Vendor: Microsoft
Exam Code: 70-744
Exam Name: Securing Windows Server 2016
Version: 18.071
Get Latest & Actual 70-744 Exam's Question and Answers from Passleader.
http://www.passleader.com
QUESTION 1
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
Server1 has a volume named Volume1.
Dynamic Access Control is configured. A resource property named Property1 was created in the
domain.
You need to ensure that Property1 is set to a value of Big for all of the files in Volume1 that are
larger than 10 MB.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: H
Explanation:
In FSRM, "Large Files" creates a list of files conforming to a specified file spec that are a
specified size or larger.
QUESTION 2
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016. The forest contains 2,000 client computers that run
Windows 10.
All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs).
The solution must ensure that administrators can access several client applications used by all
users.
Solution: You deploy 10 physical computers and configure each one as a virtualization host.
You deploy the operating system on each host by using the customized Windows image.
On each host you create a guest virtual machine and configure the virtual machine as a PAW.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
QUESTION 3
Your network contains an Active Directory forest named contoso.com.
The forest functional level is Windows Server 2012. All servers run Windows Server 2016.
You create a new bastion forest named admin.contoso.com.
The forest functional level of admin.contoso.com is Windows Server 2012 R2.
You need to implement a Privileged Access Management (PAM) solution.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Raise the forest functional level of admin.contoso.com.
B. Deploy Microsoft Identity Management (MIM) 2016 to admin.contoso.com.
C. Configure contoso.com to trust admin.contoso.com.
D. Deploy Microsoft Identity Management (MIM) 2016 to contoso.com.
E. Raise the forest functional level of contoso.com.
F. Configure admin.contoso.com to trust contoso.com.
Answer: AC
Explanation:
Bastion forests should always be upgraded to current version. It defeats the purpose otherwise.
You need a one way transitive trust from your production to your bastion.
QUESTION 4
Your network contains an Active Directory domain named contoso.com.
The domain contains 1,000 client computers that run Windows 8.1 and 1,000 client computers
that run Windows 10.
You deploy a Windows Server Update Services (WSUS) server.
You create a computer group for each organizational unit (OU) that contains client computers.
You configure all of the client computers to receive updates from WSUS.
You discover that all of the client computers appear in the Unassigned Computers computer
group in the Update Services console.
You need to ensure that the client computers are added automatically to the computer group that
corresponds to the location of the computer account in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From Group Policy objects (GPOs), configure the Enable client-side targeting setting.
B. From the Update Services console, configure the Computers option.
C. From Active Directory Users and Computers, create a domain local distribution group for each
WSUS computer group.
D. From Active Directory Users and Computers, modify the flags attribute of each OU.
E. From the Update Services console, run the WSUS Server Configuration Wizard.
Answer: AB
Explanation:
https://technet.microsoft.com/en-us/library/dd252762.aspx
https://technet.microsoft.com/en-us/library/cc720433(v=ws.10).aspx
QUESTION 5
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a shared folder named Share1.
You need to encrypt the contents of Share1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
You can encrypt files from Server Manager > File and Storage Services > Shares > properties of
the folder, and then Settings; there is an Encrypt data access checkbox, which is unchecked by
default.
QUESTION 6
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that you can deploy a shielded virtual machine to Server4.
Which server role should you deploy?
A. Hyper-V
B. Device Health Attestation
C. Network Controller
D. Host Guardian Service
Answer: D
Explanation:
A guarded fabric consists of:
1 Host Guardian Service (HGS)
1 or more guarded hosts (in this case Server4)
A set of shielded VMs.
https://technet.microsoft.com/en-us/windows-server-docs/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms
QUESTION 7
Your network contains an Active Directory domain named contoso.com.
The domain contains four servers.
The servers are configured as shown in the following table.
You need to manage FS1 and FS2 by using Just Enough Administration (JEA).
What should you do before you can implement JEA?
A. Install Microsoft .NET Framework 4.6.2 on FS2.
B. Install Microsoft .NET Framework 4.6.2 on FS1.
C. Install Windows Management Framework 5.0 on FS2.
D. Upgrade FS2 to Windows Server 2016.
Answer: C
Explanation:
JEA is incorporated into Windows Server 2016 and Windows 10, and is also incorporated into
Windows Management Framework 5.0, which you can download and install on computers
running Windows Server 2012 R2.
QUESTION 8
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA).
You create a user named User1.
You need to configure the user account of User1 as a Honeytoken account.
Which information must you use to configure the Honeytoken account?
A. the SAM account name of User1
B. the Globally Unique Identifier (GUID) of User1
C. the SID of User1
D. the UPN of User1
Answer: C
Explanation:
To configure a Honeytoken user you will need the SID of the user account, not the user name.
https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/working-with-detection-settings
QUESTION 9
Your network contains two single-domain Active Directory forests named contoso.com and
contosoadmin.com.
Contosoadmin.com contains all of the user accounts used to manage the servers in contoso.com.
You need to recommend a workstation solution that provides the highest level of protection from
vulnerabilities and attacks.
What should you include in the recommendation?
A. Provide a Privileged Access Workstation (PAW) for each user account in both forests.
Join each PAW to the contoso.com domain.
B. Provide a Privileged Access Workstation (PAW) for each user in the contoso.com forest.
Join each PAW to the contoso.com domain.
C. Provide a Privileged Access Workstation (PAW) for each administrator.
Join each PAW to the contoso.com domain.
D. Provide a Privileged Access Workstation (PAW) for each administrator.
Join each PAW to the contosoadmin.com domain.
Answer: D
Explanation:
Dedicated administrative forests allow organizations to host administrative accounts,
workstations, and groups in an environment that has stronger security controls than the
production environment.
https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM
QUESTION 10
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of
the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to disable SMB 1.0 on Server2.
What should you do?
A. From File Server Resource Manager, create a classification rule.
B. From the properties of each network adapter on Server2, modify the bindings.
C. From Windows PowerShell, run the Set-SmbClientConfiguration cmdlet.
D. From Server Manager, remove a Windows feature.
Answer: C
Explanation:
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
QUESTION 11
Your network contains an Active Directory domain named contoso.com.
The domain contains 1,000 client computers that run Windows 10.
A security audit reveals that the network recently experienced a Pass-the-Hash attack.
The attack was initiated from a client computer and accessed Active Directory objects restricted
to the members of the Domain Admins group.
You need to minimize the impact of another successful Pass-the-Hash attack on the domain.
What should you recommend?
A. Instruct all users to sign in to a client computer by using a Microsoft account.
B. Move the computer accounts of all the client computers to a new organizational unit (OU).
Remove the permissions to the new OU from the Domain Admins group.
C. Instruct all administrators to use a local Administrators account when they sign in to a client
computer.
D. Move the computer accounts of the domain controllers to a new organizational unit (OU).
Remove the permissions to the new OU from the Domain Admins group.
Answer: A
Explanation:
For this question, the best answer would be to log in using a Microsoft account. The Windows
Hello service uses a virtual LSASS that is protected from caching credentials. But that is only for
Windows 10 with Fall Creators Update 1607 or Server 2016, which the question does not
mention. Again, this question is missing one of the possible choices, which was the correct
answer. Without that choice, the next best answer would be to use a Microsoft account with
Windows 10 along with update 1607, which added LSASS virtualization.
QUESTION 12
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to exclude D:\Folder1 on Nano1 from being scanned by Windows Defender.
Which cmdlet should you run?
A. Set-StorageSetting
B. Set-FsrmFileScreenException
C. Set-MpPreference
D. Set-DtcAdvancedSetting
Answer: C
Explanation:
-ExclusionPath: Specifies an array of file paths to exclude from scheduled and real-time
scanning.
You can specify a folder to exclude all the files under the folder.
https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
QUESTION 13
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that the marketing department computers validate DNS responses from
adatum.com.
Which setting should you configure in the Computer Configuration node of GP1?
A. TCPIP Settings from Administrative Templates
B. Connection Security Rule from Windows Settings
C. DNS Client from Administrative Templates
D. Name Resolution Policy from Windows Settings
Answer: D
Explanation:
The NRPT is a table that contains rules that you can configure to specify DNS settings or special
behavior for names or namespaces. The NRPT can be configured using the Group Policy
Management Editor under Computer Configuration\Policies\Windows Settings\Name Resolution
Policy, or with Windows PowerShell. If a DNS query matches an entry in the NRPT, it is handled
according to settings in the policy. Queries that do not match an NRPT entry are processed
normally.
You can use the NRPT to require that DNSSEC validation is performed on DNS responses for
queries in the namespaces that you specify.
QUESTION 14
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016 and a Nano Server
named Nano1.
Nano1 has two volumes named C and D.
You are signed in to Server1.
You need to configure Data Deduplication on Nano1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
Enable Data Deduplication by using Server Manager
https://technet.microsoft.com/en-us/windows-server-docs/storage/data-deduplication/install-enable
QUESTION 15
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management you create a software restriction policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Network profiles and ports can be managed by using the advanced Windows Firewall settings;
software restriction policies cannot fulfill this need.
QUESTION 16
Your network contains an Active Directory domain named contoso.com.
The domain contains five file servers that run Windows Server 2016.
You have an organizational unit (OU) named Finance that contains all of the servers.
You create a Group Policy object (GPO) and link the GPO to the Finance OU.
You need to ensure that when a user in the finance department deletes a file from a file server,
the event is logged.
The solution must log only users who have a manager attribute of Ben Smith.
Which audit policy setting should you configure in the GPO?
A. File system in Global Object Access Auditing
B. Audit Detailed File Share
C. Audit Other Account Logon Events
D. Audit File System in Object Access
Answer: A
Explanation:
Only Global Object Access Auditing can read user attributes.
QUESTION 17
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the
following requirements:
- The resources of the applications must be isolated from the physical
host
- Each application must be prevented from accessing the resources of
the other applications.
- The configurations of the applications must be accessible only from
the operating system that hosts the application.
Solution: You deploy one Windows container to host all of the applications.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Isolation occurs at the container level. Multiple applications in the same container would share the
same resources.
http://windowsitpro.com/windows-server-2016/differences-between-windows-containers-and-hyper-v-containers-windows-server-201
QUESTION 18
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You plan to implement BitLocker Drive Encryption (BitLocker) on the operating system volumes of
the application servers.
You need to ensure that the BitLocker recovery keys are stored in Active Directory.
Which Group Policy setting should you configure?
A. System cryptography: Force strong key protection for user keys stored on the computer
B. Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008
and Windows Vista)
C. System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing
D. Choose how BitLocker-protected operating system drives can be recovered
Answer: D
Explanation:
Answer B is only applicable if using Win 2008 NON R2 Edition. Since it states we are using 2008
R2, the correct answer is D.
QUESTION 19
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016.
All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You add User1 to the Backup Operators group in contoso.com.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
No, Server1 and Server2 use the local group "Backup Operators" for granting backup and restore
rights to normal users.
The solution would instead let User1 back up files and folders on domain controllers for
contoso.com.
QUESTION 20
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named Administration that contains the computer account
of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1.
You link GPO1 to the Administration OU.
You need to log an event each time an Active Directory cmdlet is executed successfully from
Server1.
What should you do?
A. From Advanced Audit Policy in GPO1 configure auditing for directory service changes.
B. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $false command.
C. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $true command.
D. From Advanced Audit Policy in GPO1 configure auditing for other privilege use events.
Answer: C
QUESTION 21
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2016.
The domain contains a server named Server1 that has Microsoft Security Compliance Manager
(SCM) 4.0 installed.
You export the baseline shown in the following exhibit.
You have a server named Server2 that is a member of a workgroup.
You copy the (2617e9b1-9672-492b-aefa-0505054848c2) folder to Server2.
You need to deploy the baseline settings to Server2.
What should you do?
A. Download, install, and then run the Lgpo.exe command.
B. From Group Policy Management import a Group Policy object (GPO).
C. From Windows PowerShell, run the Restore-GPO cmdlet.
D. From Windows PowerShell, run the Import-GPO cmdlet.
E. From a command prompt run the secedit.exe command and specify the /import parameter.
Answer: A
Explanation:
Server2 is a non-domain joined computer using the GPO pack feature.
Source: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
LGPO.exe replaces the no-longer-maintained LocalGPO tool that shipped with the Security
Compliance Manager (SCM).
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
QUESTION 22
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a shared folder named Share1.
You need to ensure that all access to Share1 uses SMB Encryption.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/dn551363(v=ws.11).aspx
See section "To enable SMB Encryption by using Server Manager"
QUESTION 23
Your network contains an Active Directory forest named contoso.com.
The forest functional level is Windows Server 2012.
The forest contains a single domain.
The domain contains multiple Hyper-V hosts.
You plan to deploy guarded hosts.
You deploy a new server named Server22 to a workgroup.
You need to configure Server22 as a Host Guardian Service server.
What should you do before you initialize the Host Guardian Service on Server22?
A. Install the Active Directory Domain Services server role on Server22.
B. Obtain a certificate.
C. Raise the forest functional level.
D. Join Server22 to the domain.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricchoose-where-to-install-hgs
The only technical requirement for installing HGS in an existing forest is that it be added to the
root domain; non-root domains are not supported.
QUESTION 24
Your network contains an Active Directory domain named contoso.com.
You create a Microsoft Operations Management Suite (OMS) workspace.
You need to connect several computers directly to the workspace.
Which two pieces of information do you require? Each correct answer presents part of the
solution.
A. the ID of the workspace
B. the name of the workspace
C. the URL of the workspace
D. the key of the workspace
Answer: AD
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
QUESTION 25
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), link it to the Operations Users OU, and modify
the Users Rights Assignment in the GPO.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Yes. The "User Rights Assignment" section of a GPO provides two settings for assigning backup
and restore user rights.
QUESTION 26
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains
multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the
following requirements:
- The resources of the applications must be isolated from the physical
host.
- Each application must be prevented from accessing the resources of
the other applications.
- The configurations of the applications must be accessible only from
the operating system that hosts the application.
Solution: You deploy a separate Windows container for each application.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
By using Windows containers:
- The resources of the applications must be isolated from the physical host. (ACHIEVED, as a
single container could only access its own resources, but not others)
- Each application must be prevented from accessing the resources of the other applications.
(ACHIEVED, as a single container could only access its own resources, but not others)
- The configurations of the applications must be accessible only from the operating system that
hosts the application. (ACHIEVED, you can use a Dockerfile or docker run to push
configurations to containers from the Container Host OS)
QUESTION 27
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a volume named Volume1.
A central access policy named Policy1 is deployed to the domain.
You need to apply Policy1 to Volume1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: A
Explanation:
"File Explorer" = "Windows Explorer".
https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policydemonstration-steps-#BKMK_1.4
QUESTION 28
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), you link the GPO to the Servers OU, and then
you modify the User Rights Assignment in the GPO.
Does this meet the goal?
A. Yes
B. No
Answer: A
QUESTION 29
Your network contains an Active Directory domain named contoso.com.
You install the Windows Server Update Services server role on a member server named Server1.
Server1 runs Windows Server 2016.
You need to ensure that a user named User1 can perform the following tasks:
- View the Windows Server Update Services (WSUS) configuration.
- Generate WSUS update reports.
The solution must use the principle of least privilege.
What should you do on Server1?
A. Modify the permissions of the ReportWebService virtual folder from the WSUS Administration
website.
B. Add User1 to the WSUS Reporters local group.
C. Add User1 to the WSUS Administrators local group.
D. Run wsusutil.exe and specify the postinstall parameter.
Answer: B
Explanation:
WSUS Reporters have read-only access to the WSUS database and configuration.
A user who is a member of the "WSUS Reporters" group can view the configuration and generate
reports.
QUESTION 30
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to return
to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management you create a software restriction policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Network profiles and ports are managed by using the advanced Windows Firewall settings;
software restriction policies cannot fulfill this requirement.
QUESTION 31
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows
Server 2016.
The forest contains 2,000 client computers that run Windows 10. All client computers are
deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that
administrators can access several client applications used by all users.
Solution: You deploy one physical computer and configure it as a Hyper-V host that runs
Windows Server 2016.
You create 10 virtual machines and configure each one as a PAW.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
"The PAW architecture does not allow for hosting an admin VM on a user workstation, but a user
VM with a standard corporate image can be hosted on a PAW host to provide personnel with a
single PC for all responsibilities."
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
QUESTION 32
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server5 that has the Windows Server Update Services
server role installed.
You need to configure Windows Server Update Services (WSUS) on Server5 to use SSL.
You install a certificate in the local Computer store.
Which two tools should you use? Each correct answer presents part of the solution.
A. Wsusutil
B. Netsh
C. Internet Information Services (IIS) Manager
D. Server Manager
E. Update Services
Answer: AC
Explanation:
https://technet.microsoft.com/en-us/library/hh852346(v=ws.11).aspx#bkmk_3.5.ConfigSSL
http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/
QUESTION 33
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Windows Firewall in the Control Panel, you add an application and allow the
application to communicate through the firewall on a Private network.
Does this meet the goal?
A. Yes
B. No
Answer: A
QUESTION 34
Your network contains an Active Directory domain named contoso.com. The domain contains five
servers. All servers run Windows Server 2016.
A new security policy states that you must modify the infrastructure to meet the following
requirements:
- Limit the rights of administrators.
- Minimize the attack surface of the forest.
- Support Multi-Factor authentication for administrators.
You need to recommend a solution that meets the new security policy requirements.
What should you recommend deploying?
A. an administrative forest
B. domain isolation
C. an administrative domain in contoso.com
D. the Local Administrator Password Solution (LAPS)
Answer: A
Explanation:
Because you must "Minimize the attack surface of the forest", you must create another forest for
administrators.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material#ESAE_BM
This section contains an approach for an administrative forest based on the Enhanced Security
Administrative Environment (ESAE) reference architecture deployed by Microsoft's cyber security
professional services teams to protect customers against cyber security attacks. Dedicated
administrative forests allow organizations to host administrative accounts, workstations, and
groups in an environment that has stronger security controls than the production environment.
QUESTION 35
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows
Server 2016.
The forest contains 2,000 client computers that run Windows 10. All client computers are
deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that
administrators can access several client applications used by all users.
Solution: You deploy 10 physical computers and configure them as PAWs.
You deploy 10 additional computers and configure them by using the customized Windows
image.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
QUESTION 36
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
Server1 is configured as a domain controller.
You configure Server1 as a Just Enough Administration (JEA) endpoint.
You configure the required JEA rights for a user named User1.
You need to tell User1 how to manage Active Directory objects from Server2.
What should you tell User1 to do first on Server2?
A. From a command prompt, run ntdsutil.exe.
B. From Windows PowerShell, run the Import-Module cmdlet.
C. From Windows PowerShell, run the Enter-PSSession cmdlet.
D. Install the management consoles for Active Directory, and then launch Active Directory Users and
Computers.
Answer: C
Explanation:
"Enter-PSSession -ComputerName localhost -ConfigurationName demo1ep. You should see
your prompt change to [localhost]: indicating that you are now in the special constrained session
configuration. Run Get-Command. Observe the limited set of commands available".
https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/
QUESTION 37
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
A technician is testing the deployment of Credential Guard on Server1.
You need to verify whether Credential Guard is enabled on Server1.
What should you do?
A. From a command prompt, run the credwiz.exe command.
B. From Task Manager, review the processes listed on the Details tab.
C. From Server Manager, click Local Server, and review the properties of Server1.
D. From Windows PowerShell, run the Get-WsManCredSSP cmdlet.
Answer: B
Explanation:
https://yungchou.wordpress.com/2016/10/10/credential-guard-made-easy-in-windows-10-version-1607/
Once Credential Guard is properly configured and running, you should find the "Credential Guard"
process and "lsaiso.exe" listed on the Details page in Task Manager.
QUESTION 38
Your network contains an Active Directory domain named contoso.com.
The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You deploy a new server named FinanceServer5, and join FinanceServer5 to the domain.
You need to ensure that the passwords of the local administrators of FinanceServer5 are
available to the LAPS administrators.
What should you do?
A. On FinanceServer5, register AdmPwd.dll.
B. On FinanceServer5, install the LAPS Windows PowerShell module.
C. In the domain, modify the permissions for the computer account of FinanceServer5.
D. In the domain, modify the permissions of the Domain Controllers organizational unit (OU).
Answer: B
QUESTION 39
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Center on a server named Server1 and the ATA Gateway on a server named
Server2.
You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?
A. the domain controllers to forward Event ID 4776 to Server2
B. the domain controllers to forward Event ID 1000 to Server1
C. Server2 to forward Event ID 1026 to Server1
D. Server1 to forward Event ID 1000 to Server2
Answer: A
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture
ATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway
using physical or virtual switches. If you deploy the ATA Lightweight Gateway directly on your
domain controllers, it removes the requirement for port mirroring. In addition, ATA can leverage
Windows events (forwarded directly from your domain controllers or from a SIEM server) and
analyze the data for attacks and threats. See the GREEN line in the following figure: forward event
ID 4776, which indicates NTLM authentication is being used, to the ATA Gateway on Server2.
QUESTION 40
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
You need to create Work Folders on Server1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
https://blogs.technet.microsoft.com/canitpro/2015/01/19/step-by-step-creating-a-work-folders-test-lab-deployment-in-windows-server-2012-r2/
https://technet.microsoft.com/en-us/library/dn265974(v=ws.11).aspx
QUESTION 41
Your network contains an Active Directory forest named contoso.com.
The network is connected to the Internet.
You have 100 point-of-sale (POS) devices that run Windows 10.
The devices cannot access the Internet.
You deploy Microsoft Operations Management Suite (OMS).
You need to use OMS to collect and analyze data from the POS devices.
What should you do first?
A. Deploy Windows Server Gateway to the network.
B. Install the OMS Log Analytics Forwarder on the network.
C. Install Microsoft Data Management Gateway on the network.
D. Install the Simple Network Management Protocol (SNMP) feature on the devices.
E. Add the Microsoft NDIS Capture service to the network adapter of the devices.
Answer: B
Explanation:
https://blogs.technet.microsoft.com/msoms/2016/03/17/oms-log-analytics-forwarder/
QUESTION 42
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1.
Server1 is configured as shown in the following table.
You plan to create a pilot deployment of Microsoft Advanced Threat Analytics (ATA).
You need to install the ATA Center on Server1.
What should you do first?
A. Install Microsoft Security Compliance Manager (SCM).
B. Obtain an SSL certificate.
C. Assign an additional IPv4 address.
D. Remove Server1 from the domain.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites
The ATA Center, which is the first component to be deployed on Server1, requires the use of the SSL
protocol to communicate with the ATA Gateway. To ease the installation of ATA, you can install
self-signed certificates during installation. Post deployment you should replace the self-signed
certificate with a certificate from an internal Certification Authority to be used by the ATA Center.
Make sure the ATA Center and ATA Gateways have access to your CRL distribution point. If they
don't have Internet access, follow the procedure to manually import a CRL, taking care to install all
the CRL distribution points for the whole chain.
QUESTION 43
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains
multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the
following requirements:
- The resources of the applications must be isolated from the physical
host.
- Each application must be prevented from accessing the resources of
the other applications.
- The configurations of the applications must be accessible only from
the operating system that hosts the application.
Solution: You deploy a separate Hyper-V container for each application.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
QUESTION 44
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Secure that contains all servers.
You install Microsoft Security Compliance Manager (SCM) 4.0 on a server named Server1.
You need to export the SCM Print Server Security baseline and to deploy the baseline to a server
named Server2.
What should you do? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Format to use to export the baseline: GPO Backup (folder)
Tool to use to import the baseline: Group Policy Management
When the security settings are exported from SCM 4 in GPO (folder) format, with a long GUID
name, you have to import them into a GPO by using "Group Policy Management": right-click the
GPO and use the "Import Settings" button.
Do not confuse this with security template .inf files. Only a security template .inf file (which is a
single file, not a folder) can be imported to a GPO by Group Policy Object Editor.
QUESTION 45
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The services on Server1 are shown in the following output.
Server1 has the AppLocker rules configured as shown in the exhibit (Click the Exhibit button.)
Rule1 and Rule2 are configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
On Server1, User1 can run D:\Folder2\App1.exe: Yes
On Server1, User1 can run D:\Folder1\Program1.exe: Yes
If Program1 is copied from D:\Folder1 to D:\Folder2, User1 can run Program1.exe on Server1: Yes
https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-application-identity-service
The Application Identity service determines and verifies the identity of an app. Stopping this
service will prevent AppLocker policies from being enforced. In this question, Server1's Application
Identity service is stopped; therefore, AppLocker rules are no longer enforced, and everyone can
run everything on Server1.
QUESTION 46
Hotspot Question
Your network contains an Active Directory domain named adatum.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named OU1 that contains Server1.
You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1.
A user named User1 is a member of a group named Group1.
The properties of User1 are shown in the User1 exhibit (Click the Exhibit button.)
User1 has permissions to two files on Server1 configured as shown in the following table.
From Auditing Entry for Global File SACL, you configure the advanced audit policy settings in
GPO1 as shown in the SACL exhibit (Click the Exhibit button.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
http://sourcedaddy.com/windows-7/auditing-file-and-folder-access.html
QUESTION 47
Hotspot Question
Your network contains an Active Directory forest named contoso.com.
The forest has Microsoft Identity Manager (MIM) 2016 deployed.
You implement Privileged Access Management (PAM).
You need to request privileged access from a client computer in contoso.com by using PAM.
How should you complete the Windows PowerShell script? To answer, select the appropriate
options in the answer area.
Answer:
Explanation:
$PAM = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" }
New-PAMRequest -role $PAM
QUESTION 48
Hotspot Question
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of
the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that you can implement the Local Administrator Password Solution (LAPS)
for the finance department computers.
What should you do in the contoso.com forest? To answer, select the appropriate options in the
answer area.
Answer:
Explanation:
Windows PowerShell module to import: AdmPwd.PS
Windows PowerShell cmdlet to use: update-AdmPwdADSchema
https://flamingkeys.com/deploying-the-local-administrator-password-solution-part-2/
QUESTION 49
Hotspot Question
You plan to deploy three encrypted virtual machines that use Secure Boot.
The virtual machines will be configured as shown in the following table.
How should you protect each virtual machine? To answer, select the appropriate options in the
answer area.
Answer:
Explanation:
VM1: A shielded virtual machine
VM2: An encryption-supported virtual machine
VM3: An encryption-supported virtual machine
A shielded VM prevents Virtual Machine Connection and PowerShell Direct; it prevents the Hyper-V
host from interacting in any way with the shielded VM.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-andshielded-vms
QUESTION 50
Hotspot Question
Your network contains two Active Directory forests named contoso.com and adatum.com.
Contoso.com contains a Hyper-V host named Server1.
Server1 is a member of a group named HyperHosts. Adatum.com contains a server named
Server2. Server1 and Server2 run Windows Server 2016.
Contoso.com trusts adatum.com.
You plan to deploy shielded virtual machines to Server1 and to configure Admin-trusted
attestation on Server2.
Which component should you install and which cmdlet should you run on Server2? To answer,
select the appropriate options in the answer area.
Answer:
Explanation:
Component to install on Server1: The Host Guardian Hyper-V Support feature
Cmdlet to run on Server1: Set-HgsClientConfiguration
The key for this question is Admin-trusted attestation (or AD mode) for guarded fabric
"Server1.contoso.com", while Server2.adatum.com is running the Host Guardian Service.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricguarded-host-prerequisites
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricconfirm-hosts-can-attest-successfully
QUESTION 51
The New-CIPolicy cmdlet creates a Code Integrity policy as an .xml file. If you do NOT supply
either driver files or rules what will happen?
A. The cmdlet performs a system scan
B. An exception/warning is shown because either one is required
C. Nothing
D. The cmdlet searches the Code Integrity Audit log for drivers
Answer: A
Explanation:
If you do not supply either driver files or rules, this cmdlet performs a system scan similar to the
Get-SystemDriver cmdlet.
The cmdlet generates rules based on Level. If you specify the Audit parameter, this cmdlet scans
the Code Integrity Audit log instead.
QUESTION 52
Read the following statement carefully and answer YES or NO.
You create a rule "Allow Everyone to run Windows except Registry Editor" that allows everyone in
the organization to run Windows but does not allow anyone to run Registry Editor.
The effect of this rule would prevent users such as help desk personnel from running a program
that is necessary for their support tasks.
To resolve this problem, you create a second rule that applies to the Helpdesk user group: "Allow
Helpdesk to run Registry Editor."
However, if you created a deny rule that did not allow any users to run Registry Editor, would the
deny rule override the second rule that allows the Helpdesk user group to run Registry Editor?
A. NO
B. YES
Answer: B
Explanation:
For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in
the organization to run Windows but does not allow anyone to run Registry Editor. The effect of
this rule would prevent users such as help desk personnel from running a program that is
necessary for their support tasks. To resolve this problem, create a second rule that applies to the
Helpdesk user group: "Allow Helpdesk to run Registry Editor." If you create a deny rule that does
not allow any users to run Registry Editor, the deny rule will override the second rule that allows
the Helpdesk user group to run Registry Editor.
https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx
QUESTION 53
A shielding data file (also called a provisioning data file or PDK file) is an encrypted file that a
tenant or VM owner creates to protect important VM configuration information.
A fabric administrator uses the shielding data file when creating a shielded VM, but is unable to
view or use the information contained in the file.
Which information can be stored in the shielding data file?
A. Administrator credentials
B. All of these
C. A Key Protector
D. Unattend.xml
Answer: B
QUESTION 54
You're creating a new GPO for WSUS settings so that client computers retrieve updates from
your company's official WSUS server.
In the Group Policy Management Editor you have drilled down to Computer
ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows Update and
have right clicked the "Specify intranet Microsoft update service location" and chosen Edit.
If the FQDN for your WSUS server is CONTOSO-WSUS1.contoso.com, which URL would you
enter into the field?
A. http://CONTOSO-WSUS1.contoso.com:443
B. http://CONTOSO-WSUS1.contoso.com:21
C. http://CONTOSO-WSUS1.contoso.com:80
D. http://CONTOSO-WSUS1.contoso.com:8530
Answer: D
Explanation:
The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer
(HTTPS) port is 8531.
If you're unsure which port WSUS is using for client communication, right-click the WSUS
Administration site in IIS Manager, and then click Edit Bindings.
QUESTION 55
Windows PowerShell is a task-based command-line shell and scripting language designed
especially for system administration.
Windows Defender comes with a number of different Defender-specific cmdlets that you can run
through PowerShell to automate common tasks.
Which cmdlet would you run first if you wanted to perform an offline scan?
A. Start-MpWDOScan
B. Start-MpScan
C. Set-MpPreference -DisableRestorePoint $true
D. Set-MpPreference -DisablePrivacyMode $true
Answer: A
Explanation:
Some malicious software can be particularly difficult to remove from your PC. Windows Defender
Offline (Start-MpWDOScan) can help to find and remove this using up-to-date threat definitions.
QUESTION 56
_____ enables easier management for BitLocker enabled desktops and servers in a domain
environment by providing automatic unlock of operating system volumes at system reboot when
connected to a wired corporate network. This feature requires the client hardware to have a
DHCP driver implemented in its UEFI firmware.
A. Network Unlock
B. EFS recovery agent
C. JEA
D. Credential Guard
Answer: A
Explanation:
https://technet.microsoft.com/en-us/library/jj574173(v=ws.11).aspx
See last sentence of first paragraph: "This feature requires the client hardware to have a DHCP
driver implemented in its UEFI firmware"
QUESTION 57
This question relates to Windows Firewall and related technologies.
These rules use IPsec to secure traffic while it crosses the network.
You use these rules to specify that connections between two computers must be authenticated or
encrypted.
What is the name for these rules?
A. Connection Security Rules
B. Firewall Rules
C. TCP Rules
D. DHP Rules
Answer: A
QUESTION 58
Windows Firewall rules can be configured using PowerShell.
The "Set-NetFirewallProfile" cmdlet configures settings that apply to the per-profile configurations
of the Windows Firewall with Advanced Security.
What is the default setting for the AllowInboundRules parameter when managing a GPO?
A. FALSE
B. NotConfigured
Answer: B
Explanation:
The default setting when managing a computer is True. When managing a GPO, the default
setting is NotConfigured. The NotConfigured value is only valid when configuring a Group Policy
Object (GPO). This parameter removes the setting from the GPO, which results in the policy not
changing the value on the computer when the policy is applied.
QUESTION 59
The "Network Security: Restrict NTLM: NTLM authentication in this domain" policy setting allows
you to deny or allow NTLM authentication within a domain from this domain controller.
Which value would you choose so that the domain controller will deny all NTLM authentication
logon attempts using accounts from this domain to all servers in the domain?
The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless
the server name is on the exception list in the Network security: Restrict NTLM: Add server
exceptions in this domain policy setting.
A. Deny for domain accounts
B. Deny for domain accounts to domain servers
C. Deny all
D. Deny for domain servers
Answer: B
QUESTION 60
Encryption-supported VMs are intended for use where the fabric administrators are fully trusted.
For example, an enterprise might deploy a guarded fabric in order to ensure VM disks are
encrypted at-rest for compliance purposes.
Shielded VMs are intended for use in fabrics where the data and state of the VM must be
protected from both fabric administrators and untrusted software that might be running on the
Hyper-V hosts.
Is the Virtual Machine Connection (Console), HID devices (e.g. keyboard, mouse) ON or OFF for
encryption-supported VMs?
A. Off
B. On
Answer: B
Explanation:
Shielded VMs will never permit a VM console connection whereas a fabric administrator can turn
this protection on or off for encryption supported VMs.
QUESTION 61
Updates typically consist of new versions of files that already exist on the computer that is being
updated. On a binary level, these existing files might not differ very much from updated versions.
The _________ feature identifies the exact bytes between versions, creates and distributes
updates of only those differences, and then merges the existing file together with the updated
bytes.
A. Background Intelligent Transfer Service
B. Express installation files
C. Filters
D. Deferred download
Answer: B
Explanation:
You can use express installation files to limit the bandwidth that is consumed on the local
network, because WSUS transmits only the delta applicable to a particular version of an updated
component. However, this comes at the cost of additional bandwidth between your WSUS server,
any upstream WSUS servers, and Microsoft Update, and requires additional local disk space. By
default, WSUS does not use express installation files.
QUESTION 62
The AppLocker Microsoft Management Console (MMC) snap-in is organized into areas called
rule collections. It can differentiate between various file types and formats.
Do you know which of the following is NOT a script file format?
A. .cmd
B. .com
C. .js
D. .bat
Answer: B
Explanation:
A .com file (like an .exe file) is an executable; the others are all scripts.
QUESTION 63
One solution to help reduce the potential for stolen data is to encrypt sensitive files by using
Encrypting File System (EFS) to increase the security of your data. Encryption is the application
of a mathematical algorithm to make data unreadable except to those users who have the
required key. EFS is a Microsoft technology that lets you encrypt data on your computer, and
control who can decrypt, or recover, the data. When files are encrypted, user data cannot be read
even if an attacker has physical access to the computer's data storage.
Which certificate allows the holder to recover encrypted files and folders throughout a domain or
other scope, no matter who encrypted them?
A. File Recovery certificate
B. Encrypting File System certificate
Answer: A
QUESTION 64
Complete the two missing terms in the paragraph below:
Consider some IT professionals in a department that runs many servers. They decide they want
their servers to run only software signed by the providers of their software and drivers, that is, the
companies that provide their hardware, operating system, antivirus, and other important software.
They know that their servers also run an internally written application that is unsigned but is rarely
updated. They want to allow this application to run.
To create the code integrity policy, they build a reference server on their standard hardware, and
install all of the software that their servers are known to run. Then they run New-CIPolicy with
-Level ________ (to allow software from their software providers) and -Fallback ________ (to
allow the internal, unsigned application).
A. Publisher, Hash
B. WHQLPublisher, Hash
C. LeafCertificate, Hash
D. RootCertificate, Hash
Answer: A
QUESTION 65
Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small
configuration issue will be the root cause of the failure.
Which utility would you use to verify group policy is reaching the clients properly?
A. gpfixup.exe
B. pnputil.exe
C. ktmutil.exe
D. gpresult.exe
Answer: D
Explanation:
Gpresult displays the Resultant Set of Policy (RSoP) information for a remote user and computer.
QUESTION 66
You deploy the Host Guardian Service (HGS).
You have several Hyper-V hosts that have older hardware and Trusted Platform Modules (TPMs)
version 1.2.
You discover that the Hyper-V hosts cannot start shielded virtual machines.
You need to configure HGS to ensure that the older Hyper-V hosts can host shielded virtual
machines.
What should you do?
A. Run the Set-HgsServer cmdlet and specify the -TrustTpm parameter.
B. Run the Set-HgsServer cmdlet and specify the -TrustActiveDirectory parameter.
C. Run the Clear-HgsServer cmdlet and specify the -Clustername parameter
D. Run the Clear-HgsServer cmdlet and specify the -Force parameter.
E. It is not possible to enable older Hyper-V hosts to run Shielded virtual machines
Answer: E
Explanation:
Requirements and Limitations
There are several requirements for using Shielded VMs and the HGS:
One bare metal host: You can deploy the Shielded VMs and the HGS with just one host. However,
Microsoft recommends that you cluster HGS for high availability.
Windows Server 2016 Datacenter Edition: The ability to create and run Shielded VMs and the
HGS is only supported by Windows Server 2016 Datacenter Edition.
For Admin-trusted attestation mode: You only need to have server hardware capable of running
Hyper-V in Windows Server 2016 TP5 or higher.
For TPM-trusted attestation: Your servers must have TPM 2.0 and UEFI 2.3.1 and they must boot
in UEFI mode. The hosts must also have secure boot enabled.
Hyper-V role: Must be installed on the guarded host.
HGS Role: Must be added to a physical host.
Generation 2 VMs.
A fabric AD domain.
An HGS AD, which in Windows Server 2016 TP5 is a separate AD infrastructure from your fabric AD.
QUESTION 67
Your network contains an Active Directory domain named contoso.com. The domain contains
multiple servers that run either Windows Server 2012 or Windows Server 2012 R2.
You plan to implement Just Enough Administration (JEA) to manage all of the servers.
What should you install on each server to ensure that the servers can be managed by using JEA?
A. Remote Server Administration Tools (RSAT)
B. Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
C. Management Odata Internet Information Services (IIS) Extension
D. Windows Management Framework 5.0
Answer: D
Explanation:
https://msdn.microsoft.com/en-us/library/dn896648.aspx
Get JEA
The current release of JEA is available on the following platforms:
Windows Server
Windows Server 2016 Technical Preview 5 and higher
Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2* with Windows
Management Framework 5.0 installed
QUESTION 68
You have the servers configured as shown in the following table.
You purchase a Microsoft Azure subscription, and you create three Microsoft Operations
Management Suite (OMS) workspaces named Workspace1, Workspace2, and Workspace3.
You need to deploy Microsoft Monitoring Agent to the servers to meet the following requirements:
- Antimalware data from all the servers must be visible in Workspace1.
- Security and audit data from the domain controllers and the
virtualization hosts must be visible in Workspace2.
- System update data from all the servers in all the workgroups must be
visible in Workspace3
How many OMS agents should you deploy?
A. 10
B. 33
C. 73
D. 45
Answer: C
Explanation:
"All the servers" means all 5 domain controllers, plus all member servers (physical and virtual,
domain and workgroup) and virtualization hosts, so there are no exemptions. All servers
mentioned in the above table must install the OMS Microsoft Monitoring Agent.
QUESTION 69
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016.
You need to prevent direct .NET scripts invoked by interactive Windows PowerShell sessions
from running on the servers.
What should you do for each server?
A. Create an AppLocker rule.
B. Create a Code Integrity rule.
C. Disable PowerShell Remoting.
D. Modify the local Kerberos policy settings.
Answer: C
QUESTION 70
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that has Microsoft Security Compliance Manager
(SCM) 4.0 installed.
The domain contains domain controllers that run Windows Server 2016.
A Group Policy object (GPO) named GPO1 is applied to all of the domain controllers.
GPO1 has a Globally Unique Identifier (GUID) of 7ABCDEFG-1234-5678-90AB-005056123456.
You need to create a new baseline that contains the settings from GPO1.
What should you do first?
A. Copy the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB-005056123456}
folder to Server1.
B. From Group Policy Management, create a backup of GPO1.
C. From Windows PowerShell, run the Copy-GPO cmdlet.
D. Modify the permissions of the
\\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB-005056123456}
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/hh489604.aspx
You can import current settings from your GPOs and compare these to the Microsoft
recommended best practices. Start with a GPO backup that you would commonly create in the
Group Policy Management Console (GPMC). Take note of the folder to which the backup is saved.
In SCM, select GPO Backup, browse to the GPO folder's Globally Unique Identifier (GUID) and
select a name for the GPO when it's imported. SCM will preserve any ADM files and GP
Preference files (those with non-security settings that SCM doesn't parse) you're storing with your
GPO backups. It saves them in a subfolder within the user's public folder.
When you export the baseline as a GPO again, it also restores all the associated files.
QUESTION 71
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain
members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that you can view Windows PowerShell code that was generated dynamically
and executed on the computers in OU1.
What would you configure in GP1?
A. Object Access\Audit Application Generated from the advanced audit policy
B. Turn on PowerShell Script Block Logging from the PowerShell settings
C. Turn on Module Logging from the PowerShell settings
D. Object Access\Audit Other Object Access Events from the advanced audit policy
Answer: B
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to
log the invocation of cmdlets, PowerShell's scripting language has plenty of features that you might
want to log and/or audit. The new Detailed Script Tracing feature lets you enable detailed tracking
and analysis of Windows PowerShell scripting use on a system. After you enable detailed script
tracing, Windows PowerShell logs all script blocks to the ETW event log,
Microsoft-Windows-PowerShell/Operational. If a script block creates another script block (for
example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block
is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging
Group Policy setting (in Administrative Templates -> Windows Components -> Windows
PowerShell).
QUESTION 72
Your network contains an Active Directory forest named contoso.com.
All domain controllers run Windows Server 2016. Member servers run either Windows Server
2012 R2 or Windows Server 2016.
Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are
encrypted when they are transferred over the network.
Solution: You enable access-based enumeration on all the file shares.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Access-based enumeration does not encrypt file transfers over the network.
QUESTION 73
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Security Options.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
QUESTION 74
Your network contains an internal network and a perimeter network.
The internal network contains an Active Directory forest named contoso.com.
You deploy five servers to the perimeter network.
All of the servers run Windows Server 2016 and are the members of a workgroup.
You need to apply a security baseline named Perimeter.inf to the servers in the perimeter
network.
What should you use to apply Perimeter.inf?
A. Local Computer Policy
B. Security Configuration Wizard (SCW)
C. Group Policy Management
D. Server Manager
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows-server/get-started/deprecated-features
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
https://msdn.microsoft.com/en-us/library/bb742512.aspx
QUESTION 75
You enable and configure PowerShell Script Block Logging.
You need to view which script blocks were executed by using Windows PowerShell scripts.
What should you do?
A. View the Microsoft-Windows-PowerShell/Operational event log.
B. Open the log files in %LocalAppData%\Microsoft\Windows\PowerShell.
C. View the Windows PowerShell event log.
D. Open the log files in %SYSTEMROOT%\Logs.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the event
log, Microsoft-Windows-PowerShell/Operational.
QUESTION 76
Your network contains an Active Directory domain named contoso.com.
The domain contains four global groups named Group1, Group2, Group3, and Group4.
A user named User1 is a member of Group3.
You have an organizational unit (OU) named OU1 that contains computer accounts.
A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account
named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table:
You need to ensure that User1 can access the shares on Computer1. What should you do?
A. Modify the membership of Group1.
B. In GPO1, modify the Access this computer from the network user right
C. Modify the Deny access to this computer from the network user right.
D. Modify the Deny log on locally user right
Answer: B
QUESTION 77
You are building a guarded fabric.
You need to configure Admin-trusted attestation.
Which cmdlet should you use?
A. Add-HgsAttestationHostGroup
B. Add-HgsAttestationTpmHost
C. Add-HgsAttestationCIPolicy
D. Add-HgsAttestationTpmPolicy
Answer: A
Explanation:
Authorize Hyper-V hosts using Admin-trusted attestation
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-addhost-information-for-admin-trusted-attestation
QUESTION 78
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016.
You implement a single-domain administrative forest named admin.contoso.com that has
Enhanced Security Administrative Environment (ESAE) deployed.
You have an administrative user named Admin1 in admin.contoso.com.
You need to ensure that Admin1 can manage the domain controllers in contoso.com.
To which group should you add Admin1?
A. Contoso\Domain Admins
B. Admin\Administrators
C. Admin\Domain Admins
D. Contoso\Administrators
Answer: D
Explanation:
admin.contoso.com (NetBIOS domain name "ADMIN") is the administrative domain.
contoso.com (NetBIOS domain name "CONTOSO") is the corporate resource domain.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material
QUESTION 79
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether ICMP traffic is exempt from IPsec on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: D
Explanation:
The Get-NetFirewallSetting cmdlet retrieves the global firewall settings of the target computer.
The NetFirewallSetting object specifies properties that apply to the firewall and IPsec settings, no
matter which network profile is currently in use. The global configurations include viewing the
active profile, exemptions, specified certification validation levels, and user and computer
authorization lists.
QUESTION 80
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to
the corporate network.
Solution: You run the command New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound
-Program "D:\Apps\App1.exe" -Action Allow -Profile Domain
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Tested correct cmdlet, worked, and the profile "Domain" for corporate network is also correct.
QUESTION 81
Your network contains an Active Directory domain named contoso.com.
The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2016.
You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence?
A. Install-HgsServer
B. Install-Module
C. Install-Package
D. Enable-WindowsOptionalFeature
E. Install-ADDSDomainController
F. Initialize-HgsServer
Answer: AEF
Explanation:
Correct order of actions:
1. Install-ADDSDomainController, as Server22 is a workgroup computer, create a new domain on it
first.
2. Install-HgsServer
3. Initialize-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricsetting-up-the-host-guardian-service-hgs
Install-HgsServer:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricinstall-hgs-default
Initialize-HgsServer:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricinitialize-hgs-tpm-mode-default
QUESTION 82
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The local administrator credentials of Server1 are managed by using the Local Administrator
Password Solution (LAPS).
You need to retrieve the password of the Administrator account on Server1.
What should you do?
A. From Windows PowerShell on Server1, run the Get-ADFineGrainedPasswordPolicy cmdlet and
specify the -Credential parameter.
B. From Windows PowerShell on Server1, run the Get-ADUser cmdlet and specify the -Credential
parameter.
C. From Active Directory Users and Computers, open the properties of Server1 and view the value
of the ms-Mcs-AdmPwd attribute.
D. From Active Directory Users and Computers, open the properties of Administrator and view the
value of the userPassword attribute.
Answer: C
Explanation:
The "ms-Mcs-AdmPwd" attribute of a computer account in Active Directory Users and Computers
stores the local Administrator password of a computer, which is configured by LAPS.
QUESTION 83
Your network contains an Active Directory domain named contoso.com.
The domain contains a DNS server named Server1 that runs Windows Server 2016.
A domain-based Group Policy object (GPO) is used to configure the security policy of Server1.
You plan to use Security Compliance Manager (SCM) 4.0 to compare the security policy of
Server1 to the WS2012 DNS Server Security 1.0 baseline.
You need to import the security policy into SCM. What should you do first?
A. From Security Configuration and Analysis, use the Export Template option.
B. Run the Copy-GPO cmdlet and specify the -TargetName parameter.
C. Run the Backup-GPO cmdlet and specify the -Path parameter.
D. Run the secedit.exe command and specify the /export parameter.
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/ee461052.aspx
Running the Backup-GPO cmdlet with the -Path parameter creates a GPO backup folder with a GUID
name that is suitable for import into SCM 4.0.
QUESTION 84
Your network contains an Active Directory forest named contoso.com.
The forest contains three domains. All domain controllers run Windows Server 2016.
You deploy a second Active Directory forest named admin.contoso.com.
The forest contains a domain member server named Server1.
Server1 has Microsoft Identity Manager (MIM) 2016 deployed.
You need to implement Privileged Access Management (PAM) and to use admin.contoso.com as
an administrative forest.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From a domain controller in contoso.com, run the New-PAMTrust cmdlet.
B. From Server1, run the New-PAMDomainConfiguration cmdlet.
C. From a domain controller in admin.contoso.com, run the New-PAMTrust cmdlet.
D. From a domain controller in contoso.com, run the New-PAMDomainConfiguration cmdlet.
E. From a domain controller in admin.contoso.com, run the New-PAMDomainConfiguration cmdlet.
F. From Server1, run the New-PAMTrust cmdlet.
Answer: BF
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corpforests
QUESTION 85
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
You need to configure Nano1 as a Hyper-V Host. Which command should you run?
A. Add-WindowsFeature Microsoft-NanoServer-Compute-Package
B. Add-WindowsFeature Microsoft-NanoServer-Guest-Package
C. Add-WindowsFeature Microsoft-NanoServer-Host-Package
D. Add-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
E. Install-Package Microsoft-NanoServer-Compute-Package
F. Install-Package Microsoft-NanoServer-Guest-Package
G. Install-Package Microsoft-NanoServer-Host-Package
H. Install-Package Microsoft-NanoServer-ShieldedVM-Package
I. Install-WindowsFeature Microsoft-NanoServer-Compute-Package
J. Install-WindowsFeature Microsoft-NanoServer-Guest-Package
K. Install-WindowsFeature Microsoft-NanoServer-Host-Package
L. Install-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
Answer: E
Explanation:
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server#BKMK_online
The Nano Server package "Microsoft-NanoServer-Compute-Package" includes the Hyper-V role
for a Nano Server host. Moreover, the Install-WindowsFeature and Add-WindowsFeature cmdlets are
NOT available on a Nano Server.
QUESTION 86
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether any connection security rules are configured on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: A
Explanation:
https://technet.microsoft.com/en-us/itpro/powershell/windows/netsecurity/get-netipsecrule
Get-NetIPSecRule displays the existence and details of connection security rules, as
connection security rules implement IPsec between computers (not using tunnel endpoints) or
sites (using tunnel endpoints).
QUESTION 87
You implement Log Analytics in Microsoft Operations Management Suite (OMS) on all servers
that run Windows Server 2016.
You need to generate a daily report that identifies which servers restarted during the last 24
hours.
Which query should you use?
A. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
B. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
C. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
D. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-searches
Computer restart events are stored in the "System" event log instead of the Application event log.
The "NOW-24HOURS" clause matches all events generated in the last 24 hours.
QUESTION 88
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You add User1 to the Backup Operators group on Server1 and Server2.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx
Backup Operators: Members of this group can back up and restore files on a computer, regardless
of any permissions that protect those files. This is because the right to perform a backup takes
precedence over all file permissions. Members of this group cannot change security settings.
QUESTION 89
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to
the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080, uses a scope
of 172.16.0.0/16 for local IP addresses, and applies to a private profile.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The requirement is "You need to ensure that App1.exe can accept connections only when Computer1
is connected to the corporate network.", so you should create the firewall rule for the "Domain"
profile instead, not the "Private" profile.
https://technet.microsoft.com/en-us/library/getting-started-wfas-firewall-profiles-ipsec(v=ws.10).aspx
QUESTION 90
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to implement BitLocker Network Unlock for all of the laptops. Which server role should
you deploy to the network?
A. Network Controller
70-744.pdf

  • 1. Vendor: Microsoft Exam Code: 70-744 Exam Name: Securing Windows Server 2016 Version: 18.071
  • 2. Important Notice Product Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within One year after your purchase. You can login member center and download the latest product anytime. (Product downloaded from member center is always the latest.) PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam again. Feedback We devote to promote the product quality and the grade of service to ensure customers interest. If you have any questions about our product, please provide Exam Number, Version, Page Number, Question Number, and your Login Account to us, please contact us at support@passleader.com and our technical experts will provide support in 24 hours. Copyright The product of each order has its own encryption code, so you should use it independently. If anyone who share the file we will disable the free update and account access. Any unauthorized changes will be inflicted legal punishment. We will reserve the right of final explanation for this statement. Order ID: **************** PayPal Name: **************** PayPal ID: ****************
  • 3. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 2 QUESTION 1 Note: This question is part of a series of question that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is Independent of the other questions in this series. Information and details provided in a question apply only to that question. Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2016. Server1 has a volume named Volume1. Dynamic Access Control is configured. A resource property named Property1 was created in the domain. You need to ensure that Property1 is set to a value of Big for all of the files in Volume1 that are larger than 10 MB. Which tool should you use? A. File Explorer B. Shared Folders C. Server Manager D. Disk Management E. Storage Explorer F. Computer Management G. System Configuration H. File Server Resource Manager (FSRM) Answer: H Explanation: In FSRM, "Large Files" creates a list of files conforming to a specified file spec that are a specified size or larger. QUESTION 2 Note: This question is part of a series of questions that present the same scenario. Each question In the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to It. As a result, these questions will not appear in the review screen. Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2016. The forest contains 2,000 client computers that run Windows 10. All client computers are deployed (rom a customized Windows image. You need to deploy 10 Pnvileged Access Workstations (PAWs). 
The solution must ensure that administrators can access several client applications used by all users. Solution: You deploy 10 physical computers and configure each wie as a virtualization host. You deploy the operating system on each host by using the customized Windows image. On each host you create a guest virtual machine and configure the virtual machine as a PAW. Does this meet the goal? A. Yes B. No Answer: B Explanation:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

QUESTION 3
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2016.
You create a new bastion forest named admin.contoso.com. The forest functional level of admin.contoso.com is Windows Server 2012 R2.
You need to implement a Privileged Access Management (PAM) solution.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Raise the forest functional level of admin.contoso.com.
B. Deploy Microsoft Identity Management (MIM) 2016 to admin.contoso.com.
C. Configure contoso.com to trust admin.contoso.com.
D. Deploy Microsoft Identity Management (MIM) 2016 to contoso.com.
E. Raise the forest functional level of contoso.com.
F. Configure admin.contoso.com to trust contoso.com.
Answer: AC
Explanation:
Bastion forests should always be upgraded to the current version. It defeats the purpose otherwise. You need a one-way transitive trust from your production to your bastion.

QUESTION 4
Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run Windows 8.1 and 1,000 client computers that run Windows 10.
You deploy a Windows Server Update Services (WSUS) server. You create a computer group for each organizational unit (OU) that contains client computers. You configure all of the client computers to receive updates from WSUS.
You discover that all of the client computers appear in the Unassigned Computers computer group in the Update Services console.
You need to ensure that the client computers are added automatically to the computer group that corresponds to the location of the computer account in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From Group Policy objects (GPOs), configure the Enable client-side targeting setting.
B. From the Update Services console, configure the Computers option.
C. From Active Directory Users and Computers, create a domain local distribution group for each WSUS computer group.
D. From Active Directory Users and Computers, modify the flags attribute of each OU.
E. From the Update Services console, run the WSUS Server Configuration Wizard.
Answer: AB
Explanation:
https://technet.microsoft.com/en-us/library/dd252762.aspx
https://technet.microsoft.com/en-us/library/cc720433(v=ws.10).aspx

QUESTION 5
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. Server1 has a shared folder named Share1.
You need to encrypt the contents of Share1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
You can encrypt files from File and Storage Services > share > properties of the folder, and then Settings; there is an "Encrypt data access" checkbox, which is unchecked by default.

QUESTION 6
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that you can deploy a shielded virtual machine to Server4.
Which server role should you deploy?
A. Hyper-V
B. Device Health Attestation
C. Network Controller
D. Host Guardian Service
Answer: D
Explanation:
A guarded fabric consists of:
- 1 Host Guardian Service (HGS)
- 1 or more guarded hosts (in this case Server4)
- A set of shielded VMs
https://technet.microsoft.com/en-us/windows-server-docs/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms

QUESTION 7
Your network contains an Active Directory domain named contoso.com. The domain contains four servers. The servers are configured as shown in the following table.
You need to manage FS1 and FS2 by using Just Enough Administration (JEA).
What should you do before you can implement JEA?
A. Install Microsoft .NET Framework 4.6.2 on FS2.
B. Install Microsoft .NET Framework 4.6.2 on FS1.
C. Install Windows Management Framework 5.0 on FS2.
D. Upgrade FS2 to Windows Server 2016.
Answer: C
Explanation:
JEA is incorporated into Windows Server 2016 and Windows 10, and is also incorporated into Windows Management Framework 5.0, which you can download and install on computers running Windows Server 2012 R2.

QUESTION 8
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA). You create a user named User1.
You need to configure the user account of User1 as a Honeytoken account.
Which information must you use to configure the Honeytoken account?
A. the SAM account name of User1
B. the Globally Unique Identifier (GUID) of User1
C. the SID of User1
D. the UPN of User1
Answer: C
Explanation:
To configure a Honeytoken user you will need the SID of the user account, not the user name.
https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/working-with-detection-settings

QUESTION 9
Your network contains two single-domain Active Directory forests named contoso.com and contosoadmin.com. Contosoadmin.com contains all of the user accounts used to manage the servers in contoso.com.
You need to recommend a workstation solution that provides the highest level of protection from vulnerabilities and attacks.
What should you include in the recommendation?
A. Provide a Privileged Access Workstation (PAW) for each user account in both forests. Join each PAW to the contoso.com domain.
B. Provide a Privileged Access Workstation (PAW) for each user in the contoso.com forest. Join each PAW to the contoso.com domain.
C. Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contoso.com domain.
D. Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contosoadmin.com domain.
Answer: D
Explanation:
Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment.
https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM

QUESTION 10
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to disable SMB 1.0 on Server2.
What should you do?
A. From File Server Resource Manager, create a classification rule.
B. From the properties of each network adapter on Server2, modify the bindings.
C. From Windows PowerShell, run the Set-SmbClientConfiguration cmdlet.
D. From Server Manager, remove a Windows feature.
Answer: C
Explanation:
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

QUESTION 11
Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run Windows 10.
A security audit reveals that the network recently experienced a Pass-the-Hash attack. The attack was initiated from a client computer and accessed Active Directory objects restricted to the members of the Domain Admins group.
You need to minimize the impact of another successful Pass-the-Hash attack on the domain.
What should you recommend?
A. Instruct all users to sign in to a client computer by using a Microsoft account.
B. Move the computer accounts of all the client computers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.
C. Instruct all administrators to use a local Administrators account when they sign in to a client computer.
D. Move the computer accounts of the domain controllers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.
Answer: A
Explanation:
For this question, the best answer would be to log in using a Microsoft account. The Windows Hello service uses a virtual LSASS that is protected from caching credentials. But that is only for Windows 10 with Fall Creators Update 1607 or Server 2016, which it does not mention.
Again, this question is missing one of the possible choices, which was the correct answer. Without that choice, the next best answer would be to use a Microsoft Account with Win 10 along with update 1607, which added LSASS virtualization.

QUESTION 12
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to exclude D:\Folder1 on Nano1 from being scanned by Windows Defender.
Which cmdlet should you run?
A. Set-StorageSetting
B. Set-FsrmFileScreenException
C. Set-MpPreference
D. Set-DtcAdvancedSetting
Answer: C
Explanation:
-ExclusionPath: Specifies an array of file paths to exclude from scheduled and real-time scanning. You can specify a folder to exclude all the files under the folder.
https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference

QUESTION 13
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that the marketing department computers validate DNS responses from adatum.com.
Which setting should you configure in the Computer Configuration node of GP1?
A. TCPIP Settings from Administrative Templates
B. Connection Security Rule from Windows Settings
C. DNS Client from Administrative Templates
D. Name Resolution Policy from Windows Settings
Answer: D
Explanation:
The NRPT is a table that contains rules that you can configure to specify DNS settings or special behavior for names or namespaces. The NRPT can be configured using the Group Policy Management Editor under Computer Configuration\Policies\Windows Settings\Name Resolution Policy, or with Windows PowerShell.
If a DNS query matches an entry in the NRPT, it is handled according to settings in the policy. Queries that do not match an NRPT entry are processed normally.
You can use the NRPT to require that DNSSEC validation is performed on DNS responses for queries in the namespaces that you specify.

QUESTION 14
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016 and a Nano Server named Nano1. Nano1 has two volumes named C and D.
You are signed in to Server1.
You need to configure Data Deduplication on Nano1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
Enable Data Deduplication by using Server Manager
https://technet.microsoft.com/en-us/windows-server-docs/storage/data-deduplication/install-enable

QUESTION 15
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network. The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management you create a software restriction policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The network profiles and the ports can be managed by using advanced Windows Firewall settings, and software restriction policies cannot fulfill the needs.

QUESTION 16
Your network contains an Active Directory domain named contoso.com. The domain contains five file servers that run Windows Server 2016.
You have an organizational unit (OU) named Finance that contains all of the servers. You create a Group Policy object (GPO) and link the GPO to the Finance OU.
You need to ensure that when a user in the finance department deletes a file from a file server, the event is logged. The solution must log only users who have a manager attribute of Ben Smith.
Which audit policy setting should you configure in the GPO?
A. File system in Global Object Access Auditing
B. Audit Detailed File Share
C. Audit Other Account Logon Events
D. Audit File System in Object Access
Answer: A
Explanation:
Only Global Object Access Auditing can read user attributes.

QUESTION 17
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
- The resources of the applications must be isolated from the physical host.
- Each application must be prevented from accessing the resources of the other applications.
- The configurations of the applications must be accessible only from the operating system that hosts the application.
Solution: You deploy one Windows container to host all of the applications.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Isolation occurs at the container level. Multiple applications in the same container would share the same resources.
http://windowsitpro.com/windows-server-2016/differences-between-windows-containers-and-hyper-v-containers-windows-server-201

QUESTION 18
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You plan to implement BitLocker Drive Encryption (BitLocker) on the operating system volumes of the application servers.
You need to ensure that the BitLocker recovery keys are stored in Active Directory.
Which Group Policy setting should you configure?
A. System cryptography: Force strong key protection for user keys stored on the computer
B. Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
C. System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing
D. Choose how BitLocker-protected operating system drives can be recovered
Answer: D
Explanation:
Answer B is only applicable if using Win 2008 NON R2 Edition. Since it states we are using 2008 R2, the correct answer is D.

QUESTION 19
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You add User1 to the Backup Operators group in contoso.com.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
No, Server1 and Server2 use the local group "Backup Operators" for granting backup and restore rights to normal users. The solution would let User1 back up files and folders on domain controllers for contoso.com instead.

QUESTION 20
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named Administration that contains the computer account of Server1.
You import the Active Directory module to Server1. You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU.
You need to log an event each time an Active Directory cmdlet is executed successfully from Server1.
What should you do?
A. From Advanced Audit Policy in GPO1, configure auditing for directory service changes.
B. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $false command.
C. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $true command.
D. From Advanced Audit Policy in GPO1, configure auditing for other privilege use events.
Answer: C

QUESTION 21
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2016.
The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 4.0 installed.
You export the baseline shown in the following exhibit.
You have a server named Server2 that is a member of a workgroup.
You copy the (2617e9b1-9672-492b-aefa-0505054848c2) folder to Server2.
You need to deploy the baseline settings to Server2.
What should you do?
A. Download, install, and then run the Lgpo.exe command.
B. From Group Policy Management, import a Group Policy object (GPO).
C. From Windows PowerShell, run the Restore-GPO cmdlet.
D. From Windows PowerShell, run the Import-GPO cmdlet.
E. From a command prompt, run the secedit.exe command and specify the /import parameter.
Answer: A
Explanation:
Server2 is a non-domain joined computer using the GPO pack feature.
Source: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
LGPO.exe replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM).
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/

QUESTION 22
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. Server1 has a shared folder named Share1.
You need to ensure that all access to Share1 uses SMB Encryption.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/dn551363(v=ws.11).aspx
See section "To enable SMB Encryption by using Server Manager"

QUESTION 23
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012. The forest contains a single domain. The domain contains multiple Hyper-V hosts.
You plan to deploy guarded hosts. You deploy a new server named Server22 to a workgroup.
You need to configure Server22 as a Host Guardian Service server.
What should you do before you initialize the Host Guardian Service on Server22?
A. Install the Active Directory Domain Services server role on Server22.
B. Obtain a certificate.
C. Raise the forest functional level.
D. Join Server22 to the domain.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricchoose-where-to-install-hgs
The only technical requirement for installing HGS in an existing forest is that it be added to the root domain; non-root domains are not supported.

QUESTION 24
Your network contains an Active Directory domain named contoso.com.
You create a Microsoft Operations Management Suite (OMS) workspace.
You need to connect several computers directly to the workspace.
Which two pieces of information do you require? Each correct answer presents part of the solution.
A. the ID of the workspace
B. the name of the workspace
C. the URL of the workspace
D. the key of the workspace
Answer: AD
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents

QUESTION 25
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), link it to the Operations Users OU, and modify the Users Rights Assignment in the GPO.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Yes, in the "User Rights Assignment" section of a GPO, two settings for assigning backup and restore user rights are available as follows:

QUESTION 26
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains
multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
- The resources of the applications must be isolated from the physical host.
- Each application must be prevented from accessing the resources of the other applications.
- The configurations of the applications must be accessible only from the operating system that hosts the application.
Solution: You deploy a separate Windows container for each application.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
By using Windows Container:
- The resources of the applications must be isolated from the physical host. (ACHIEVED, as a single container could only access its own resources, but not others)
- Each application must be prevented from accessing the resources of the other applications. (ACHIEVED, as a single container could only access its own resources, but not others)
- The configurations of the applications must be accessible only from the operating system that hosts the application. (ACHIEVED, you can use DockerFile or DockerRun to push configurations to containers from the Container Host OS)

QUESTION 27
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. Server1 has a volume named Volume1.
A central access policy named Policy1 is deployed to the domain.
You need to apply Policy1 to Volume1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: A
Explanation:
"File Explorer" = "Windows Explorer".
https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policydemonstration-steps-#BKMK_1.4

QUESTION 28
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), you link the GPO to the Servers OU, and then you modify the Users Rights Assignment in the GPO.
Does this meet the goal?
A. Yes
B. No
Answer: A

QUESTION 29
Your network contains an Active Directory domain named contoso.com.
You install the Windows Server Update Services server role on a member server named Server1. Server1 runs Windows Server 2016.
You need to ensure that a user named User1 can perform the following tasks:
- View the Windows Server Update Services (WSUS) configuration.
- Generate WSUS update reports.
The solution must use the principle of least privilege.
What should you do on Server1?
A. Modify the permissions of the ReportWebService virtual folder from the WSUS Administration website.
B. Add User1 to the WSUS Reporters local group.
C. Add User1 to the WSUS Administrators local group.
D. Run wsusutil.exe and specify the postinstall parameter.
Answer: B
Explanation:
WSUS Reporters have read-only access to the WSUS database and configuration.
A user with "WSUS Reporters" membership can view the configuration and generate reports as follows:

QUESTION 30
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network. The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management you create a software restriction policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The network profiles and the ports can be managed by using advanced Windows Firewall settings, and software restriction policies cannot fulfill the needs.

QUESTION 31
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some
  • 23. question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2016.
The forest contains 2,000 client computers that run Windows 10. All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy one physical computer and configure it as a Hyper-V host that runs Windows Server 2016. You create 10 virtual machines and configure each one as a PAW.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation: "The PAW architecture does not allow for hosting an admin VM on a user workstation, but a user VM with a standard corporate image can be hosted on a PAW host to provide personnel with a single PC for all responsibilities."
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

QUESTION 32
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server5 that has the Windows Server Update Services server role installed.
You need to configure Windows Server Update Services (WSUS) on Server5 to use SSL.
You install a certificate in the local Computer store.
Which two tools should you use? Each correct answer presents part of the solution.
A. Wsusutil
B. Netsh
C. Internet Information Services (IIS) Manager
D. Server Manager
E. Update Services
Answer: AC
Explanation:
https://technet.microsoft.com/en-us/library/hh852346(v=ws.11).aspx#bkmk_3.5.ConfigSSL
http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/

QUESTION 33
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
  • 24. The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Windows Firewall in the Control Panel, you add an application and allow the application to communicate through the firewall on a Private network.
Does this meet the goal?
A. Yes
B. No
Answer: A

QUESTION 34
Your network contains an Active Directory domain named contoso.com.
The domain contains five servers. All servers run Windows Server 2016.
A new security policy states that you must modify the infrastructure to meet the following requirements:
- Limit the rights of administrators.
- Minimize the attack surface of the forest.
- Support Multi-Factor authentication for administrators.
You need to recommend a solution that meets the new security policy requirements.
What should you recommend deploying?
A. an administrative forest
B. domain isolation
C. an administrative domain in contoso.com
D. the Local Administrator Password Solution (LAPS)
Answer: A
Explanation: Because you have to "Minimize the attack surface of the forest", you must create another forest for administrators.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material#ESAE_BM
This section contains an approach for an administrative forest based on the Enhanced Security Administrative Environment (ESAE) reference architecture deployed by Microsoft's cyber security professional services teams to protect customers against cyber security attacks. Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment.

QUESTION 35
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2016.
  • 25. The forest contains 2,000 client computers that run Windows 10. All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy 10 physical computers and configure them as PAWs. You deploy 10 additional computers and configure them by using the customized Windows image.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

QUESTION 36
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
Server1 is configured as a domain controller.
You configure Server1 as a Just Enough Administration (JEA) endpoint.
You configure the required JEA rights for a user named User1.
You need to tell User1 how to manage Active Directory objects from Server2.
What should you tell User1 to do first on Server2?
A. From a command prompt, run ntdsutil.exe.
B. From Windows PowerShell, run the Import-Module cmdlet.
C. From Windows PowerShell, run the Enter-PSSession cmdlet.
D. Install the management consoles for Active Directory, and then launch Active Directory Users and Computers.
Answer: C
Explanation: "Enter-PSSession -ComputerName localhost -ConfigurationName demo1ep. You should see your prompt change to [localhost]: indicating that you are now in the special constrained session configuration. Run Get-Command. Observe the limited set of commands available".
https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/

QUESTION 37
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
A technician is testing the deployment of Credential Guard on Server1.
You need to verify whether Credential Guard is enabled on Server1.
What should you do?
A. From a command prompt, run the credwiz.exe command.
B. From Task Manager, review the processes listed on the Details tab.
C. From Server Manager, click Local Server, and review the properties of Server1.
D. From Windows PowerShell, run the Get-WsManCredSSP cmdlet.
  • 26. Answer: B
Explanation:
https://yungchou.wordpress.com/2016/10/10/credential-guard-made-easy-in-windows-10-version-1607/
As before, once Credential Guard is properly configured and running, you should find the 'Credential Guard' process and 'lsaiso.exe' listed on the Details page in Task Manager, as below.

QUESTION 38
Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You deploy a new server named FinanceServer5, and join FinanceServer5 to the domain.
You need to ensure that the passwords of the local administrators of FinanceServer5 are available to the LAPS administrators.
What should you do?
A. On FinanceServer5, register AdmPwd.dll.
B. On FinanceServer5, install the LAPS Windows PowerShell module.
C. In the domain, modify the permissions for the computer account of FinanceServer5.
D. In the domain, modify the permissions of the Domain Controllers organizational unit (OU).
Answer: B

QUESTION 39
  • 27. Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Center on a server named Server1 and the ATA Gateway on a server named Server2.
You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?
A. the domain controllers to forward Event ID 4776 to Server2
B. the domain controllers to forward Event ID 1000 to Server1
C. Server2 to forward Event ID 1026 to Server1
D. Server1 to forward Event ID 1000 to Server2
Answer: A
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture
ATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway using physical or virtual switches. If you deploy the ATA Lightweight Gateway directly on your domain controllers, it removes the requirement for port mirroring. In addition, ATA can leverage Windows events (forwarded directly from your domain controllers or from a SIEM server) and analyze the data for attacks and threats.
See the green line in the following figure: forward Event ID 4776, which indicates that NTLM authentication is being used, to the ATA Gateway on Server2.
  • 28. QUESTION 40
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
You need to create Work Folders on Server1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
https://blogs.technet.microsoft.com/canitpro/2015/01/19/step-by-step-creating-a-work-folders-test-lab-deployment-in-windows-server-2012-r2/
https://technet.microsoft.com/en-us/library/dn265974(v=ws.11).aspx

QUESTION 41
Your network contains an Active Directory forest named contoso.com. The network is connected to the Internet.
You have 100 point-of-sale (POS) devices that run Windows 10. The devices cannot access the Internet.
You deploy Microsoft Operations Management Suite (OMS).
You need to use OMS to collect and analyze data from the POS devices.
What should you do first?
A. Deploy Windows Server Gateway to the network.
B. Install the OMS Log Analytics Forwarder on the network.
C. Install Microsoft Data Management Gateway on the network.
D. Install the Simple Network Management Protocol (SNMP) feature on the devices.
E. Add the Microsoft NDIS Capture service to the network adapter of the devices.
Answer: B
Explanation:
https://blogs.technet.microsoft.com/msoms/2016/03/17/oms-log-analytics-forwarder/

QUESTION 42
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1.
Server1 is configured as shown in the following table.
  • 29. You plan to create a pilot deployment of Microsoft Advanced Threat Analytics (ATA).
You need to install the ATA Center on Server1.
What should you do first?
A. Install Microsoft Security Compliance Manager (SCM).
B. Obtain an SSL certificate.
C. Assign an additional IPv4 address.
D. Remove Server1 from the domain.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites
ATA Center, which is the first component to be deployed on Server1, requires the use of the SSL protocol to communicate with the ATA Gateway. To ease the installation of ATA, you can install self-signed certificates during installation. Post deployment, you should replace the self-signed certificate with a certificate from an internal Certification Authority to be used by the ATA Center. Make sure the ATA Center and ATA Gateways have access to your CRL distribution point. If they don't have Internet access, follow the procedure to manually import a CRL, taking care to install all the CRL distribution points for the whole chain.

QUESTION 43
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
- The resources of the applications must be isolated from the physical host.
- Each application must be prevented from accessing the resources of the other applications.
- The configurations of the applications must be accessible only from the operating system that hosts the application.
Solution: You deploy a separate Hyper-V container for each application.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
  • 30. https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/

QUESTION 44
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Secure that contains all servers.
You install Microsoft Security Compliance Manager (SCM) 4.0 on a server named Server1.
You need to export the SCM Print Server Security baseline and to deploy the baseline to a server named Server2.
What should you do? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Format to use to export the baseline: GPO Backup (folder)
Tool to use to import the baseline: Group Policy Management
When the security settings are exported from SCM 4 in a GPO (folder) format, with a long GUID name,
  • 31. you have to import them into a GPO by using "Group Policy Management": right-click the GPO and use the "Import Settings" button.
Do not confuse this with security template .inf files. Only a security template .inf file (which is a single file, not a folder) can be imported into a GPO by using Group Policy Object Editor.

QUESTION 45
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The services on Server1 are shown in the following output.
Server1 has the AppLocker rules configured as shown in the exhibit. (Click the Exhibit button.)
  • 32. Rule1 and Rule2 are configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
  • 33. Explanation:
On Server1, User1 can run D:\Folder2\App1.exe: Yes
On Server1, User1 can run D:\Folder1\Program1.exe: Yes
If Program1 is copied from D:\Folder1 to D:\Folder2, User1 can run Program1.exe on Server1: Yes
https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-application-identity-service
The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. In this question, Server1's Application Identity service is stopped; therefore AppLocker rules are no longer enforced, and everyone can run everything on Server1.

QUESTION 46
Hotspot Question
Your network contains an Active Directory domain named adatum.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named OU1 that contains Server1.
You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1.
A user named User1 is a member of a group named Group1.
The properties of User1 are shown in the User1 exhibit. (Click the Exhibit button.)
  • 34. User1 has permissions to two files on Server1 configured as shown in the following table.
From Auditing Entry for Global File SACL, you configure the advanced audit policy settings in GPO1 as shown in the SACL exhibit. (Click the Exhibit button.)
  • 35. For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
  • 36. Explanation:
http://sourcedaddy.com/windows-7/auditing-file-and-folder-access.html

QUESTION 47
Hotspot Question
Your network contains an Active Directory forest named contoso.com.
The forest has Microsoft Identity Manager (MIM) 2016 deployed.
You implement Privileged Access Management (PAM).
You need to request privileged access from a client computer in contoso.com by using PAM.
How should you complete the Windows PowerShell script? To answer, select the appropriate options in the answer area.
Answer:
  • 37. Explanation:
$PAM = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" }
New-PAMRequest -role $PAM

QUESTION 48
Hotspot Question
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
  • 38. You need to ensure that you can implement the Local Administrator Password Solution (LAPS) for the finance department computers.
What should you do in the contoso.com forest? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Windows PowerShell module to import: AdmPwd.PS
Windows PowerShell cmdlet to use: update-AdmPwdADSchema
https://flamingkeys.com/deploying-the-local-administrator-password-solution-part-2/

QUESTION 49
Hotspot Question
You plan to deploy three encrypted virtual machines that use Secure Boot.
The virtual machines will be configured as shown in the following table.
  • 39. How should you protect each virtual machine? To answer, select the appropriate options in the answer area.
Answer:
  • 40. Explanation:
VM1: A shielded virtual machine
VM2: An encryption-supported virtual machine
VM3: An encryption-supported virtual machine
A shielded VM prevents Virtual Machine Connection and PowerShell Direct; it prevents the Hyper-V host from interacting in any way with the shielded VM.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-andshielded-vms

QUESTION 50
Hotspot Question
Your network contains two Active Directory forests named contoso.com and adatum.com.
Contoso.com contains a Hyper-V host named Server1.
  • 41. Server1 is a member of a group named HyperHosts.
Adatum.com contains a server named Server2.
Server1 and Server2 run Windows Server 2016.
Contoso.com trusts adatum.com.
You plan to deploy shielded virtual machines to Server1 and to configure Admin-trusted attestation on Server2.
Which component should you install and which cmdlet should you run on Server2? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Component to install on Server1: The Host Guardian Hyper-V Support feature
Cmdlet to run on Server1: Set-HgsClientConfiguration
The key to this question is Admin-trusted attestation (AD mode) for guarded fabric "Server1.contoso.com", while Server2.adatum.com is running the Host Guardian Service.
  • 42. https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricguarded-host-prerequisites
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricconfirm-hosts-can-attest-successfully

QUESTION 51
The New-CIPolicy cmdlet creates a Code Integrity policy as an .xml file.
If you do NOT supply either driver files or rules, what will happen?
A. The cmdlet performs a system scan
B. An exception/warning is shown because either one is required
C. Nothing
D. The cmdlet searches the Code Integrity Audit log for drivers
Answer: A
Explanation: If you do not supply either driver files or rules, this cmdlet performs a system scan similar to the Get-SystemDriver cmdlet.
  • 43. The cmdlet generates rules based on Level. If you specify the Audit parameter, this cmdlet scans the Code Integrity Audit log instead.

QUESTION 52
Read the following statement carefully and answer YES or NO.
You create a rule "Allow Everyone to run Windows except Registry Editor" that allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor.
The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks.
To resolve this problem, you create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor."
However, if you created a deny rule that did not allow any users to run Registry Editor, would the deny rule override the second rule that allows the Helpdesk user group to run Registry Editor?
A. NO
B. YES
Answer: B
Explanation: For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor. The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor.
https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx

QUESTION 53
A shielding data file (also called a provisioning data file or PDK file) is an encrypted file that a tenant or VM owner creates to protect important VM configuration information.
A fabric administrator uses the shielding data file when creating a shielded VM, but is unable to view or use the information contained in the file.
Which information can be stored in the shielding data file?
A. Administrator credentials
B. All of these
C. A Key Protector
D. Unattend.xml
Answer: B

QUESTION 54
You're creating a new GPO for WSUS settings so that client computers retrieve updates from your company's official WSUS server.
In the Group Policy Management Editor you have drilled down to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update and have right-clicked "Specify intranet Microsoft update service location" and chosen Edit.
If the FQDN for your WSUS server is CONTOSO-WSUS1.contoso.com, which URL would you enter into the field?
A. http://CONTOSO-WSUS1.contoso.com:443
  • 44. B. http://CONTOSO-WSUS1.contoso.com:21
C. http://CONTOSO-WSUS1.contoso.com:80
D. http://CONTOSO-WSUS1.contoso.com:8530
Answer: D
Explanation: The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you're unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click Edit Bindings.

QUESTION 55
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.
Windows Defender comes with a number of different Defender-specific cmdlets that you can run through PowerShell to automate common tasks.
Which cmdlet would you run first if you wanted to perform an offline scan?
A. Start-MpWDOScan
B. Start-MpScan
C. Set-MpPreference -DisableRestorePoint $true
D. Set-MpPreference -DisablePrivacyMode $true
Answer: A
Explanation: Some malicious software can be particularly difficult to remove from your PC. Windows Defender Offline (Start-MpWDOScan) can help to find and remove this using up-to-date threat definitions.

QUESTION 56
_____ enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network.
This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
A. Network Unlock
B. EFS recovery agent
C. JEA
D. Credential Guard
Answer: A
Explanation:
https://technet.microsoft.com/en-us/library/jj574173(v=ws.11).aspx
See the last sentence of the first paragraph: "This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware".

QUESTION 57
This question relates to Windows Firewall and related technologies.
These rules use IPsec to secure traffic while it crosses the network.
You use these rules to specify that connections between two computers must be authenticated or encrypted.
What is the name for these rules?
  • 45. A. Connection Security Rules
B. Firewall Rules
C. TCP Rules
D. DHP Rules
Answer: A

QUESTION 58
Windows Firewall rules can be configured using PowerShell.
The "Set-NetFirewallProfile" cmdlet configures settings that apply to the per-profile configurations of the Windows Firewall with Advanced Security.
What is the default setting for the AllowInboundRules parameter when managing a GPO?
A. FALSE
B. NotConfigured
Answer: B
Explanation: The default setting when managing a computer is True. When managing a GPO, the default setting is NotConfigured. The NotConfigured value is only valid when configuring a Group Policy Object (GPO). This parameter removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

QUESTION 59
The "Network Security: Restrict NTLM: NTLM authentication in this domain" policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller.
Which value would you choose so that the domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain?
The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions in this domain" policy setting.
A. Deny for domain accounts
B. Deny for domain accounts to domain servers
C. Deny all
D. Deny for domain servers
Answer: B

QUESTION 60
Encryption-supported VMs are intended for use where the fabric administrators are fully trusted. For example, an enterprise might deploy a guarded fabric in order to ensure VM disks are encrypted at-rest for compliance purposes.
Shielded VMs are intended for use in fabrics where the data and state of the VM must be protected from both fabric administrators and untrusted software that might be running on the Hyper-V hosts.
Is the Virtual Machine Connection (Console), HID devices (e.g. keyboard, mouse) ON or OFF for encryption-supported VMs?
A. Off
  • 46. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 45 B. On Answer: B Explanation: Shielded VMs will never permit a VM console connection whereas a fabric administrator can turn this protection on or off for encryption supported VMs. QUESTION 61 Updates typically consist of new versions of files that already exist on the computer that is being updated. On a binary level, these existing files might not differ very much from updated versions. The _________ feature identifies the exact bytes between versions, creates and distributes updates of only those differences, and then merges the existing file together with the updated bytes. A. Background Intelligent Transfer Service B. Express installation files C. Filters D. Deferred download Answer: B Explanation: You can use express installation files to limit the bandwidth that is consumed on the local network, because WSUS transmits only the delta applicable to a particular version of an updated component. However, this comes at the cost of additional bandwidth between your WSUS server, any upstream WSUS servers, and Microsoft Update, and requires additional local disk space. By default, WSUS does not use express installation files. QUESTION 62 The AppLocker Microsoft Management Console (MMC) snap-in is organized into areas called rule collections. It can differentiate between various file types and formats. Do you know which of the following is NOT a script file format? A. .cmd B. .com C. .js D. .bat Answer: B Explanation: A .com (and .exe) is an executable file, the others are all scripts. QUESTION 63 One solution to help reduce the potential for stolen data is to encrypt sensitive files by using Encrypting File System (EFS) to increase the security of your data. Encryption is the application of a mathematical algorithm to make data unreadable except to those users who have the required key. 
EFS is a Microsoft technology that lets you encrypt data on your computer, and control who can decrypt, or recover, the data. When files are encrypted, user data cannot be read even if an attacker has physical access to the computer's data storage.
Which certificate allows the holder to recover encrypted files and folders throughout a domain or other scope, no matter who encrypted them?
A. File Recovery certificate
B. Encrypting File System certificate
Answer: A

QUESTION 64
Complete the two missing terms in the paragraph below:
Consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
To create the code integrity policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run New-CIPolicy with -Level ________ (to allow software from their software providers) and -Fallback ________ (to allow the internal, unsigned application).
A. Publisher, Hash
B. WHQLPublisher, Hash
C. LeafCertificate, Hash
D. RootCertificate, Hash
Answer: A

QUESTION 65
Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure.
Which utility would you use to verify group policy is reaching the clients properly?
A. gpfixup.exe
B. pnputil.exe
C. ktmutil.exe
D. gpresult.exe
Answer: D
Explanation:
Gpresult displays the Resultant Set of Policy (RSoP) information for a remote user and computer.

QUESTION 66
You deploy the Host Guardian Service (HGS).
You have several Hyper-V hosts that have older hardware and Trusted Platform Modules (TPMs) version 1.2.
You discover that the Hyper-V hosts cannot start shielded virtual machines.
You need to configure HGS to ensure that the older Hyper-V hosts can host shielded virtual machines.
What should you do?
A. Run the Set-HgsServer cmdlet and specify the -TrustTpm parameter.
B. Run the Set-HgsServer cmdlet and specify the -TrustActiveDirectory parameter.
C. Run the Clear-HgsServer cmdlet and specify the -Clustername parameter.
D. Run the Clear-HgsServer cmdlet and specify the -Force parameter.
E. It is not possible to enable older Hyper-V hosts to run Shielded virtual machines.
Answer: E
Explanation:
Requirements and Limitations
There are several requirements for using Shielded VMs and the HGS:
- One bare metal host: You can deploy the Shielded VMs and the HGS with just one host. However, Microsoft recommends that you cluster HGS for high availability.
- Windows Server 2016 Datacenter Edition: The ability to create and run Shielded VMs and the HGS is only supported by Windows Server 2016 Datacenter Edition.
- For Admin-trusted attestation mode: You only need to have server hardware capable of running Hyper-V in Windows Server 2016 TP5 or higher.
- For TPM-trusted attestation: Your servers must have TPM 2.0 and UEFI 2.3.1 and they must boot in UEFI mode. The hosts must also have secure boot enabled.
- Hyper-V role: Must be installed on the guarded host.
- HGS Role: Must be added to a physical host.
- Generation 2 VMs.
- A fabric AD domain.
- An HGS AD, which in Windows Server 2016 TP5 is a separate AD infrastructure from your fabric AD.

QUESTION 67
Your network contains an Active Directory domain named contoso.com.
The domain contains multiple servers that run either Windows Server 2012 or Windows Server 2012 R2.
You plan to implement Just Enough Administration (JEA) to manage all of the servers.
What should you install on each server to ensure that the servers can be managed by using JEA?
A. Remote Server Administration Tools (RSAT)
B. Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
C. Management Odata Internet Information Services (IIS) Extension
D. Windows Management Framework 5.0
Answer: D
Explanation:
https://msdn.microsoft.com/en-us/library/dn896648.aspx
Get JEA
The current release of JEA is available on the following platforms:
Windows Server
- Windows Server 2016 Technical Preview 5 and higher
- Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2* with Windows Management Framework 5.0 installed

QUESTION 68
You have the servers configured as shown in the following table.
You purchase a Microsoft Azure subscription, and you create three Microsoft Operations Management Suite (OMS) workspaces named Workspace1, Workspace2, and Workspace3.
You need to deploy Microsoft Monitoring Agent to the servers to meet the following requirements:
- Antimalware data from all the servers must be visible in Workspace1.
- Security and audit data from the domain controllers and the virtualization hosts must be visible in Workspace2.
- System update data from all the servers in all the workgroups must be visible in Workspace3.
How many OMS agents should you deploy?
A. 10
B. 33
C. 73
D. 45
Answer: C
Explanation:
"All the servers" means all 5 domain controllers, plus all member servers (physical and virtual, domain and workgroup) and virtualization hosts, so there are no exemptions. All servers mentioned in the above table must have the OMS Microsoft Monitoring Agent installed.

QUESTION 69
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016.
You need to prevent direct .NET scripts invoked by interactive Windows PowerShell sessions from running on the servers.
What should you do for each server?
A. Create an AppLocker rule.
B. Create a Code Integrity rule.
C. Disable PowerShell Remoting.
D. Modify the local Kerberos policy settings.
Answer: C

QUESTION 70
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 4.0 installed.
The domain contains domain controllers that run Windows Server 2016.
A Group Policy object (GPO) named GPO1 is applied to all of the domain controllers.
GPO1 has a Globally Unique Identifier (GUID) of 7ABCDEFG-1234-5678-90AB-005056123456.
You need to create a new baseline that contains the settings from GPO1.
What should you do first?
A. Copy the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB-005056123456} folder to Server1.
B. From Group Policy Management, create a backup of GPO1.
C. From Windows PowerShell, run the Copy-GPO cmdlet.
D. Modify the permissions of the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB-005056123456} folder.
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/hh489604.aspx
You can import current settings from your GPOs and compare these to the Microsoft recommended best practices.
Start with a GPO backup that you would commonly create in the Group Policy Management Console (GPMC).
Take note of the folder to which the backup is saved. In SCM, select GPO Backup, browse to the GPO folder's Globally Unique Identifier (GUID) and select a name for the GPO when it's imported.
SCM will preserve any ADM files and GP Preference files (those with non-security settings that SCM doesn't parse) you're storing with your GPO backups. It saves them in a subfolder within the user's public folder. When you export the baseline as a GPO again, it also restores all the associated files.

QUESTION 71
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that you can view Windows PowerShell code that was generated dynamically and executed on the computers in OU1.
What would you configure in GP1?
A. Object Access\Audit Application Generated from the advanced audit policy
B. Turn on PowerShell Script Block Logging from the PowerShell settings
C. Turn on Module Logging from the PowerShell settings
D. Object Access\Audit Other Object Access Events from the advanced audit policy
Answer: B
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to log the invocation of cmdlets, PowerShell's scripting language has plenty of features that you might want to log and/or audit.
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system. After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW event log, Microsoft-Windows-PowerShell/Operational.
If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy setting (in Administrative Templates -> Windows Components -> Windows PowerShell).

QUESTION 72
Your network contains an Active Directory forest named contoso.com.
All domain controllers run Windows Server 2016. Member servers run either Windows Server 2012 R2 or Windows Server 2016.
Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are transferred over the network.
Solution: You enable access-based enumeration on all the file shares.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Access-Based Enumeration does not help with encrypting network file transfers.

QUESTION 73
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Security Options.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/

QUESTION 74
Your network contains an internal network and a perimeter network.
The internal network contains an Active Directory forest named contoso.com.
You deploy five servers to the perimeter network.
All of the servers run Windows Server 2016 and are the members of a workgroup.
You need to apply a security baseline named Perimeter.inf to the servers in the perimeter network.
What should you use to apply Perimeter.inf?
A. Local Computer Policy
B. Security Configuration Wizard (SCW)
C. Group Policy Management
D. Server Manager
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows-server/get-started/deprecated-features
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
https://msdn.microsoft.com/en-us/library/bb742512.aspx

QUESTION 75
You enable and configure PowerShell Script Block Logging.
You need to view which script blocks were executed by using Windows PowerShell scripts.
What should you do?
A. View the Microsoft-Windows-PowerShell/Operational event log.
B. Open the log files in %LocalAppData%\Microsoft\Windows\PowerShell.
C. View the Windows PowerShell event log.
D. Open the log files in %SYSTEMROOT%\Logs.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the event log, Microsoft-Windows-PowerShell/Operational.

QUESTION 76
Your network contains an Active Directory domain named contoso.com.
The domain contains four global groups named Group1, Group2, Group3, and Group4.
A user named User1 is a member of Group3.
You have an organizational unit (OU) named OU1 that contains computer accounts.
A Group Policy object (GPO) named GPO1 is linked to OU1.
OU1 contains a computer account named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table:
You need to ensure that User1 can access the shares on Computer1.
What should you do?
A. Modify the membership of Group1.
B. In GPO1, modify the Access this computer from the network user right.
C. Modify the Deny access to this computer from the network user right.
D. Modify the Deny log on locally user right.
Answer: B

QUESTION 77
You are building a guarded fabric.
You need to configure Admin-trusted attestation.
Which cmdlet should you use?
A. Add-HgsAttestationHostGroup
B. Add-HgsAttestationTpmHost
C. Add-HgsAttestationCIPolicy
D. Add-HgsAttestationTpmPolicy
Answer: A
Explanation:
Authorize Hyper-V hosts using Admin-trusted attestation
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-addhost-information-for-admin-trusted-attestation

QUESTION 78
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016.
You implement a single-domain administrative forest named admin.contoso.com that has Enhanced Security Administrative Environment (ESAE) deployed.
You have an administrative user named Admin1 in admin.contoso.com.
You need to ensure that Admin1 can manage the domain controllers in contoso.com.
To which group should you add Admin1?
A. Contoso\Domain Admins
B. Admin\Administrators
C. Admin\Domain Admins
D. Contoso\Administrators
Answer: D
Explanation:
admin.contoso.com (NetBIOS domain name "ADMIN") is the administrative domain.
contoso.com (NetBIOS domain name "CONTOSO") is the corporate resource domain.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material

QUESTION 79
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether ICMP traffic is exempt from IPsec on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: D
Explanation:
The Get-NetFirewallSetting cmdlet retrieves the global firewall settings of the target computer.
The NetFirewallSetting object specifies properties that apply to the firewall and IPsec settings, no matter which network profile is currently in use.
The global configurations include viewing the active profile, exemptions, specified certification validation levels, and user and computer authorization lists.

QUESTION 80
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You run the command New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound -Program "D:\Apps\App1.exe" -Action Allow -Profile Domain
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Tested correct cmdlet, worked, and the profile "Domain" for corporate network is also correct.

QUESTION 81
Your network contains an Active Directory domain named contoso.com.
The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup.
Server22 runs Windows Server 2016.
You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence?
A. Install-HgsServer
B. Install-Module
C. Install-Package
D. Enable-WindowsOptionalFeature
E. Install-ADDSDomainController
F. Initialize-HgsServer
Answer: AEF
Explanation:
Correct order of actions:
1. Install-ADDSDomainController, as Server22 is a workgroup computer, create a new domain on it first.
2. Install-HgsServer
3. Initialize-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricsetting-up-the-host-guardian-service-hgs
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricinstall-hgs-default
Install-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricinitialize-hgs-tpm-mode-default
Initialize-HgsServer

QUESTION 82
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The local administrator credentials of Server1 are managed by using the Local Administrator Password Solution (LAPS).
You need to retrieve the password of the Administrator account on Server1.
What should you do?
A. From Windows PowerShell on Server1, run the Get-ADFineGrainedPasswordPolicy cmdlet and specify the -Credential parameter.
B. From Windows PowerShell on Server1, run the Get-ADUser cmdlet and specify the -Credential parameter.
C. From Active Directory Users and Computers, open the properties of Server1 and view the value of the ms-Mcs-AdmPwd attribute.
D. From Active Directory Users and Computers, open the properties of Administrator and view the value of the userPassword attribute.
Answer: C
Explanation:
The "ms-Mcs-AdmPwd" attribute of a computer account in Active Directory Users and Computers stores the local Administrator password of a computer, which is configured by LAPS.

QUESTION 83
Your network contains an Active Directory domain named contoso.com.
The domain contains a DNS server named Server1 that runs Windows Server 2016.
A domain-based Group Policy object (GPO) is used to configure the security policy of Server1.
You plan to use Security Compliance Manager (SCM) 4.0 to compare the security policy of Server1 to the WS2012 DNS Server Security 1.0 baseline.
You need to import the security policy into SCM.
What should you do first?
A. From Security Configuration and Analysis, use the Export Template option.
B. Run the Copy-GPO cmdlet and specify the -TargetName parameter.
C. Run the Backup-GPO cmdlet and specify the -Path parameter.
D. Run the secedit.exe command and specify the /export parameter.
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/ee461052.aspx
Running the Backup-GPO cmdlet with the -Path parameter creates a GPO backup folder with a GUID name that is suitable to import to SCM 4.0.

QUESTION 84
Your network contains an Active Directory forest named contoso.com.
The forest contains three domains.
All domain controllers run Windows Server 2016.
You deploy a second Active Directory forest named admin.contoso.com.
The forest contains a domain member server named Server1.
Server1 has Microsoft Identity Manager (MIM) 2016 deployed.
You need to implement Privileged Access Management (PAM) and to use admin.contoso.com as an administrative forest.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From a domain controller in contoso.com, run the New-PAMTrust cmdlet.
B. From Server1, run the New-PAMDomainConfiguration cmdlet.
C. From a domain controller in admin.contoso.com, run the New-PAMTrust cmdlet.
D. From a domain controller in contoso.com, run the New-PAMDomainConfiguration cmdlet.
E. From a domain controller in admin.contoso.com, run the New-PAMDomainConfiguration cmdlet.
F. From Server1, run the New-PAMTrust cmdlet.
Answer: BF
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corpforests

QUESTION 85
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
You need to configure Nano1 as a Hyper-V Host.
Which command should you run?
A. Add-WindowsFeature Microsoft-NanoServer-Compute-Package
B. Add-WindowsFeature Microsoft-NanoServer-Guest-Package
C. Add-WindowsFeature Microsoft-NanoServer-Host-Package
D. Add-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
E. Install-Package Microsoft-NanoServer-Compute-Package
F. Install-Package Microsoft-NanoServer-Guest-Package
G. Install-Package Microsoft-NanoServer-Host-Package
H. Install-Package Microsoft-NanoServer-ShieldedVM-Package
I. Install-WindowsFeature Microsoft-NanoServer-Compute-Package
J. Install-WindowsFeature Microsoft-NanoServer-Guest-Package
K. Install-WindowsFeature Microsoft-NanoServer-Host-Package
L. Install-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
Answer: E
Explanation:
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server#BKMK_online
The Nano Server package "Microsoft-NanoServer-Compute-Package" includes the Hyper-V role for a Nano Server host.
Moreover, the Install-WindowsFeature and Add-WindowsFeature cmdlets are NOT available on a Nano Server.

QUESTION 86
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether any connection security rules are configured on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: A
Explanation:
https://technet.microsoft.com/en-us/itpro/powershell/windows/netsecurity/get-netipsecrule
Get-NetIPSecRule displays the existence and details of Connection Security Rules, as connection security rules implement IPsec between computers (not using tunnel endpoints) or sites (using tunnel endpoints).

QUESTION 87
You implement Log Analytics in Microsoft Operations Management Suite (OMS) on all servers that run Windows Server 2016.
You need to generate a daily report that identifies which servers restarted during the last 24 hours.
Which query should you use?
A. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
B. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
C. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
D. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-searches
Computer restart events are stored in the "System" event log instead of the Application event log.
The "NOW-24HOURS" clause matches all events generated in the last 24 hours.

QUESTION 88
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You add User1 to the Backup Operators group on Server1 and Server2.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx
Backup Operators
Members of this group can back up and restore files on a computer, regardless of any permissions that protect those files.
This is because the right to perform a backup takes precedence over all file permissions. Members of this group cannot change security settings.

QUESTION 89
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080, uses a scope of 172.16.0.0/16 for local IP addresses, and applies to a private profile.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
"You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network." You should create the firewall rule for the "Domain" profile instead, not the "Private" profile.
https://technet.microsoft.com/en-us/library/getting-started-wfas-firewall-profiles-ipsec(v=ws.10).aspx

QUESTION 90
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to implement BitLocker Network Unlock for all of the laptops.
Which server role should you deploy to the network?
A. Network Controller