
Lab answer key - Deploying and configuring Windows Server on Azure VMs

The document outlines a series of exercises for deploying and configuring Windows Server on Azure VMs using Azure Resource Manager (ARM) templates. It includes detailed steps for tasks such as authoring ARM templates, modifying them for VM extensions, deploying VMs, and configuring security settings. Additionally, it covers the use of Microsoft Defender for Cloud to enhance security and manage administrative access to the VMs.

Uploaded by

azsgenie

2/12/25, 11:42 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

Lab answer key: Deploying and configuring Windows Server on Azure VMs

Note: An interactive lab simulation is available that allows you to click through this lab at your own pace. You
may find slight differences between the interactive simulation and the hosted lab, but the core concepts and
ideas being demonstrated are the same.

Exercise 1: Authoring Azure Resource Manager (ARM) templates for Azure VM deployment

Task 1: Connect to your Azure subscription and enable enhanced security of Microsoft Defender for Cloud

In this task, you will connect to your Azure subscription and enable enhanced security features of Microsoft
Defender for Cloud.

1. Connect to SEA-ADM1, and then, if needed, sign in as CONTOSO\Administrator with a password of
Pa55w.rd.
2. On SEA-ADM1, start Microsoft Edge, go to the Azure portal at https://portal.azure.com , and sign in by
using the credentials of a user account with the Owner role in the subscription you’ll be using in this lab.

❕ Note: Skip the remaining steps in this task and proceed directly to the next one if you have already enabled Microsoft
Defender for Cloud in your Azure subscription.

1. In the Azure portal, in the Search resources, services, and docs text box, on the toolbar, search for and
select Microsoft Defender for Cloud.
2. On the Microsoft Defender for Cloud | Getting started page, select Upgrade, and then select Install
agents.

Task 2: Generate an ARM template and parameters files by using the Azure portal

In this task, you will use the Azure portal to create resource groups and create a disk in the resource group.

1. On SEA-ADM1, in the Azure portal, in the Search resources, services, and docs text box, on the toolbar,
search for and select Virtual machines. In the Virtual machines page, select + Create, and then select
Azure virtual machine.

2. In the Create a virtual machine page, on the Basics tab, specify the following settings and leave all other
settings with their default values, but do not deploy it:

Setting | Value
Subscription | the name of the Azure subscription you will be using in this lab.
Resource group | the name of a new resource group AZ800-L0601-RG
Virtual machine name | az800L06-vm0
Region | Use the name of an Azure region in which you can provision Azure virtual machines
Availability options | No infrastructure redundancy required
Image | Windows Server 2022 Datacenter: Azure Edition - Gen2
Run with Azure Spot discount | No
Size | Standard_D2s_v3
Username | Student
Password | Pa55w.rd1234
Public inbound ports | None
Would you like to use an existing Windows Server license | Off

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_AK_06_Deploying_and_configuring_Windows_Server_on_Azure_VMs.html 1/8

3. Select Next: Disks >, and then on the Create a virtual machine page, on the Disks tab, specify the
following settings, leaving all other settings with their default values:

Setting | Value
OS disk type | Standard HDD

4. Select Next: Networking >, and in the Create a virtual machine page, on the Networking tab, select the
Create new hyperlink that follows the Virtual network text box.

5. On the Create virtual network page, specify the following settings, leaving all other settings with their
default values, and then select OK:

Setting | Value
Name | az800L06-vnet
Address range | 10.60.0.0/20
Subnet name | subnet0
Subnet range | 10.60.0.0/24

6. Back on the Create a virtual machine page, on the Networking tab, specify the following settings, leaving
all other settings with their default values:

Setting | Value
Public IP | None
NIC network security group | None
Enable accelerated networking | Off
Load balancing options | None

7. Select Next: Management >, leaving all settings with their default values.

8. Select Next: Monitoring >, and on the Create a virtual machine page, on the Monitoring tab, specify
the following settings, leaving all other settings with their default values:

Setting | Value
Boot diagnostics | Enable with managed storage account (recommended)

9. Select Next: Advanced >, on the Advanced tab of the Create a virtual machine page, review the
available settings without modifying any of them, and then select Review + Create.

❕ Note: Do not create the virtual machine. You will use the autogenerated template for this purpose.

Task 3: Download the ARM template and parameters files from the Azure portal

1. In the Azure portal, on the Create a virtual machine page, select Download a template for automation.


2. On the Template page, select Download.


3. Select the ellipsis button next to the template.zip, and then in the pop-up menu, select Show in folder.
This will automatically open File Explorer displaying the content of the Downloads folder.
4. In File Explorer, copy template.zip to the C:\Labfiles\Lab06 folder on SEA-ADM1 (create a new folder if
needed).
5. From the Template page, browse back to the Create a virtual machine page, and close it without
completing the deployment.

Exercise 2: Modifying ARM templates to include VM extension-based configuration

Task 1: Review the ARM template and parameters files for Azure VM deployment

1. On SEA-ADM1, start File Explorer, and then browse to the C:\Labfiles\Lab06 folder.
2. Extract the content of the template.zip file into the same folder.
3. Open the template.json file in Notepad, and review its content. Keep the Notepad window open.
4. From File Explorer, open the C:\Labfiles\Lab06\parameters.json file in Notepad and review its content.
5. Close the Notepad window displaying the parameters.json file.

Task 2: Add an Azure VM extension section to the existing template

1. On SEA-ADM1, in the Notepad window displaying the content of the template.json file, insert the
following code directly after the "resources": [ line:

❕ Note: If you are using a tool that pastes the code in line by line, intellisense may add extra brackets causing
validation errors. You may want to paste the code into notepad first and then paste it into the JSON file.

{
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "name": "[concat(parameters('virtualMachineName'), '/customScriptExtension')]",
    "apiVersion": "2018-06-01",
    "location": "[resourceGroup().location]",
    "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'))]"
    ],
    "properties": {
        "publisher": "Microsoft.Compute",
        "type": "CustomScriptExtension",
        "typeHandlerVersion": "1.7",
        "autoUpgradeMinorVersion": true,
        "settings": {
            "commandToExecute": "powershell.exe Install-WindowsFeature -name Web-Server -IncludeManagementTools && powershell.exe remove-item 'C:\\inetpub\\wwwroot\\iisstart.htm' && powershell.exe Add-Content -Path 'C:\\inetpub\\wwwroot\\iisstart.htm' -Value $('Hello World from ' + $env:computername)"
        }
    }
},

2. Save the change and close the file.
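
A quick offline check for the edit made in this task, given as an added example that is not part of the lab: it confirms that the file still parses as JSON after pasting and that the extension resource is present and depends on the VM. The function name Test-LabTemplate and the trimmed sample template are assumptions made for illustration.

```powershell
# Added example, not part of the lab. $sampleTemplate is a constructed, trimmed
# stand-in for the portal-generated template.json after the Task 2 edit.
$sampleTemplate = @'
{
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "[concat(parameters('virtualMachineName'), '/customScriptExtension')]",
      "apiVersion": "2018-06-01",
      "dependsOn": [ "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'))]" ],
      "properties": {
        "publisher": "Microsoft.Compute",
        "type": "CustomScriptExtension",
        "typeHandlerVersion": "1.7",
        "settings": { "commandToExecute": "powershell.exe Install-WindowsFeature -name Web-Server" }
      }
    },
    { "type": "Microsoft.Compute/virtualMachines", "name": "[parameters('virtualMachineName')]" }
  ]
}
'@

function Test-LabTemplate {
    param([Parameter(Mandatory)][string]$Json)
    $findings = New-Object System.Collections.Generic.List[string]

    # Stray brackets added while pasting surface here as a parse error.
    try { $template = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { $findings.Add("Template is not valid JSON: $($_.Exception.Message)"); return $findings }

    $resources = @($template.resources)
    $vm  = @($resources | Where-Object { $_.type -eq 'Microsoft.Compute/virtualMachines' })
    $ext = @($resources | Where-Object { $_.type -eq 'Microsoft.Compute/virtualMachines/extensions' })
    if ($vm.Count -eq 0)  { $findings.Add('No virtual machine resource found.') }
    if ($ext.Count -eq 0) { $findings.Add('No VM extension resource found under "resources".') }

    foreach ($e in $ext) {
        # Without dependsOn, ARM may try to create the extension before its parent VM exists.
        $dependsOnVm = @($e.dependsOn | Where-Object { $_ -like '*Microsoft.Compute/virtualMachines/*' })
        if ($dependsOnVm.Count -eq 0) { $findings.Add("$($e.name): no dependsOn entry for the VM.") }
        # Public 'settings' are not encrypted and remain readable in the deployment's template.
        if ($e.properties.settings.commandToExecute) {
            $findings.Add("$($e.name): commandToExecute is in 'settings' (clear text); keep secrets out of it or use 'protectedSettings'.")
        }
    }
    return $findings
}

Test-LabTemplate -Json $sampleTemplate
# Simulate an extra bracket inserted by an editor while pasting line by line.
Test-LabTemplate -Json ($sampleTemplate.Replace('"resources": [', '"resources": [{'))
# Against the lab file: Test-LabTemplate -Json (Get-Content 'C:\Labfiles\Lab06\template.json' -Raw)
```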


Exercise 3: Deploying Azure VMs running Windows Server by using ARM templates

Task 1: Deploy an Azure VM by using an ARM template

1. On SEA-ADM1, switch to the browser window displaying the Azure portal.


2. In the Azure portal, on the toolbar, in the Search resources, services, and docs text box, search for and
select Deploy a Custom Template.
3. In the Custom deployment page, select Build your own template in the editor.
4. On the Edit template page, select Load file, upload the template file template.json that you edited in the
previous exercise, and then select Save.
5. On the Custom deployment page, select Edit parameters.
6. On the Edit parameters page, select Load file, upload the parameters file parameters.json that you
reviewed in the previous exercise, and then select Save.

7. Back on the Custom deployment page, specify the following settings, and leave the other settings with
their default values:

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Resource group | AZ800-L0601-RG
Region | the name of the Azure region into which you can provision Azure VMs
Admin Password | Pa55w.rd1234

8. Select Review + create, and then select Create.

❕ Note: The deployment might take about 10 minutes.

9. Verify that the deployment completed successfully.

Task 2: Review results of the Azure VM deployment

1. In the Azure portal, on the toolbar, in the Search resources, services, and docs text box, search for and
select Resource groups.
2. On the Resource groups page, select the AZ800-L0601-RG entry.
3. On the AZ800-L0601-RG page, on the Overview page, review the list of resources, including the Azure
VM az800L06-vm0.
4. Within the list of resources, select the Azure VM az800L06-vm0 entry.
5. On the az800L06-vm0 page, select Extensions + applications, and on the list of extensions, verify that
the customScriptExtension has been provisioned successfully.
6. Browse back to the AZ800-L0601-RG page, and in the Settings section, select Deployments.
7. On the AZ800-L0601-RG | Deployments page, select the Microsoft.Template link.
8. On the Microsoft.Template | Overview page, select Template, and note that this is the same template
you used for deployment.

Exercise 4: Configuring administrative access to Azure VMs running Windows Server

Task 1: Verify the status of Azure Microsoft Defender for Cloud

1. In the Azure portal, on the toolbar, in the Search resources, services, and docs text box, search for and
select Microsoft Defender for Cloud.
2. On the Overview page of Microsoft Defender for Cloud, on the vertical menu on the left side, in the
Management section, select Environment settings.


3. On the Environment settings page, select the entry representing your Azure subscription.
4. On the Settings | Defender plans page, verify that the tile Enable all Microsoft Defender for Cloud
plans is selected and, on the top side, select Settings & monitoring.
5. On the Settings & monitoring page, in the list of extensions, to the right side of the Log Analytics
agent/Azure Monitor agent entry, select the Edit configuration link.
6. On the Auto-provisioning configuration, in the Workspace selection ensure that the Default
workspace(s) entry is selected, select Apply, and back on the Settings & monitoring page, select
Continue.
7. On the Settings | Defender plans page, select Save.

Task 2: Review the Just-in-time VM access settings

1. Browse back to the Overview page of Microsoft Defender for Cloud, and then, in the Cloud Security
section, select Workload protections.
2. On the Microsoft Defender for Cloud | Workload protections page, select Just-in-time VM access.

3. On the Just-in-time VM access page, review the Configured, Not Configured, and Unsupported tabs.

❕ Note: It might take up to 24 hours for the newly deployed VM to appear on the Unsupported tab. Rather than wait,
continue to the next exercise.

Exercise 5: Configuring Windows Server security in Azure VMs

Task 1: Create and configure an NSG

1. In the Azure portal, on the toolbar, in the Search resources, services, and docs text box, search for and
select Network security groups.
2. On the Network security groups page, select + Create.

3. On the Basics tab of the Create network security group page, specify the following settings (leave others
with their default values):

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Resource group | AZ800-L0601-RG
Name | az800L06-vm0-nsg1
Region | the name of the Azure region into which you provisioned the Azure VM az800L06-vm0

4. On the Create network security group page, on the Basics tab, select Review + create, and then select
Create.
5. In the Azure portal, browse back to the AZ800-L0601-RG page, and then in the list of resources, select the
entry representing the newly created network security group az800L06-vm0-nsg1.
6. On the az800L06-vm0-nsg1 page, review the listing of the default inbound and outbound security rules,
and then in the Settings section, select Inbound security rules.
7. On the az800L06-vm0-nsg1 | Inbound security rules page, select + Add.

8. On the Add inbound security rule page, specify the following settings, leaving all others with their default
values, and then select Add:

Setting | Value
Source | Any
Source port ranges | *
Destination | Any
Service | HTTP
Action | Allow
Priority | 300
Name | AllowHTTPInBound

Task 2: Configure Inbound HTTP access to an Azure VM

1. In the Azure portal, on the toolbar, in the Search resources, services, and docs text box, search for and
select Public IP address.
2. On the Public IP address page, select + Create.

3. On the Basics tab of the Create public IP address page, specify the following settings (leave others with
their default values):

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Resource group | AZ800-L0601-RG
Name | az800l06-vm0-pip1
Region | the name of the Azure region into which you provisioned the Azure VM az800l06-vm0
SKU | Standard

4. On the Create public IP address page, on the Basics tab, select Review + create, and then select Create.
5. Verify that the deployment completed successfully.
6. In the Azure portal, browse back to the AZ800-L0601-RG page, and then in the list of resources, select the
entry representing the Azure VM az800l06-vm0.
7. On the az800l06-vm0 page, select Networking.
8. On the az800l06-vm0 | Networking page, select the link designating the network interface attached to
az800l06-vm0.
9. On the page displaying the network interface properties, in the vertical menu on the left side, in the
Settings section, select Network security group.
10. On the Network security group page, in the drop-down list, select az800l06-vm0-nsg1, and then select
Save.
11. Back on the page displaying the properties of the network interface, select IP configurations, and then
select the ipconfig1 entry.
12. On the ipconfig1 page, in the Public IP address section, select Associate, and then select az800l06-vm0-pip1
from the Public IP address drop-down list.
13. On the ipconfig1 page, select Save.
14. Browse back to the page displaying the network interface properties and select Overview. Note the value
of the public IP address assigned to the interface.
15. Open another browser tab, browse to that IP address, and verify that a webpage opens, displaying Hello
World from az800L06-vm0.

16. From the lab computer, start the Remote Desktop app, and try connecting to the same IP address. Verify
that the connection fails.

❕ Note: This is expected because the Azure VM is currently not accessible from the Internet via TCP port 3389. It is
accessible only via TCP port 80.
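
Why step 15 succeeds and step 16 fails can be reproduced by evaluating the NSG's inbound rules in priority order. The following PowerShell is an added example, not part of the lab; the rule objects, function names and the 203.0.113.10 client address are constructed, and rule sources are assumed to be '*', a service tag or a single IPv4 address (no CIDR matching).

```powershell
# Added example, not part of the lab. Constructed rules: the lab's AllowHTTPInBound
# rule (Service HTTP = TCP/80) plus Azure's three default inbound rules.
$labRules = @(
    [pscustomobject]@{ Name = 'AllowHTTPInBound'; Priority = 300; Access = 'Allow'; Protocol = 'Tcp'; Source = '*'; Ports = '80' }
    [pscustomobject]@{ Name = 'AllowVnetInBound'; Priority = 65000; Access = 'Allow'; Protocol = '*'; Source = 'VirtualNetwork'; Ports = '*' }
    [pscustomobject]@{ Name = 'AllowAzureLoadBalancerInBound'; Priority = 65001; Access = 'Allow'; Protocol = '*'; Source = 'AzureLoadBalancer'; Ports = '*' }
    [pscustomobject]@{ Name = 'DenyAllInBound'; Priority = 65500; Access = 'Deny'; Protocol = '*'; Source = '*'; Ports = '*' }
)

function Test-PortMatch {
    param([string]$Spec, [int]$Port)
    # A port spec may be '*', a single port, a range 'a-b', or a comma-separated mix.
    foreach ($part in ($Spec -split ',')) {
        $p = $part.Trim()
        if ($p -eq '*') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($p -eq "$Port") { return $true }
    }
    return $false
}

function Test-SourceMatch {
    param([string]$RuleSource, [string]$SourceIp)
    # Assumption: $SourceIp is a public Internet address, so the VirtualNetwork and
    # AzureLoadBalancer service tags never match it.
    return (($RuleSource -in @('*', 'Internet', '0.0.0.0/0')) -or ($RuleSource -eq $SourceIp))
}

function Get-NsgInboundDecision {
    param([object[]]$Rules, [int]$Port, [string]$SourceIp, [string]$Protocol = 'Tcp')
    # NSG rules are evaluated from the lowest priority number upward; the first match decides.
    foreach ($r in ($Rules | Sort-Object Priority)) {
        if (($r.Protocol -in @('*', $Protocol)) -and
            (Test-SourceMatch -RuleSource $r.Source -SourceIp $SourceIp) -and
            (Test-PortMatch -Spec $r.Ports -Port $Port)) {
            return [pscustomobject]@{ Port = $Port; Source = $SourceIp; Access = $r.Access; Rule = $r.Name }
        }
    }
    return [pscustomobject]@{ Port = $Port; Source = $SourceIp; Access = 'Deny'; Rule = '(no match)' }
}

$client = '203.0.113.10'   # documentation address standing in for the lab computer's public IP

# State after Task 2: evaluate HTTP and RDP from the Internet client.
80, 3389 | ForEach-Object { Get-NsgInboundDecision -Rules $labRules -Port $_ -SourceIp $client }

# Constructed rule of the kind an approved JIT request with "My IP" adds: RDP from one address.
$jitRule = [pscustomobject]@{ Name = 'Constructed-JIT-Allow-3389'; Priority = 100; Access = 'Allow'; Protocol = 'Tcp'; Source = $client; Ports = '3389' }
Get-NsgInboundDecision -Rules ($labRules + $jitRule) -Port 3389 -SourceIp $client
# The same request from a different Internet address.
Get-NsgInboundDecision -Rules ($labRules + $jitRule) -Port 3389 -SourceIp '198.51.100.7'
```

The Rule column in each result names the rule that decided the outcome, which is the field to read when auditing which ports an NSG actually exposes.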

Task 3: Trigger re-evaluation of the JIT status of an Azure VM


❕ Note: This task is necessary to trigger re-evaluation of the JIT status of the Azure VM. By default, this might take up to 24
hours.

1. In the Azure portal, browse back to the AZ800-L0601-RG page, and then in the list of resources, select the
entry representing the Azure VM az800L06-vm0.
2. On the az800L06-vm0 page, select Configuration.
3. On the az800L06-vm0 | Configuration page, select Enable just-in-time VM access and select the Open
Microsoft Defender for Cloud link.
4. On the Just-in-time VM access page, verify that the entry representing the az800L06-vm0 Azure VM
appears on the Configured tab.

Task 4: Connect to the Azure VM via JIT VM access

1. Browse back to the az800L06-vm0 page, select Connect, and then in the drop-down list, select RDP.
2. On the az800L06-vm0 | Connect page, in the Source IP section, select My IP, and then select Request
access.
3. Wait for the notification stating that your request has been approved, select Download RDP File and
follow prompts to connect to the target Azure VM.

4. When prompted for credentials, specify the following values, and then select OK:

Setting | Value
Username | Student
Password | Pa55w.rd1234

5. Verify that you can successfully access the operating system running in the Azure VM via Remote Desktop,
and then close the Remote Desktop session.

Exercise 6: Deprovisioning the Azure environment

Task 1: Start a PowerShell session in Cloud Shell

1. On SEA-ADM1, in the Microsoft Edge window displaying the Azure portal, open the Azure Cloud Shell
pane by selecting the Cloud Shell icon.

2. If prompted to select either Bash or PowerShell, select PowerShell.

❕ Note: If this is the first time you’re starting Cloud Shell and you’re presented with the You have no storage
mounted message, select the subscription you are using in this lab, and then select Create storage.

Task 2: Identify all Azure resources provisioned in the lab

1. From the Cloud Shell pane, run the following command to list all resource groups created throughout this
lab:


Get-AzResourceGroup -Name 'AZ800-L06*'

2. Run the following command to delete all resource groups created throughout this lab:


Get-AzResourceGroup -Name 'AZ800-L06*' | Remove-AzResourceGroup -Force -AsJob


❕ Note: The command executes asynchronously (as determined by the -AsJob parameter). So, while you will be able to
run another PowerShell command immediately after within the same PowerShell session, it will take a few minutes
before the resource groups are actually removed.
