restore to service.

Use Azure Update Manager with maintenance windows for automated scheduled patching.
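
The maintenance workflow above as a script, added here as an example and not taken from the original page. It uses the Az.DesktopVirtualization cmdlets (a tooling assumption) and stops with the host still drained if users remain after the deadline or the host does not report healthy afterwards. The resource names, host name and two-hour deadline are assumed values.

```powershell
#Requires -Modules Az.DesktopVirtualization
# Added example. All names and the deadline below are assumed values.
$pool     = @{ ResourceGroupName = 'rg-avd'; HostPoolName = 'hp-pooled' }
$hostName = 'avd-sh-0.contoso.com'      # session host as registered in the pool
$deadline = (Get-Date).AddHours(2)

# Step 1: drain. New sessions are no longer brokered here; existing ones continue.
Update-AzWvdSessionHost @pool -Name $hostName -AllowNewSession:$false | Out-Null

# Step 2: message every user still signed in.
foreach ($s in (Get-AzWvdUserSession @pool -SessionHostName $hostName)) {
    $sessionId = ($s.Name -split '/')[-1]   # Name is "<pool>/<host>/<sessionId>"
    Send-AzWvdUserSessionMessage @pool -SessionHostName $hostName `
        -UserSessionId $sessionId -MessageTitle 'Scheduled maintenance' `
        -MessageBody 'Please save your work and sign out. This host will be patched.'
}

# Steps 3-4: poll until the host is empty or the deadline passes.
do {
    $remaining = @(Get-AzWvdUserSession @pool -SessionHostName $hostName).Count
    if ($remaining -eq 0) { break }
    Start-Sleep -Seconds 300
} while ((Get-Date) -lt $deadline)
if ($remaining -gt 0) {
    throw "$remaining session(s) still active on $hostName; host left in drain mode."
}

# Step 5: apply patches at this point with your patching tool, then continue.

# Steps 6-7: return the host to service only if it reports healthy.
$sh = Get-AzWvdSessionHost @pool -Name $hostName
if ($sh.Status -ne 'Available') {
    throw "$hostName reports status '$($sh.Status)'; host left in drain mode."
}
Update-AzWvdSessionHost @pool -Name $hostName -AllowNewSession:$true | Out-Null
```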

Question 25: FSLogix Profile Backup

✓ Correct Answer: D) Azure Backup for Azure Files

Why this is correct:

Azure Backup for Azure Files provides: daily snapshot-based backups of Azure Files shares (including the FSLogix VHD/VHDX container files), configurable retention (up to 200 daily recovery points, weekly/monthly/yearly), file-level restore (restore individual files or the complete share to the original or alternate location), and integration with Recovery Services Vault for centralized management. This directly meets the 24-hour RPO and 30-day retention requirements.

Why other answers are incorrect:

A: Azure Backup for Azure Virtual Machines backs up the session host VM disks (OS and data disks) — not the FSLogix profile data on Azure Files. Even if a session host is backed up, the FSLogix profiles are on a separate Azure Files share, not on the VM disks.
B: Azure Site Recovery is designed for VM replication and disaster recovery — it does not support Azure Files share replication for backup purposes.
C: GRS (geo-redundant storage) replicates data to a secondary region for disaster recovery but is NOT a backup solution. GRS does not provide point-in-time recovery, retention policies, or file-level restore. If a file is accidentally deleted, GRS replicates the deletion to the secondary region as well — GRS protects against regional failure, not data loss.

💡 Key Concept:

FSLogix backup strategy: Azure Backup for Azure Files = primary backup tool for FSLogix shares. Configure in Recovery Services Vault → Backup → Azure Files → select storage account and file share → configure daily backup policy with 30-day retention. Restore options: Full share restore, individual file/folder restore, restore to original or alternate storage account. Test restores periodically — verify that restored VHD files can be mounted and profiles are intact.

📊 How Did You Score?

  • 23–25: Exam Ready. Excellent! Schedule your AZ-140 exam.
  • 19–22: Almost There. Review FSLogix Cloud Cache and MSIX lifecycle.
  • 14–18: Keep Studying. Focus on host pool types, storage selection, and monitoring.
  • 0–13: More Study Needed. Build AZ-104 foundations and deploy an AVD lab environment.

Ready for More AZ-140 Practice?

These 25 questions are just a sample. The actual AZ-140 has 40–60 questions in 180 minutes.

MSCertQuiz AZ-140 includes 500 questions covering:

  • Host pool design — pooled vs personal, load balancing, scaling plans in depth
  • FSLogix deep-dive — all configuration options, Cloud Cache, storage sizing
  • MSIX app attach — all lifecycle stages, format comparison, troubleshooting
  • Identity scenarios — all three identity models, Conditional Access, AVD RBAC
  • Monitoring — WVD* tables, AVD Insights, scaling plan diagnostics

$14.99 One-Time Payment

Lifetime access • No subscription • 500 questions