
SC-100 · Question #127

SC-100 Question #127: Real Exam Question with Answer & Explanation

The correct answer is A: Local Administrator Password Solution (LAPS).

Design security operations, identity, and compliance capabilities

Question

You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain. Client computers run Windows and are hybrid-joined to Microsoft Entra. You are designing a strategy to protect endpoints against ransomware. The strategy follows Microsoft Security Best Practices. You plan to remove all the domain accounts from the Administrators groups on the Windows computers. You need to recommend a solution that will provide users with administrative access to the Windows computers only when access is required. The solution must minimize the lateral movement of ransomware attacks if an administrator account on a computer is compromised. What should you include in the recommendation?

Options

  • A. Local Administrator Password Solution (LAPS)
  • B. Microsoft Entra Identity Protection
  • C. Microsoft Entra Privileged Identity Management (PIM)
  • D. Privileged Access Workstations (PAWs)

Explanation

Local Administrator Password Solution (LAPS) is the correct answer. LAPS automatically generates a unique, random password for the local Administrator account on each Windows computer and stores it securely in Active Directory (or Microsoft Entra ID for cloud-native LAPS). Administrators retrieve the password on-demand only when needed, satisfying the 'only when required' requirement. Because each machine has a different password, compromising one machine's local admin account does not grant access to other machines, directly minimizing lateral movement. Microsoft Entra PIM (C) manages Azure AD privileged roles, not local Windows admin access. Identity Protection (B) detects risky sign-ins. PAWs (D) isolate privileged sessions but do not manage local admin passwords.

Topics

#Endpoint Security · #Privileged Access Management (PAM) · #Lateral Movement Prevention · #Local Administrator Password Solution (LAPS)
