Securing Windows Server 2016 — Question 191
Your network contains an Active Directory domain.
You plan to run shielded virtual machines.
You are implementing TPM attestation mode for a guarded fabric.
You create a Code Integrity policy named Integrity1.xml.
You need to ensure that you can apply the Code Integrity policy to Hyper-V hosts.
Which cmdlet should you run?
Answer options
- A. Add-SignerRule
- B. Add-HgsAttestationTpmHost
- C. Set-HVCIOptions
- D. ConvertFrom-CIPolicy
Correct answer: B
Explanation
The correct cmdlet to apply the Code Integrity policy to Hyper-V hosts in a TPM attestation mode setup is Add-HgsAttestationTpmHost. The other options do not relate directly to applying Code Integrity policies to Hyper-V hosts: Add-SignerRule is used to add signing rules, Set-HVCIOptions configures hypervisor-protected code integrity settings, and ConvertFrom-CIPolicy is for converting policies rather than applying them.