SC-100 Certification Practice Question #19

Question

You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. Client computers run Windows and are hybrid-joined to Azure AD.

You are designing a strategy to protect endpoints against ransomware. The strategy follows Microsoft Security Best Practices.

You plan to remove all the domain accounts from the Administrators groups on the Windows computers.

You need to recommend a solution that will provide users with administrative access to the Windows computers only when access is required. The solution must minimize the lateral movement of ransomware attacks if an administrator account on a computer is compromised.

What should you include in the recommendation?

Accepted Answer

Microsoft's ransomware lateral-movement guidance and the Windows LAPS overview both name LAPS as the control that rotates/randomizes per-device local administrator passwords so that compromising one machine doesn't yield admin on the rest — exactly the "minimize lateral movement if an administrator account on a computer is compromised" requirement. After domain accounts are removed from the local Administrators group, the built-in local admin account remains, and LAPS secures it with a unique, rotated password retrievable only "when access is required." The Suggested Answer, the 24-vote Most Voted, and both Highly Voted comments all align on A. Confidence is held at 80% because a substantial, well-reasoned minority pushes C (PIM): PIM does deliver true just-in-time elevation, but Microsoft scopes PIM to Entra/Azure directory roles — not standing local Windows administrator rights on hybrid-joined endpoints — so it is the weaker fit for this specific endpoint/ransomware scenario.

More SC-100 practice questions