Microsoft 70-744 203q

Securing Windows Server 2016
Microsoft 70-744
Total Questions: 203
https://dumpsarena.com
sales@dumpsarena.com
QUESTION NO: 1
Your network contains an Active Directory domain named contoso.com.
The domain contains four global groups named Group1, Group2, Group3, and Group4. A user named User1 is a member of
Group3.
You have an organizational unit (OU) named OU1 that contains computer accounts. A Group Policy object (GPO) named
GPO1 is linked to OU1. OU1 contains a computer account named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table.
You need to ensure that User1 can access the shares on Computer1. What should you do?
A. Modify the membership of Group3.
B. Modify the membership of Group2.
C. Modify the membership of Group1.
D. Modify the membership of Group4.
E. In GPO1, modify the Allow log on locally user right.

ANSWER: B
Explanation:
QUESTION NO: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a
unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear
in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2016. The forest
contains 2,000 client computers that run Windows 10. All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that administrators can access
several client applications used by all users.
Solution: You deploy 10 physical computers and configure them as PAWs. You deploy 10 additional computers and
configure them by using the customized Windows image.
DumpsArena - Pass Your Next Certification Exam Fast!

dumpsarena.com - Page 2 of 166
Does this meet the goal?
A. Yes
B. No
ANSWER: A
Explanation:
References: https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-
workstations
QUESTION NO: 3
unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in
the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On server1, you install the DockerMsftProvider PowerShell and the Docker package. You restart the server.
A. Yes
B. No
ANSWER: A
Explanation:
References:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploy-containers-on-server
QUESTION NO: 4
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that
runs Windows Server 2016.
You have an organizational unit (OU) named Administration that contains the computer account of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU.
You need to log an event each time an Active Directory cmdlet is executed successfully from Server1.

What should you do?
A. From Advanced Audit Policy in GPO1, configure auditing for directory service changes.
B. Run the(Get-Module ActiveDirectory).LogPipelineExecutionDetails = $falsecommand.
C. Run the(Get-Module ActiveDirectory).LogPipelineExecutionDetails = $truecommand.
D. From Advanced Audit Policy in GPO1, configure for other privilege use events.
E. From Administrative Templates in GPO1, configure an Event Logging policy.

ANSWER: C
Explanation:
References: https://www.petri.com/enable-powershell-logging
QUESTION NO: 5
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1
and Server2 that run Windows Server 2016.
The Microsoft Advanced Threat Analytics (ATA) Center service is installed on Server1.
The domain contains the users shown in the following table.
You are installing ATA Gateway on Server2.
You need to specify a Gateway Registration account.
Which account should you use?
A. User7
B. User8
C. User1
D. User6
ANSWER: D

Explanation:
References:
https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step1
QUESTION NO: 6
Your network contains an Active Directory domain named contoso.com. The domain contains domain controllers that run
Windows Server 2016.
The Job Title attribute for a domain user named User1 has a value of Sales Manager.
User1 runs whoami/claims and receives the following output.
You need to ensure that the security token of User1 has a claim for Job Title.
What should you do?
A. From Active Directory Users and Computers, modify the properties of the User1 account.
B. From a Group Policy object(GPO), configure KDC support for claims, compound authentication, and Kerberos armoring.
C. From Active Directory Administrative Center, add a claim type.
D. From Windows PowerShell, run the New-ADClaimTransformPolicy cmdlet and specify the –Name parameter.
ANSWER: C
Explanation:
References: https://www.nyazit.com/how-to-configure-dynamic-access-control-in-windows-server-2012-r2-2/
QUESTION NO: 7 - DRAG DROP
DRAG DROP
You plan to implement encryption on a file server named Server1.
Server1 has TPM 2.0 and uses Secure Boot.
Server1 has the volumes configured as shown in the following table.

You need to encrypt the contents of volumes C and
G. The solution must use the highest level of security possible.
What should you use to encrypt the contents of each volume? To answer, drag the appropriate encryption options to the
correct volumes. Each encryption option may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
ANSWER:
Explanation:
References: https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
QUESTION NO: 8

Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1
that runs Windows10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps\. App1.exe is configured to accept connections on
TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080, uses a scope of 172.16.0.0/16 for local IP
addresses, and applies to a private profile.
A. Yes
B. No
ANSWER: B
Explanation:
References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-
2008/dd448531(v=ws.10)
QUESTION NO: 9 - HOTSPOT
HOTSPOT
You have 100 computers that run Windows 10 and are members of a workgroup.
You need to configure Windows Defender to meet the following requirements:
Exclude a C:\Sales|Salesdb from malware scans. Configure a full scan to occur daily.
What should you run to meet each requirement? To answer, select the appropriate options in the answer area.
Hot Area:

ANSWER:

Explanation:
References: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-
process-opened-file-exclusions-windows-defender-antivirus https://docs.microsoft.com/en-
us/powershell/module/defender/add-mppreference?view=win10-ps https://docs.microsoft.com/en-
us/powershell/module/defender/set-mppreference?view=win10-ps
QUESTION NO: 10
Your network contains an Active Directory domain named contoso.com. The domain contains five file servers that run
You have an organizational unit (OU) named Finance that contains all of the servers.
You create a Group Policy object (GPO) and link the GPO to the Finance OU.
You need to ensure that when a user in the finance department deletes a file from a file server, the event is logged. The
solution must log only users who have a manager attribute of Ben Smith.
Which audit policy setting should you configure in the GPO?
A. File system in Global Object Access Auditing
B. Audit Detailed File Share
C. Audit Other Account Logon Events

D. Audit File System in Object Access
ANSWER: D
Explanation:
References: https://technet.microsoft.com/en-us/library/cc976403.aspx
QUESTION NO: 11
You need to allow network administrators to use Just Enough Administration (JEA) to change the TCP/IP settings on
Server1. The solution must use the principle of least privilege.
How should you configure the session configuration file?
A. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.
B. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.
C. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Network Configuration Operators.
D. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Network Configuration Operators.

ANSWER: D
Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-
pssessionconfigurationfile?view=powershell-6
QUESTION NO: 12
You have a server named Server1.
You need to configure PowerShell logging to capture dynamic code generation. The solution must minimize the number of
events that are logged.
What should you configure?
A. protected event logging
B. script block logging
C. module logging
D. system-wide transcription
ANSWER: C
Explanation:
References:

https://www.rootusers.com/enable-and-configure-module-script-block-and-transcription-logging-in-windows-powershell/
QUESTION NO: 13
Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You deploy a new server named FinanceServer5, and join FinanceServer5 to the domain.
You need to ensure that the passwords of the local administrators of FinanceServer5 are available to the LAPS
administrators.
What should you do?
A. On FinanceServer5, register AdmPwd.dll.
B. On FinanceServer5, install the LAPS Windows PowerShell module.
C. In the domain, modify the permissions for the computer account of FinanceServer5.
D. In the domain, modify the permissions of the Domain Controllers organizational unit (OU).
ANSWER: A
Explanation:
References: https://gallery.technet.microsoft.com/Step-by-Step-Deploy-Local-7c9ef772
QUESTION NO: 14
You have a virtual machine named FS1 that runs Windows Server 2016.
FS1 has the shared folders shown in the following table.
You need to ensure that each user can store 10 GB of files in \\FS1\Users.
What should you do?
A. From File Explorer, open the properties of volume D, and then modify the Quota settings.
B. Install the File Server Resource Manager role service, and then create a file screen.
C. From File Explorer, open the properties of D:\Users, and then modify the Advanced sharing settings.
D. Install the File Server Resource Manager role service, and then create a quota.
ANSWER: D

Explanation:
References: https://docs.microsoft.com/en-us/windows-server/storage/fsrm/create-quota
QUESTION NO: 15
Your network contains an Active Directory domain.
You plan to implement Dynamic Access Control.
You need to create a central access rule that will grant permissions to users who have the Department attribute set to
Finance. The users must have access to resources that have the Department property set to Finance.
Which two actions should you perform before you create the central access rule? Each correct answer presents part of the
solution.
A. Enable a claim type
B. Create a central access policy
C. Create a resource property list
D. Enable a resource property
E. Create a claim type

ANSWER: CE
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-
steps-
QUESTION NO: 16
Your network contains an Active Directory domain named contoso.com. The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
The resources of the applications must be isolated from the physical host.
Each application must be prevented from accessing the resources of the other applications.

The configurations of the applications must be accessible only from the operating system that hosts the application.
Solution: You deploy a separate Hyper-V container for each application.
A. Yes
B. No
ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
QUESTION NO: 17
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2016. All client
computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You add User1 to the Backup Operators group in contoso.com.
A. Yes
B. No
ANSWER: A
Explanation:
References: https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx
QUESTION NO: 18

Your network contains an Active Directory domain named contoso.com. The domain contains four servers. The servers are
configured as shown in the following table.
You need to manage FS1 and FS2 by using Just Enough Administration (JEA).
What should you do before you can implement JEA?
A. Upgrade DC2 to Windows Server 2016.
B. Deploy Microsoft Identity Manager (MIM) 2016 to the domain.
C. Upgrade FS2 to Windows Server 2016.
D. Upgrade DC1 to Windows Server 2016.

ANSWER: C
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/jea/prerequisites
QUESTION NO: 19
You are deploying Microsoft Advanced Threat Analytics (ATA).
You create a user named User1.
You need to configure the user account of User1 as a Honeytoken account.
Which information must you use to configure the Honeytoken account?
A. The SAM account name of User1
B. The Globally Unique Identifier (GUID) of User1
C. the SID of User1
D. the UPN of User1

ANSWER: C
Explanation:

QUESTION NO: 20
You install the Windows Server Update Services server role on a member server named Server1. Server1 runs Windows
Server 2016.
You need to ensure that a user named User1 can perform the following tasks:
View the Windows Server Update Services (WSUS) configuration. Generate WSUS update reports.
The solution must use the principle of least privilege.
What should you do on Server1?
A. Modify the permissions of the ReportWebService virtual folder from the WSUS Administration website.
B. Add User1 to the WSUS Reporters local group.
C. Add User1 to the WSUS Administrators local group.
D. Run wsusutil.exe and specify the postinstall parameter.

ANSWER: C
Explanation:
References: https://technet.microsoft.com/en-us/library/hh852346(v=ws.11).aspx#BKMK_ConfigComputerGroups
QUESTION NO: 21
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is
repeated in each question. Each question presents a
different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is
Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have
an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that

contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is
linked to the AppServers OU.
You install Windows Defender on Nano1.
You need to execute D:\Folder1 on Nano1 from being scanned by Windows Defender.
Which cmdlet should you run?
A. Set-StorageSetting
B. Set-FsrmFileScreenException
C. Set-MpPreference
D. Set-DtcAdvancedSetting
ANSWER: C
Explanation:
References: http://www.thomasmaurer.ch/2016/07/how-to-disable-and-configure-windows-defender-on-windows-server-
2016-using-powershell/
QUESTION NO: 22
You network contains an Active Directory forest named contoso.com. All domain controllers run Windows Server 2016.
Member servers run either Windows Server 2012 R2 or Windows Server 2016. Client computers run either Windows 8.1 or
Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are
transferred over the network.
Solution: You disable SMB 1.0 on all the computers in the domain, and then you enable the Encrypt data access option on
each file share.
A. Yes
B. No
ANSWER: B
Explanation:
QUESTION NO: 23

A Group Policy object (GPO) named GPO1 is applied to all of the domain controllers. GPO1 has a Globally Unique Identifier
(GUID) of 6AC1786C-016F-11D2-945F00C04fB984F9.
You need to create a new baseline that contains the settings from GPO1.
What should you do first?
A. Copy the \\contoso.com\sysvol\contoso.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9} folder to Server1.
B. From Group Policy Management, create a backup of GPO1.
C. From Microsoft Security Compliance Manager, associate a baseline.
D. From a command prompt, run the secedit.exe command and specify the /export parameter.
ANSWER: B
Explanation:
References: https://technet.microsoft.com/en-us/library/hh489604.aspx
QUESTION NO: 24
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be
correct for more than one question in the series. Each question is independent of the other questions in this series.
Information and details provided in a question apply only to that question.
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether ICMP traffic is exempt from IPsec on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
ANSWER: D
Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallsetting?view=win10-ps

QUESTION NO: 25
You have a Hyper-V host named Server1 that hosts the virtual machines shown in the following table.
You plan to encrypt the operating system drive on the virtual machines.
On which virtual machines can you use a TPM protector for BitLocker Drive Encryption (BitLocker)?
A. VM3 and VM4 only
B. VM1, VM2, VM3, and VM4
C. VM4 only
D. VM2 and VM4 only

ANSWER: A
Explanation:
Virtual TPM is only available in Generation 2 VMs.
QUESTION NO: 26
You have a guarded fabric that consists of the servers shown in the following table.
You need to ensure that you can start the shielded virtual machines on the Hyper-V hosts if the Hyper-V hosts cannot
connect to the HGS.
What should you do?
A. On Server1, run Set-HgsKeyProtectionConfiguration.
B. On Server1, Server2, and Server3, configure admin-trusted attestation.

C. On Server1, run Set-HgsKeyProtectionAttestationSignerCertificatePolicy.
D. On Server4 and Server5, disable the heartbeat integration service on the shielded virtual machines.
ANSWER: B
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-admin-trusted-
attestation-creating-a-security-group
HOTSPOT
You plan to implement Windows Defender Device Guard in your datacenter.
You build a model server that contains all the drivers and the software that you want to deploy and secure.
You need to create a new policy to ensure that only whitelisted files can be loaded to the servers. The policy must be in
enforcement mode.
How should you complete the commands? To answer, select the appropriate options in the answer area.
Hot Area:
ANSWER:

Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/configci/new-cipolicyrule?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/configci/set-ruleoption?view=win10-ps
QUESTION NO: 28
You have a Host Guardian Service (HGS) and a guarded host.
You have a VHDX file that contains an image of Windows Server 2016.
You need to provision a virtual machine by using a shielded template.
Which three files should you create? Each correct answer presents part of the solution.
A. a TPM baseline policy file
B. a TPM identifier file
C. a shielding data .pdk file
D. a signature for the .vhdx file
E. an unattended.xml file
ANSWER: CDE
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-create-a-
shielded-vm-template https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-
tenant-creates-shielding-data
QUESTION NO: 29

Server1 has a shared folder named Share1.
You need to ensure that all access to Share1 uses SMB Encryption.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)

ANSWER: C
Explanation:
References: https://support.microsoft.com/en-za/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-
windows-vista,-windows-server-2008,-windows-7,-windowsserver-2008-r2,-windows-8,-and-windows-server-2012
https://blogs.technet.microsoft.com/filecab/2012/05/03/smb-3-security-enhancements-in-windows-server-2012/
QUESTION NO: 30
You have a file server named Server1 that runs Windows Server 2016.
A new policy states that ZIP files must not be stored on Server1.
An administrator creates a file screen filter as shown in the following output.

You need to prevent users from storing ZIP files on Server1.
What should you do?
A. Change the filter to active.
B. Enable Quota Management on all the drives.
C. Add a template to the filter.
D. Configure File System (Global Object Access Auditing).

ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/storage/fsrm/create-file-screen
QUESTION NO: 31
You have the servers configured as shown in the following table.
You purchase a Microsoft Azure subscription, and you create three Microsoft Operations Management Suite (OMS)
workspaces named Workspace1, Workspace2, and Workspace3.
You need to deploy Microsoft Monitoring Agent to the servers to meet the following requirements:
Antimalware data from all the servers must be visible in Workspace1.
Security and audit data from the domain controllers and the virtualization hosts must be visible in Workspace2. System
update data from all the servers in all the workgroups must be visible in Workspace3.
How many OMS agents should you deploy?
A. 6
B. 33
C. 73
D. 91
ANSWER: C
Explanation:
References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent
QUESTION NO: 32
Your company has an accounting department.
The network contains an Active Directory domain named contoso.com. the domain contains 10 servers.
You deploy a new server named Server11 that runs Windows Server 2016. Server11 will host several network applications
and network shares used by the accounting department.
You need to recommend a solution for Server11 that meets the following requirements:
Protects Server11 from address spoofing and session hijacking
Allows only the computers in the accounting department to connect to Server11
What should you recommend implementing?
A. Just Enough Administration (JEA)
B. AppLocker rules
C. Privileged Access Management (PAM)
D. connection security rules

ANSWER: D
Explanation:
References: https://support.microsoft.com/en-us/help/942957/security-rules-for-windows-firewall-and-for-ipsec-based-
connections-in
HOTSPOT
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain. You install the ATA Gateway on a server
named Server1.
To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect events.
You need to configure the query filter for event subscriptions on Server1.
How should you configure the query filter? To answer, select the appropriate options in the answer are.
Hot Area:

ANSWER:
Explanation:
References: https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
HOTSPOT
Your network contains an Active Directory domain named adatum.com.
The domain contains a server named Server1 that runs Windows Server 2016. The domain contains two users named User1
and User2.
On Server1, you create two files named File1.doc and File2.doc in a folder named C:\Folder1.
The Audit Entry for File1.doc is configured as shown in the File1 exhibit. (Click the File1 tab.)

File2.doc has an empty auditing entry list.
The Auditing Entry for Global File SACL that applies to Server1 is configured as shown in the SACL exhibit. (Click the SACL
tab.)

The Advanced Audit Policy Configuration for Server1 is configured as shown in the Audit Policy exhibit. (Click the Audit
Policy tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
ANSWER:

Explanation:
References:
http://sourcedaddy.com/windows-7/auditing-file-and-folder-access.html
QUESTION NO: 35
Your network contains an Active Directory domain named contoso.com. The domain contains servers that run Windows
Server 2016.
You enable Remote Credential Guard on a server named Server1.
You have an administrative computer named Computer1 that runs Windows10. Computer 1 is configured to require Remote
Credential Guard.
You sign in to Computer1 as Contoso\User1.
You need to establish a remote Desktop session to Server1 as Contoso\ServerAdmin1.
A. Run the mstsc.exe /remoteGuard command.
B. Install the Universal Windows Platform (UWP) Remote Desktop application.
C. Sign in to Computer1 as Contoso\ServerAdmin1.
D. Turn on virtualization based security.

ANSWER: C
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard#reqs
QUESTION NO: 36
You have a file server named FS1 that runs Windows Server 2016.
You plan to disable SMB 1.0 on the server.

You need to verify which computers access FS1 by using SMB 1.0.
What should you run first?
A. Debug-FileShare
B. Set-FileShare
C. Set-SmbShare
D. Set-SmbServerConfiguration
E. Set-SmbClientConfiguration
ANSWER: D
Explanation:
QUESTION NO: 37
You need to ensure that the marketing department computers validate DNS responses from adatum.com.
Which setting should you configure in the Computer Configuration node of GP1?
A. TCPIP Settings from Administrative Templates
B. Connection Security Rule from Windows Settings

C. DNS Client from Administrative Templates
D. Name Resolution Policy from Windows Settings

ANSWER: D
Explanation:
References: https://technet.microsoft.com/en-us/library/ee649182(v=ws.10).aspx
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain functional level is Windows Server
2016. The domain contains a member server named Server1.
You test Code Integrity on Server1 in audit mode.
You need to enforce the Code Integrity levels on all the Windows Server 2016 servers in the domain.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the
answer area and arrange them in the correct order.
Select and Place:
ANSWER:

Explanation:
References:
https://blogs.technet.microsoft.com/datacentersecurity/2018/03/10/default-code-integrity-policy-for-windows-server/
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a VPN server named VPN1.
You are deploying Advanced Threat Analytics (ATA) to the domain.
You install ATA Lightweigtht Gateway on a server named Server1.
You need to integrate VPN1 and ATA.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:

ANSWER:
Explanation:
References:
https://docs.microsoft.com/en-us/advanced-threat-analytics/vpn-integration-install-step
QUESTION NO: 40

the review screen.
You manage a file server that runs Windows Server 2016. The file server contains the volumes configured as shown in the
following table.
You need to encrypt DevFiles by using BitLocker Drive Encryption (BitLocker).
Solution: You run the manage-bde.exe command and specify the –lock parameter.
A. Yes
B. No
ANSWER: B
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-lock
QUESTION NO: 41
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1.
Server1 is configured as shown in the following table.
You plan to create a pilot deployment of Microsoft Advanced Threat Analytics (ATA).
You need to install the ATA Center on Server1.

A. Install Microsoft Security Compliance Manager (SCM).
B. Obtain an SSL certificate.
C. Assign an additional IPv4 address.
D. Remove Server1 from the domain.

ANSWER: C
Explanation:
References: https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/install-ata-step1
DRAG DROP
You have two servers named Server1 and Server2 that run Windows Server 2016. The servers are in a workgroup.
You need to create a security template that contains the security settings of Server1 and to apply the template to Server2.
The solution must minimize administrative effort.
Which snap-in should you use for each server? To answer, drag the appropriate snap-ins to the correct servers. Each snap-
in may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view
content.
Select and Place:

ANSWER:
Explanation:
References: https://www.windows-server-2012-r2.com/security-templates.html

QUESTION NO: 43
has the Windows Server Update Services server role installed.
You need to configure Windows Server Update Services (WSUS) on Server5 to use SSL.
You install a certificate in the local Computer store.
Which two tools should you use? Each correct answer presents part of the solution.
A. Wsusutil
B. Netsh
C. Internet Information Services (IIS) Manager
D. Server Manager
E. Update Services
ANSWER: AE
Explanation:
References: https://technet.microsoft.com/en-us/library/hh852346(v=ws.11).aspx#bkmk_3.5.ConfigSSL
QUESTION NO: 44
Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that
run Windows 8.1 and 1,000 client computers that run Windows 10.
You deploy a Windows Server Update Services (WSUS) server. You create a computer group for each organizational unit
(OU) that contains client computers. You configure all of the client computers to receive updates from WSUS.
You discover that all of the client computers appear in the Unassigned Computers computer group in the Update Services
console.
You need to ensure that the client computers are added automatically to the computer group that corresponds to the location
of the computer account in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From Group Policy objects (GPOs), configure the Enable client-side targeting setting.
B. From the Update Services console, configure the Computers option.
C. From Active Directory Users and Computers, create a domain local distribution group for each WSUS computer group.
D. From Active Directory Users and Computers, modify the flags attribute of each OU.
ANSWER: AB
Explanation:
References:

https://technet.microsoft.com/en-us/library/dd252762.aspx https://technet.microsoft.com/en-
us/library/cc720433(v=ws.10).aspx
QUESTION NO: 45
You have a server named Server1 that runs Windows Server 2016. Server1 contains a folder named Folder1. Folder1 is
shared as Share1.
You need to enable SMB encryption for Share1.
What should you do?
A. From Shared Folders, modify the Security settings of Share1
B. From File and Storage Services in Server Manager, modify the properties of Share1
C. From File Explorer, modify the Advanced Sharing settings of Share1
D. From File Explorer, modify the Security settings of Folder1

ANSWER: B
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-security
QUESTION NO: 46
Solution: You deploy one Windows container to host all of the applications.
A. Yes
B. No

ANSWER: B
Explanation:
References: https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
QUESTION NO: 47
You need to identify whether any connection security rules are configured on Server1.
A. Get-NetIPSecRule
ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netipsecrule?view=win10-ps
QUESTION NO: 48
You configure Just Enough Administration (JEA) on Server1.
You need to view a list of commands that will be available to a user named User1 when User1 establishes a JEA session to
Server1.
A. Get-PSSessionCapability
B. Trace-Command

C. Show-Command
D. Get-PSSessionConfiguration
ANSWER: A
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/get-pssessioncapability?view=powershell-
6&viewFallbackFrom=powershell-5.0.
QUESTION NO: 49
Your network contains an Active Directory forest named contoso.com. The functional level of the forest and the domain is
You plan to use Local Administrator Password Solution (LAPS) for all member servers. You need to prepare the forest for
LAPS.
A. Run the Set-AdmPwdComputerSelfPermission cmdlet.
B. Install the LAPS client-side extension on all domain controllers.
C. Run the Update-AdmPwdADSchema cmdlet.
D. Run the Set-AdmPwdAuditing cmdlet.
E. Deploy an enterprise certification authority (CA).

ANSWER: AC
Explanation:
References:
https://blog.thesysadmins.co.uk/deploying-microsoft-laps-part-1.html
HOTSPOT
You have a Hyper-V host named Server1 that runs Windows Server 2016. A new security policy states that all the virtual
machines must be encrypted.
Server1 hosts the virtual machines configured as shown in the following table.

An administrator runs the following commands:
Get-VM | Stop-VM
Get-VM | Update-VMVersion Get-VM | Start-VM
Hot Area:
ANSWER:
Explanation:
References:
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/virtualization/hyper-v/What-s-new-in-
Hyper-V-on-Windows.md

QUESTION NO: 51
Your network contains an Active Directory domain named contoso.com. The domain contains two DNS servers that run
Windows Server 2016. The servers host two zones named contoso.com and admin.contoso.com.
You sign both zones.
You need to ensure that all client computers in the domain validate the zone records when they query the zone.
What should you deploy?
A. a Microsoft Security Compliance manager (SCM) policy
B. a Name Resolution Policy Table (NRPT)
C. a zone transfer policy
D. a connection security rule

ANSWER: B
Explanation:
References: https://nedimmehic.org/2017/04/04/how-to-deploy-and-configure-dns-2016-part5/
QUESTION NO: 52
following table.
Solution: You run the Lock-BitLocker cmdlet.
A. Yes
B. No

ANSWER: B
Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/bitlocker/lock-bitlocker?view=win10-ps
QUESTION NO: 53
You plan to enable Credential Guard on four servers. Credential Guard secrets will be bound to the TPM.
The servers run Windows Server 2016 and are configured as shown in the following table.
You need to identify which server you must modify to support the planned implementation.
Which server should you identify?
A. Server1
B. Server2
C. Server3
D. Server4
ANSWER: D
Explanation:
References: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements
HOTSPOT
You have a backup of a Group Policy object (GPO) named GPO1 that has the following settings:
Change the system time: User1
Minimum password length: 12 characters

Password must meet complexity requirements: Disabled
You have a backup of a GPO named GPO2 that has the following settings:
Password must meet complexity requirements: Not Defined
You create a GPO named GP03 that has the following settings:
Password must meet complexity requirements: Enabled
You import the GPO1 settings into GP03, and then you import the GPO2 settings into GPO3. You need to identify the GPO3
settings after the imports.
What should you identity? To answer, select the appropriate options of the answer area.
Hot Area:
ANSWER:

Explanation:
References: https://searchwindowsserver.techtarget.com/feature/Group-Policy-Management-Console
QUESTION NO: 55
Your network contains an Active Directory forest named corp.contoso.com.
You are implementing Privileged Access Management (PAM) by using a bastion forest named priv.contoso.com.
You need to create shadow groups in priv.contoso.com.
A. New-RoleGroup
B. New-PamRole
C. New-ADGroup
D. New-PamGroup
ANSWER: D
Explanation:
References: https://docs.microsoft.com/en-us/powershell/identitymanager/mimpam/vlatest/new-pamgroup

QUESTION NO: 56
A Group Policy object (GPO) named GPO1 is applied to all of the domain controllers. GPO1 has a Globally Unique Identifier
(GUID) of 6AC1786C-016F-11D2-945F00C04fB984F9.
You need to create a new baseline that contains the settings from GPO1.
A. Copy the \\contoso.com\sysvol\contoso.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9} folder to Server1.
B. From Windows PowerShell, run the Backup-GPO cmdlet.
C. Modify the permissions of the \\contoso.com\sysvol\contoso.com\Policies\6AC1786-016F-11D2-945F-00C04fB984F9)

folder.
D. From Windows PowerShell, run the Copy-GPO cmdlet.

ANSWER: B
Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/backup-gpo?view=win10-ps
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains a user named User1 and a
computer named Computer1. Remote Server Administration Tools (RSAT) is installed on Computer1.
You need to add User1 as a data recovery agent in the domain.
Select and Place:

ANSWER:

Explanation:
References: https://msdn.microsoft.com/library/cc875821.aspx#EJAA
https://www.serverbrain.org/managing-security-2003/using-the-cipher-command-to-add-data-recovery-agent.html
QUESTION NO: 58
Your network contains an Active Directory forest named contoso.com. You deploy another Active Directory forest named
admin.contoso.com.
You create a trust relationship between the two forests. The trust relationship has the following configurations:
SID history is disabled
SID filtering is disabled
You need to implement Privileged Access Management (PAM) and to specify admin.contoso.com as an administrative
forest. What should you do?
A. Run netdom.exe and specify the /quarantine switch.
B. Enable SID filtering on the trust.
C. Run netdom.exe and specify the /transitive switch.

D. Enable SID history on the trust.
ANSWER: C
Explanation:
References: https://www.petri.com/windows-server-2016-set-privileged-access-management
QUESTION NO: 59
You have several servers that run Windows Server 2016. All the servers were recently configured to use a new Windows
Server Update Services (WSUS) server named WSUS1. WSUS1 is configured to download updates as shown in the exhibit.
(Click the Exhibit tab.)
You discover that the servers have out-of-date Windows Defender definitions. The servers receive security updates from
WSUS1.
You need to ensure that the servers receive the latest Windows Defender definitions.
What should you do?

A. Create a new computer group in WSUS
B. Create an auto-approval rule in WSUS
C. Modify the products and classifications in WSUS
D. Create a new Group Policy object (GPO) that contains the Automatic Updates settings
ANSWER: D
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-
schedule-windows-defender-antivirus
QUESTION NO: 60
You have a Hyper-V host named Hyper1 that has a virtual machine named FS1. FS1 is a file server that contains sensitive
data.
You need to secure FS1 to meet the following requirements:
Prevent console access to FS1.
Prevent data from being extracted from the VHDX file of FS1.
A. Disable all the Hyper-V integration services for FS1.
B. On Hyper1, enable BitLocker Drive Encryption (BitLocker) for the drive that contains the VHDX file for FS1.
C. Disable the virtualization extensions for FS1.
D. Enable shielding for FS1.
E. Enable BitLocker Drive Encryption (BitLocker) for all the volumes on FS1.
ANSWER: DE
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-
shielded-vms
QUESTION NO: 61
run Windows 10.

A security audit reveals that the network recently experienced a Pass-the-Hash attack. The attack was initiated from a client
computer and accessed Active Directory objects restricted to the members of the Domain Admins group.
You need to minimize the impact of another successful Pass-the-Hash attack on the domain.
What should you recommend?
A. Move the computer accounts of the domain controllers to a new organizational unit (OU). Remove the permissions to the
new OU from the Domain Admins group.
B. Configure the Domain Admins groups as a restricted group.
C. Remove all the members from the Domain Admins group, and then remove the Domain Admins group from all other
groups.
D. Instruct all administrators to use a restricted Remote Desktop connection when they sign in to a client computer
ANSWER: B
Explanation:
References: https://download.microsoft.com/download/7/7/a/77abc5bd-8320-41af-863c-6ecfb10cb4b9/mitigating%20pass-
the-hash%20(pth)%20attacks%20and%20other%
20credential%20theft%20techniques_english.pdf
HOTSPOT
You plan to implement a guarded fabric in TPM-trusted attestation mode. The fabric will contain a three-node Host Guardian
Service (HGS) cluster and four guarded hosts.
All the hosts will have matching hardware and will run the same workload.
You need to add the hosts to the HGS cluster.
What is the minimum number of times you must run each cmdlet to implement the HGS cluster? To answer, select the
appropriate options in the answer area.
Hot Area:

ANSWER:
Explanation:

References: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-tpm-
trusted-attestation-capturing-hardware
QUESTION NO: 63
Multiple resource properties are defined in the domain.
Server1 has a volume named Volume1.
You need to view the classification properties that have been configured on Volume1.
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer

ANSWER: A
Explanation:
References:
https://blog.netwrix.com/2018/05/22/microsoft-file-classification-infrastructure-fci-explained/
QUESTION NO: 64
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1
that runs Windows Server 2016.
You need to create Work Folders on Server1.

A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer

ANSWER: C
Explanation:
References:
https://blogs.technet.microsoft.com/canitpro/2015/01/19/step-by-step-creating-a-work-folders-test-lab-deployment-in-
windows-server-2012-r2/ https://technet.microsoft.com/en-us/library/dn265974(v=ws.11).aspx
QUESTION NO: 65
On Server1, administrators plan to use several scripts that have the .ps1 extension.
You need to ensure that when code is generated from the scripts, an event containing the details of the code is logged in the
Operational log.
Which Group Policy setting or settings should you configure?
A. Audit Process Creation and Audit Process Termination
B. Turn on PowerShell Transcription
C. Enable Protected Event Logging
D. Turn on PowerShell Script Block Logging

ANSWER: D
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/wmf/whats-new/script-logging
QUESTION NO: 66

the review screen.
Solution: You deploy 10 physical computers and configure them as virtualization hosts. You configure the operating system
on each host as a PAW. You create a guest virtual machine by using the customized Windows image.
A. Yes
B. No
ANSWER: B
Explanation:
References:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
QUESTION NO: 67
The local administrator credentials of Server1 are managed by using the Local Administrator Password Solution (LAPS).
You need to retrieve the password of the Administrator account on Server1.
What should you do?
A. From Windows PowerShell on Server1, run the Get-ADFineGrainedPasswordPolicy cmdlet and specify the –Credential
parameter
B. From Active Directory Users and Computers, open the properties of Server1 and view the value of the ms-Mcs-AdmPwd
attribute
C. From Active Directory Users and Computers, open the properties of Administrator and view the value of the
userPassword attribute
D. From Windows PowerShell on Server1, run the Get-ADUser cmdlet and specify the –Credential parameter
ANSWER: B
Explanation:
References: http://woshub.com/manage-local-administrator-passwords-with-laps/

QUESTION NO: 68
following table.
Solution: You run the manage-bde.exe command and specify the –on parameter.
A. Yes
B. No
ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-on
QUESTION NO: 69
The network contains a server named Server1. Server1 is in a workgroup. Server1 contains sensitive data and will be
accessed by a domain-joined computer named Computer1.
You need to create connection security rules to encrypt the data sent between Server1 and Computer1.
You need to identify which authentication method to use for the connection security rules. The solution must use the most
secure method possible.
Which authentication method should you identify?
A. Kerberos V5
B. a computer certificate
C. a preshared key

D. NTLMv2
ANSWER: A
Explanation:
References: https://www.sciencedirect.com/topics/computer-science/connection-security-rule
https://blogs.msdn.microsoft.com/james_morey/2005/06/20/ipsec-and-certificate-authentication/
QUESTION NO: 70
Solution: You deploy 10 physical computers and configure each one as a virtualization host. You deploy the operating
system on each host by using the customized Windows image. On each host, you create a guest virtual machine and
configure the virtual machine as a PAW.
A. Yes
B. No
ANSWER: B
Explanation:
workstations
QUESTION NO: 71
You network contains an Active Directory forest named contoso.com. All domain controllers run Windows Server 2016.
Member servers run either Windows Server 2012 R2 or Windows Server 2016. Client computers run either Windows 8.1 or
Windows 10.

You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are
transferred over the network.
Solution: You enable access-based enumeration on all the file shares.
A. Yes
B. No
ANSWER: B
Explanation:
HOTSPOT
repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is
exactly the same in each question in this series.
Start of repeated scenario.
End of repeated scenario.
You need to configure Nano1 as a Hyper-V host.
Which command should you run? To answer, select the appropriate options in the answer area.

Hot Area:
ANSWER:
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server

HOTSPOT
Your network contains an Active Directory domain named adatum.com. The domain contains a server named SAerver1 that
runs Windows Server 2016 and a group named Group1. A user named user1 is the only member of Group1.
You plan to implement Just Enough Administration (JEA) on Server1.
You create a role capacity file that contains the following content.
You create a session configuration that contains the following content.
You register a JEA endpoint by using the- Name Role1 parameter.
Hot Area:

ANSWER:
Explanation:
References:
https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/
https://docs.microsoft.com/en-us/powershell/jea/using-jea https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
QUESTION NO: 74
You are creating a Nano Server image for the deployment of 10 servers.
You need to configure the servers as guarded hosts that use Trusted Platform Module (TPM) attestation.
Which three packages should you include in the Nano Server image? Each correct answer presents part of the solution.
A. Microsoft-NanoServer-SCVMM-Compute-Package
B. Microsoft-NanoServer-SecureStartup-Package

C. Microsoft-NanoServer-Compute-Package
D. Microsoft-NanoServer-ShieldedVM-Package
E. Microsoft-NanoServer-Storage-Package
F. Microsoft-NanoServer-SCVMM- Package
ANSWER: BCD
Explanation:
References: https://docs.microsoft.com/en-us/system-center/vmm/guarded-deploy-host?toc=/windows-server/virtualization/
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server
QUESTION NO: 75
The network contains a server named Server1. Server1 is in a workgroup.
You need to create a backup of the local Group Policy on Server1 that you can import into a Group Policy object (GPO) in
the domain.
A. lgpo.exe
B. Local Group Policy Editor
C. Group Policy Management
D. Backup-GPO
ANSWER: A
Explanation:
References:
http://woshub.com/backupimport-local-group-policy-settings/
QUESTION NO: 76
Your network contains an Active Directory domain. All the computers in the domain are configured for the Local
Administrator Password Solution (LAPS). The Group Policy object (GPO) settings for LAPS are configured as shown in the
exhibit. (Click the Exhibit tab.)

You provide a technician with the local administrator password for a computer named Computer1.
What is the maximum amount of time the password will be valid?
A. 30 minutes
B. 3 days
C. 30 days
D. 365 days
ANSWER: C
Explanation:
References:
https://www.reddit.com/r/sysadmin/comments/712049/laps_password_expiration_time_password_age/
HOTSPOT
You network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Secure that contains all server.
You install Microsoft Security Compliance Manager (SCM) 4.0 on a server named Server1.
You need to export the SCM Print Server Security baseline and to deploy the baseline to a server named Server2.
Hot Area:

ANSWER:
Explanation:
References: http://www.techrepublic.com/blog/it-security/use-ms-security-compliance-manager-to-secure-your-windows-
environment/ https://technet.microsoft.com/en-us/library/hh489604.aspx
QUESTION NO: 78
You deploy Advanced Threat Analytics (ATA) to Server1.
You need to move the ATA database to a different folder.
Which configuration file should you modify?
A. Config.json
B. Web.config

C. Config.xml
D. Mongod.cfg
ANSWER: D
Explanation:
References: https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-database-management
QUESTION NO: 79
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Kerberos Policy.
A. Yes
B. No
ANSWER: B
Explanation:
References: https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
HOTSPOT
Your network contains two Active Directory forests named adatum.com and priv.adatum.com.
You deploy Microsoft Identity Manager (MIM) 2016 to the priv.adatum.com domain, and you implement Privileged Access
Management (PAM).
You create a PAM role named Group1 as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in
the graphic.
Hot Area:
ANSWER:

Explanation:
References:https://tlktechidentitythoughts.wordpress.com/2016/09/07/mim-2016-setting-up-privileged-access-management-
pam-in-an-existing-domain-using-the-built-inpam-tool/
QUESTION NO: 81
You need to encrypt the contents to Share1.
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer

ANSWER: A
Explanation:

References: https://msdn.microsoft.com/en-us/library/dd163562.aspx
QUESTION NO: 82
Your network contains an internal network and a perimeter network. The internal network contains an Active Directory forest
named contoso.com.
You deploy five servers to the perimeter network. All of the servers run Windows Server 2016 and are the members of a
workgroup.
You need to apply a security baseline named Perimeter.inf to the servers in the perimeter network. What should you use to
apply Perimeter.inf?
A. Security Configuration and Analysis
B. Group Policy Management
C. System Configuration
D. Server Manager
ANSWER: A
Explanation:
References:
https://4sysops.com/archives/security-compliance-manager-deploy-baselines/#deploy-a-baseline-to-a-workgroup-server
QUESTION NO: 83
A technician is testing the deployment of Credential Guard on Server1.
You need to verify whether Credential Guard is enabled on Server1.
What should you do?
A. From Control Panel, open Credential Manager, and review the list of Windows Credentials.
B. From System Information, review System Summary.
C. From a command prompt, run the tsecimp.exe command.
D. From Server Manager, click Local Server, and review the properties of Server1.
ANSWER: B
Explanation:
Reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage

QUESTION NO: 84
Solution: On Server1, you enable the Containers feature, and then you restart the server.
A. Yes
B. No
ANSWER: B
Explanation:
References: https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploy-containers-on-
server
QUESTION NO: 85
You need to identify the default action for the inbound traffic when Server1 connects to the domain.
A. Get-NetIPSecRule
ANSWER: C

Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallprofile?view=win10-ps
QUESTION NO: 86
the review screen.
Solution: You deploy one Hyper-V container to host all of the applications.
A. Yes
B. No
ANSWER: B
Explanation:
References:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
QUESTION NO: 87
Microsoft Advanced Threat Analytics (ATA) is deployed to the domain.
A database administrator named DBA1 suspects that her user account was compromised.
Which three events can you identify by using ATA? Each correct answer presents a complete solution.
A. Domain computers into which DBA1 recently signed.
B. Phishing attempts that targeted DBA1.

C. The last time DBA1 experienced a failed logon attempt.
D. Spam messages received by DBA1.
E. Servers that DBA1 recently accessed.

ANSWER: ACE
Explanation:
References: https://github.com/MicrosoftDocs/ATADocs/blob/master/ATADocs/suspicious-activity-guide.md
QUESTION NO: 88
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2016.
The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 4.0 installed.
You export the baseline shown in the following exhibit.
You have a server named Server2 that is a member of a workgroup.
You copy the {2617e9b1-9672-492b-aefa-0505054848c2} folder to Server2.
You need to deploy the baseline settings to Server2.
What should you do?
A. Download, install, and then run the Lgpo.exe command.
B. From Group Policy Management, import a Group Policy object (GPO).
C. From Windows PowerShell, run the Restore-GPO cmdlet.
D. From Windows PowerShell, run the Import-GPO cmdlet.
E. From a command prompt, run the secedit.exe command and specify the/import parameter.

ANSWER: D
Explanation:
References: https://anytecho.wordpress.com/2015/05/22/importing-group-policies-using-powershell-almost/
QUESTION NO: 89
You work for a hosting company named Contoso, Ltd.
Contoso has multiple Hyper-V hosts that run Windows Server 2016.
You are configuring Software Defined Networking (SDN).
You need to configure Datacenter Firewall to control the traffic to virtual machines.
A. Set-Acl
B. Grant-VMConnectAccess
C. New-NetworkControllerAccessControlList
D. New-NetFirewallRule
ANSWER: C
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/networking/sdn/manage/configure-datacenter-firewall-acls
https://docs.microsoft.com/en-us/powershell/module/networkcontroller/new-networkcontrolleraccesscontrollist?view=win10-
ps
QUESTION NO: 90
run Windows 10.
A security audit reveals that the network recently experienced a Pass-the-Hash attack. The attack was initiated from a client
computer and accessed Active Directory objects restricted to the members of the Domain Admins group.
You need to minimize the impact of another successful Pass-the-Hash attack on the domain.
What should you recommend?
A. Instruct all users to sign in to a client computer by using a Microsoft account.
B. Move the computer accounts of all the client computers to a new organizational unit (OU). Remove the permissions to the
C. Instruct all administrators to use a local Administrators account when they sign in to a client computer.
D. Move the computer accounts of the domain controllers to a new organizational unit (OU). Remove the permissions to the

ANSWER: C
Explanation:
References: https://en.wikipedia.org/wiki/Pass_the_hash#Mitigations
DRAG DROP
Your network contains an Active Directory domain. The domain contains a server named Server1.
You install Advanced Threat Analytics (ATA) on Server1.
You need to configure ATA to detect suspicious activities in the domain.
Select and Place:
ANSWER:

Explanation:
References:
QUESTION NO: 92
Your network contains an Active Directory domain named contoso.com. The domain contains several shielded virtual
machines.
You deploy a new server named Server1 that runs Windows Server 2016.
You install the Hyper-V server role on Server1.
You need to ensure that you can host shielded virtual machines on Server1.
What should you install on Server1?
A. Host Guardian Hyper-V Support
B. the Windows Biometric Framework (WBF)
C. VM Shielding Tools for Fabric Management
D. BitLocker Network Unlock

ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-guarded-
host-prerequisites
QUESTION NO: 93

Solution: You deploy a separate Windows container for each application.
A. Yes
B. No
ANSWER: A
Explanation:
References:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
HOTSPOT
You manage a guarded fabric in TPM-trusted attestation mode.
You plan to create a virtual machine template disk for shielded virtual machines.
You need to create the virtual machine disk that you will use to generate the template.
How should you configure the disk? To answer, select the appropriate options in the answer area.
Hot Area:

ANSWER:
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-configuration-
scenarios-for-shielded-vms-overview https://docs.microsoft.com/en-us/system-center/dpm/what-s-new-in-dpm-
2016?view=sc-dpm-1801

HOTSPOT
The services on Server1 are shown in the following output.
Server1 has the AppLocker rules configured as shown in the exhibit. (Click the Exhibit button.)
Rule1 and Rule2 are configured as shown in the following table.
Hot Area:

ANSWER:
Explanation:
HOTSPOT
Your network contains two Active Directory forests named contoso.com and adatum.com. Contoso.com contains a Hyper-V
host named Server1. Server1 is a member of a group named HyperHosts. Adatum.com contains a server named Server2,
that is configured for Admin-trusted attestation. Server1 and Server2 run Windows Server 2016.
Contoso.com trusts adatum.com.
You plan to deploy shielded virtual machines to Server1.
Which component should you install and which cmdlet should you run on Server1? To answer, select the appropriate options
in the answer area.
Hot Area:

ANSWER:
Explanation:
References: https://blogs.technet.microsoft.com/datacentersecurity/2016/03/16/windows-server-2016-and-host-guardian-
service-for-shielded-vms/ https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-
fabric-guarded-host-prerequisites
QUESTION NO: 97

Solution: On Server1, you enable the Containers feature, and then you install the PowerShell for Docker module. You restart
the server.
A. Yes
B. No
ANSWER: A
Explanation:
server
QUESTION NO: 98
The domain contains two global groups named Group1 and Group2. A user named User1 is a member of Group1.
You have an organizational unit (OU) named OU1 that contains the computer accounts of computers that contain sensitive
data. A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table.
You need to prevent User1 from signing in to Computer1.
What should you do?
A. Remove User1 to Group2
B. In GPO1, add Group1 as a restricted group
C. On Computer1, modify the Allow log on locally user right
D. In GPO1, add Group2 as a restricted group

ANSWER: A
Explanation:
“Deny log on locally”

Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment Determines which
users are prevented from logging on at the computer.
This policy setting supercedes the Allow Log on locally policy setting if an account is subject to both policies.
Therefore, adding User1 to Group2 will let User1 to inherit both policy, and then prevent User1 to sign in to Computer1.
References:
https://technet.microsoft.com/en-us/library/cc957048.aspx
QUESTION NO: 99
Your network contains an Active Directory forest named contoso.com.
The network is connected to the Internet.
You have 100 point-of-sale (POS) devices that run Windows 10. The devices cannot access the Internet.
You deploy Microsoft Operations Management Suite (OMS).
You need to use OMS to collect and analyze data from the POS devices.
A. Deploy Windows Server Gateway to the network.
B. Install the OMS Log Analytics Forwarder on the network.
C. Install Microsoft Data Management Gateway on the network.
D. Install the Simple Network Management Protocol (SNMP) feature on the devices.
E. Add the Microsoft NDIS Capture service to the network adapter of the devices.
ANSWER: B
Explanation:
References: https://blogs.technet.microsoft.com/msoms/2016/03/17/oms-log-analytics-forwarder/
HOTSPOT
host named Server1. Server1 is a member of a group named HyperHosts. Adatum.com contains a server named Server2.
Server1 and Server2 run Windows Server 2016.
You plan to deploy shielded virtual machines to Server1.
in the answer area.

Hot Area:
ANSWER:
Explanation:
service-for-shielded-vms/
HOTSPOT
You have 10 Hyper-V hosts that run Windows Server 2016.
Each Hyper-V host has eight virtual machines that run a distributed web application named App1.
You plan to implement a Software Load Balancing (SLB) solution for client access to App1.

You deploy two new virtual machines named SLB1 and SLB2.
You need to install the required components on the Hyper-V hosts and the new servers for the planned implementation.
Which components should you install? To answer, select the appropriate options in the answer area.
Hot Area:
ANSWER:

Explanation:
References: https://blogs.technet.microsoft.com/tip_of_the_day/2016/06/28/tip-of-the-day-demystifying-software-
definednetworking-terms-the-components/ https://technet.microsoft.com/en-us/library/mt632286.aspx
QUESTION NO: 102
Solution: From Windows PowerShell, you run the New-ADAuthenticationPolicy cmdlet.
A. Yes

B. No
ANSWER: B
Explanation:
QUESTION NO: 103
the review screen.
Solution: You add User1 to the Backup Operators group on Server1 and Server2.
A. Yes
B. No
ANSWER: A
Explanation:
References:
https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx
QUESTION NO: 104

the review screen.
Your network contain an Active Directory domain named contoso.com. The domain contains a computer named Computer1
that runs Windows 10. Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Windows Firewall with Advanced Security, you create an inbound rule.
A. Yes
B. No
ANSWER: A
Explanation:
References:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-
2008/dd421709(v=ws.10)#what-is-an-inbound-rule
HOTSPOT
Your network contains an Active Directory domain. The domain contains the computers shown in the following table.
Server1 is a file server that has two shared folders named Share1 and Share2. Share1 has encryption enabled. Share2 has
encryption disabled. Domain users have read access to both shares.
From PowerShell, you run Set-SmbServerConfiguration –EncryptData $true –Force.
Hot Area:

ANSWER:
Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/smbshare/set-smbserverconfiguration?view=win10-ps
https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-security
HOTSPOT
Your data center contains 10 Hyper-V hosts that host 100 virtual machines.
You plan to secure access to the virtual machines by using the Datacenter Firewall service.
You have four servers available for the Datacenter Firewall service. The servers are configured as shown in the following
table.

You need to install the required server roles for the planned deployment.
Which server role should you deploy? To answer, select the appropriate options in the answer area.
Hot Area:
ANSWER:
Explanation:

References:
https://docs.microsoft.com/en-us/windows-server/networking/sdn/plan/installation-and-preparation-requirements-for-
deploying-network-controller
https://docs.microsoft.com/en-us/windows-server/networking/sdn/technologies/network-controller/install-the-network-
controller-server-role-using-server-manager
QUESTION NO: 107
following table.
Solution: You run the Enable-BitLocker cmdlet.
A. Yes
B. No
ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlocker?view=win10-ps
QUESTION NO: 108

Solution: You deploy one physical computer and configure it as Hyper-V host that runs Windows Server 2016. You create 10
virtual machines and configure each one as a
PAW.
A. Yes
B. No
ANSWER: B
Explanation:
workstations
QUESTION NO: 109
Your network contains an Active Directory forest named Corp. The forest functional level is Windows Server 2016.
You deploy a new forest named Priv and set the forest functional level to Windows Server 2016.
You need to implement Privileged Access Management (PAM).
What should you do next?
A. Install Microsoft Identity Manager (MIM) on a server in the Priv forest.
B. Install Microsoft Identity Manager (MIM) in the Corp forest.
C. Create shadow accounts in the Priv forest.
D. Create shadow accounts in the Corp forest.

ANSWER: C
Explanation:
References: https://www.petri.com/windows-server-2016-set-privileged-access-management
QUESTION NO: 110
and Server2. The domain has Dynamic Access Control enabled.
Server1 contains a folder named C:\Folder1. Folder1 is shared as Share1.

You need to audit all access to the contents of Folder1 from Server2. The solution must minimize the number of event log
entries.
Which two audit policies should you enable on Server1? Each correct answer presents part of the solution.
A. Global Object Access- File System
B. Object Access – Audit Detailed File Share
C. Object Access – Audit Other Object Access Events
D. Object Access – Audit File System
E. Object Access – Audit File Share

ANSWER: BE
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
QUESTION NO: 111
Your network contains an Active Directory domain named contoso.com. The domain contains 10 computers that are in an
organizational unit (OU) named OU1.
You deploy the Local Administrator Password Solution (LAPS) client to the computers. You link a Group Policy object (GPO)
named GPO1 to OU1, and you configure the LAPS password policy settings in GPO1.
You need to ensure that the administrator passwords on the computers in OU1 are managed by using LAPS.
A. Enable LDAP encryption on the domain controllers.
B. Restart the computers.
C. Modify the permissions on OU1.
D. Restart the domain controller that hosts the PDC emulator role.
E. Update the Active Directory Schema.

ANSWER: CE
Explanation:
References: https://www.techrepublic.com/article/pro-tip-securing-windows-local-administrator-password-with-laps/

QUESTION NO: 112
Your network contains an internal network and a perimeter network. The internal network contains an Active Directory forest
named contoso.com.
You deploy five servers to the perimeter network. All of the servers run Windows Server 2016 and are the members of a
workgroup.
You need to apply a security baseline named Perimeter.inf to the servers in the perimeter network.
What should you use to apply Perimeter.inf?
A. System Configuration
B. Microsoft Security Compliance manager (SCM) 4.0
C. Security Templates
D. Local Computer Policy

ANSWER: C
Explanation:
QUESTION NO: 113
You deploy the Host Guardian Service (HGS).
You have several Hyper-V that have older hardware and Trusted Platform Modules (TPMs) version 1.2.
You discover that the Hyper-V hosts cannot start shielded virtual machines.
You need to configure HGS to ensure that the older Hyper-V hosts can host shielded virtual machines.
What should you do?
A. Run the Set-HgsServer cmdlet and specify the –TrustActiveDirectory parameter.
B. Run the Clear-HgsServer cmdlet and specify the –Clustername parameter.
C. Run the Clear-HgsServer cmdlet and specify the –Force parameter.
D. Run the Set-HgsServer cmdlet and specify the –TrustTpm parameter.

ANSWER: A
Explanation:
service-for-shielded-vms/ https://docs.microsoft.com/en-us/powershell/module/hgsserver/set-hgsserver?view=win10-ps
QUESTION NO: 114
You are building a guarded fabric.

You need to configure Admin-trusted attestation.
A. Add-HgsAttestationHostGroup
B. Add-HgsAttestationTpmPolicy
C. Add-HgsAttestationTpmHost
D. Add-HgsAttestationCIPolicy
ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-add-
host-information-for-admin-trusted-attestation
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains multiple servers that run
multiple applications. Domain user accounts are used to authenticate access requests to the servers.
You plan to prevent NTLM from being used to authenticate to the servers.
You start to audit NTLM authentication events for the domain. You need to view all of the NTLM authentication events and to
identify which applications authenticate by using NTLM.
On which computers should you review the event logs and which logs should you review? To answer, select the appropriate
options in the answer area.
Hot Area:
ANSWER:

Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-
audit-ntlm-authentication-in-this-domain https://www.itprotoday.com/windows-78/access-denied-identifying-logon-attempts-
use-disabled-accounts
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2016.
You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence? To answer move the appropriate cmdlets from the list of cmdlets to the
Select and Place:

ANSWER:

Explanation:
References: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-
setting-up-the-host-guardian-service-hgs
QUESTION NO: 117
The Microsoft Advanced Threat Analytics (ATA) Center service is installed on Server1.
The domain contains the users shown in the following table.

You are installing ATA Gateway on Server2.
You need to specify a Gateway Registration account.
Which account should you use?
A. User8
B. User5
C. User7
D. User3
ANSWER: D
Explanation:
References:
HOTSPOT
You plan to deploy three encrypted virtual machines that use Secure Boot. The virtual machines will be configured as shown
in the following table.
How should you protect each virtual machine? To answer, select the appropriate options in the answer area.

Hot Area:
ANSWER:
Explanation:
References:
https://cloudbase.it/hyperv-shielded-vms-part-1/
https://www.itprotoday.com/server-virtualization/difference-between-shielded-vm-and-encryption-supported-vm

QUESTION NO: 119
Your network contains an Active Directory domain named contoso.com. The domain contains multiple servers that run either
Windows Server 2012 or Windows Server 2012 R2.
You plan to implement Just Enough Administration (JEA) to manage all of the servers.
What should you install on each server to ensure that the servers can be managed by using JEA?
A. Remote Server Administration Tools (RSAT)
B. Management Odata Internet Information Services (IIS) Extension
C. Windows Management Framework 5.1
D. Microsoft .NET Framework 3.5 Service Pack 1 (SP1)

ANSWER: C
Explanation:
References: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/prerequisites?view=powershell-6
QUESTION NO: 120
Your company has a marketing department.
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as
shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are
protected by using BitLocker Drive Encryption (BitLocker).

You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named
OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named
GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You need to ensure that you can encrypt the operating system drive of VM1 by using BitLocker.
Which Group Policy should you configure?
A. Configure use of hardware-based encryption for operating system drives
B. Configure TPM platform validation profile for native UEFI firmware configurations
C. Require additional authentication at startup
D. Configure TPM platform validation profile for BIOS-based firmware configurations

ANSWER: C
Explanation:
References: https://www.dell.com/support/article/za/en/zadhs1/sln171842/using-the-group-policy-editor-to-enable-bitlocker-
authentication-in-the-pre-boot-environment-for-windows-7-88-1-10?lang=en
HOTSPOT
Your network contains an Active Directory domain named adatum.com. The domain contains a file server named Server1
You have an organizational unit (OU) named OU1 that contains Server1.
You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1.
A user named User1 is a member of group named Group1. The properties of User1 are shown in the User1 exhibit. (Click
the Exhibit button.)

User1 has permissions to two files on Server1 configured as shown in the following table.

From Auditing Entry for Global File SACL, you configure the advanced audit policy settings in GPO1 as shown in the SACL
exhibit. (Click the Exhibit button.)
Hot Area:
ANSWER:

Explanation:
References: http://sourcedaddy.com/windows-7/auditing-file-and-folder-access.html
QUESTION NO: 122

You enable deep script block logging for Windows PowerShell.
In which event log will PowerShell code that is generated dynamically appear?
A. Applications and Services Logs/Windows PowerShell
B. Windows Logs/Security
C. Applications and Services Logs/Microsoft/Windows/PowerShell/Operational
D. Windows Logs/Application
ANSWER: C
Explanation:
References: https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-7
QUESTION NO: 123
Your network contains an Active Directory Domain named contoso.com. The domain contains 10 servers that run Windows
Server 2016 and 800 client computers that run Windows 10.
You need to configure the domain to meet the following requirements:
Users must be locked out from their computer if they enter an incorrect password twice.
Users must only be able to unlock a locked account by using a one-time password that is sent to their mobile phone.
You deploy all the components of Microsoft Identity Manager (MIM) 2016.
Which three actions should you perform before you deploy the MIM add-ins and extensions? Each correct answer presents
part of the solution.
A. Deploy a Multi-Factor Authentication provider and copy the required certificates to the MIM server.
B. From a Group Policy object (GPO), configure Public Key Policies.
C. From the MIM Portal, configure the Owner Approval Workflow.
D. Deploy a Multi-Factor Authentication provider and copy the required certificates to the client computers.
E. From the MIM Portal, configure the Password Reset AuthN Workflow.
F. From a Group Policy object (GPO), configure Security Settings.

ANSWER: AEF
Explanation:
References: https://docs.microsoft.com/en-us/microsoft-identity-manager/working-with-self-service-password-reset

QUESTION NO: 124
You have a server named Server1.
You need to configure Windows Defender to perform a full scan every day at 21:00.
What should you do?
A. From Control Panel, configure the Security and Maintenance settings
B. Run the Set-ScheduledJob cmdlet
C. From the Setting app, modify the Windows Defender settings
D. Run the Set-MpPreference cmdlet

ANSWER: D
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=win10-ps
QUESTION NO: 125

You need to create a Role Capability file on Server3. Which file should you create?
A. File1.ini
B. File1.ps1
C. File1.xml
D. File1.psrc
ANSWER: D
Explanation:
References: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/role-capabilities?view=powershell-7
QUESTION NO: 126
Windows Defender on Server1 has the following configurations.

Server1 has the following files:
C:\Folder1\File1.exe C:\Folder2\File2.bat
C:\Folder2\File3.com
Which files will be scanned for malware?
A. File1.exe and File3.com only
B. File2.bat only
C. File1.exe, File2.bat, and File3.com
D. File1.exe only
E. File2.bat and File3.com only
F. File3.com only
ANSWER: E
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-
exclusions-windows-defender-antivirus
QUESTION NO: 127

You need to ensure that you can deploy a shielded virtual machine to Server4.
Which server role should you deploy?
A. Hyper-V
B. Device Health Attestation
C. Network Controller
D. Host Guardian Service

ANSWER: D
Explanation:
HOTSPOT
A user named User1 is a member of the local Administrators group.
Server1 has the AppLocker rules configured as shown in the exhibit. (Click the Exhibit button.) Exhibit:
Rule1 and Rule2 are configured as shown in the following table.

You verify that User1 is unable to run App2.exe on Server1.
Which changes will allow User1 to run D:\Folder1\Program.exe and D:\Folder2\App2.exe? To answer select the appropriate
options in the answer area.
Hot Area:
ANSWER:
Explanation:

References: https://technet.microsoft.com/en-us/library/ee449492(v=ws.11).aspx
HOTSPOT
You are implementing Privileged Access Management (PAM) for an Active Directory forest named contoso.com.
You install a bastion forest named adatum.com, and you establish a trust between the forests.
You need to create a group in contoso.com that will be used by Microsoft Identity Manager to create groups in adatum.com.
How should you configure the group? To answer, select the appropriate options in the answer area.
Hot Area:
ANSWER:

Explanation:
References: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
DRAG DROP
You configure Just Enough Administration (JEA).
You need to ensure that a non-administrator user can perform the following actions:
Restart Internet Information Services (IIS)
Restart a custom service named Service1.
How should you complete the role configuration file? To answer, select the appropriate options in the answer area.
Select and Place:
ANSWER:

Explanation:
References:
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
HOTSPOT

You need to create an Encrypting File System (EFS) data recovery certificate and then add the certificate as an EFS data
recovery agent on Server5.
What should you use on Server5? To answer, select the appropriate options in the answer area.
Hot Area:
ANSWER:
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-
an-efs-dra-certificate https://www.rootusers.com/configure-efs-recovery-agent/
QUESTION NO: 132

You implement the Host Guardian Service (HGS) configured for admin-trusted attestation.
You install the Hyper-V server role on Server1.
You need to add Server1 to the guarded hosts.
What should you do?
A. On Server1, install the Host Guardian Hyper-V Support feature and a computer certificate from a trusted certification
authority (CA).
B. On Server1, install the Device Health Attestation server role and a computer certificate from a trusted certification
authority (CA).
C. Install the Host Guardian Hyper-V Support feature on Server1 and add Server1 to a domain security group.
D. Install the Device Health Attestation server role on Server1 and add Server1 to a domain security group.
ANSWER: C
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-guarded-
host-prerequisites https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-
admin-trusted-attestation-creating-a-security-group
QUESTION NO: 133
Your network contains an Active Directory domain named contoso.com. The domain contains an organizational unit (OU)
named OU1.
OU1 contains a server named Server1. The properties of Server1 are shown in the Server1 exhibit. (Click the Server1 tab.)

You create a Group Policy object (GPO) linked to OU1. You configure the GPO as shown in the LAPS exhibit. (Click the
LAPS tab.)
You need to ensure that the password of the local Administrator of Server1 is managed by using Local Administrator
Password Solution (LAPS).
A. Reset-AdmPwdPassword
B. Set-AdmPwdComputerSelfPermission

C. Update-AdmPwdADschema
D. Set-AdmPwdResetPasswordPermission
ANSWER: C
Explanation:
References:
http://techgenix.com/deploying-laps/
QUESTION NO: 134
TCP port 8080.
Solution: You run the New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound -LocalPort 8080 -Protocol TCP -Action
Allow -Profile Domain command.
A. Yes
B. No
ANSWER: B
Explanation:
HOTSPOT
Your network contains an Active Directory forest named contoso.com.
The forest has Microsoft Identity Manager (MIM) 2016 deployed.
You implement Privileged Access Management (PAM).
You need to request privileged access from a client computer in contoso.com by using PAM.

How should you complete the Windows PowerShell script? To answer, select the appropriate options in the answer area.
Hot Area:
ANSWER:
Explanation:
References:
https://technet.microsoft.com/en-us/library/mt604089.aspx https://technet.microsoft.com/en-us/library/mt604084.aspx
QUESTION NO: 136
A technician is testing the deployment of Credential Guard on Server1.
You need to verify whether Credential Guard is enabled on Server1.

What should you do?
A. From a command prompt, run the credwiz.exe command.
B. From Task Manager, review the processes listed on the Details tab.
C. From Server Manager, click Local Server, and review the properties of Server1.
D. From Windows PowerShell, run the Get-WsManCredSSP cmdlet.
E. From a command prompt, run the tsecimp.exe command.
F. From Control Panel, open Credential Manager, and review the list of Windows Credentials.
ANSWER: B
Explanation:
References: https://yungchou.wordpress.com/2016/10/10/credential-guard-made-easy-in-windows-10-version-1607/
QUESTION NO: 137
Dynamic Access Control is configured. A resource property named Property1 was created in the domain.
You need to ensure that Property1 is set to a value of Big for all of the files in Volume1 that are larger than 10 MB.
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer

ANSWER: H
Explanation:

HOTSPOT
You run the Windows PowerShell commands as shown in the following exhibit.
the graphic.
Hot Area:
ANSWER:
Explanation:
service-for-shielded-vms/ https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-
fabric-troubleshoot-hgs
QUESTION NO: 139

Solution: From Windows Firewall in the Control Panel, you add an application and allow the application to communicate
through the firewall on a Private network.
A. Yes
B. No
ANSWER: B
Explanation:
References: http://www.online-tech-tips.com/windows-10/adjust-windows-10-firewall-settings/
QUESTION NO: 140
TCP port 8080.
Solution: You run the New-NetFirewallRule –DisplayName "Rule1" –Direction Inbound –Program "D:\Apps\App1.exe" –
Action Allow -Profile Domain command.
A. Yes

B. No
ANSWER: A
Explanation:
QUESTION NO: 141
the review screen.
Your network contains an Active Directory domain named contoso.com. All client computers run Windows 10.
You plan to deploy a Remote Desktop connection solution for the client computers.
You have four available servers in the domain that can be configured as Remote Desktop servers. The servers are

You need to ensure that all Remote Desktop connections can be protected by using Remote Credential Guard.
Solution: You deploy the Remote Desktop connection solution by using Server1.
A. Yes
B. No
ANSWER: B
Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard
QUESTION NO: 142
All DNS servers host an Active Directory-integrated zone for the domain that is DNSSEC-signed. All the DNS servers have a
trust anchor installed for a DNS zone named fabrikam.com.
For all the computers in the domain, you configure a name resolution policy that enforces DNSSEC validation for the
contoso.com and fabrikam.com DNS namespaces.
You need to verify whether the trust anchor is valid.
What should you do?
A. On a domain-joined computer, run Resolve-DnsName to query a DNS server that hosts the fabrikam.com zone for a DNS
record in the fabrikam.com zone.
B. On a domain-joined computer, run Resolve-DnsName to query a domain controller for a DNS record in the fabrikam.com
zone.
C. On a domain-joined computer, run Get-DnsServerZone.
D. On a domain controller, run Get-DnsServerDnsZoneSetting.

ANSWER: A
Explanation:
References:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-
2012/dn593652(v%3Dws.11)
QUESTION NO: 143
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named
Server5 that runs Windows Server 2016.
You need to configure Server5 as a Just Enough Administration (JEA) endpoint.
A. Generate a random Globally Unique Identifier (GUID).
B. Create and export a Windows PowerShell session.
C. Create and register a session configuration file.
D. Deploy Microsoft Identity Manager (MIM) 2016.
E. Create a maintenance Role Capability file.

ANSWER: CE
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/jea/session-configurations https://docs.microsoft.com/en-us/powershell/jea/role-
capabilities
HOTSPOT
host named Server1. Server1 is a member of a group named HyperHosts. Adatum.com contains a server named Server2.
Server1 and Server2 run Windows Server 2016.
You plan to deploy shielded virtual machines to Server1 and to configure Admin-trusted attestation on Server2.
in the answer area.
Hot Area:

ANSWER:
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-admin-trusted-
attestation-creating-a-security-group
QUESTION NO: 145
You configure Just Enough Administration (JEA) on Server1.
When will JEA limit the tasks that can be performed on Server1?
A. when you run winrs.exe and specify Server1 as the remote endpoint
B. when you run psexec.exe and specify \\Server1 as the remote system

C. when you run Enter-PSSession and specify Server1 and the –ComputeName parameter
D. when establishing a Remote Desktop connection to Server1

ANSWER: D
Explanation:
References:
https://www.red-gate.com/simple-talk/sysadmin/powershell/powershell-just-enough-administration/
QUESTION NO: 146
Your network contains two Active Directory forests named corp.contoso.com and priv.contoso.com. Both forests have only a
single domain. The priv.contoso.com domain contains a server named Server1 that runs Windows Server 2016.
You install Microsoft Identity Manager (MIM) 2016 on Server1.
You plan to deploy MIM-based Privileged Access Management (PAM) between the two forests.
You run New-PAMTrust in the priv.contoso.com domain.
You need to configure the trust relationship between the forests to support the PAM deployment.
Which three settings should you configure for the trust? Each correct answer presents part of the solution.
A. quarantine to no
B. enablesidhistory to yes
C. transitive to no
D. enablepimtrust to yes
E. foresttransitive to no
ANSWER: ABD
Explanation:
References:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corp-forests
QUESTION NO: 147

You need to ensure that you can view Windows PowerShell code that was generated dynamically and executed on the
computers in OU1.
What should you configure in GP1?
A. Object Access/Audit Application Generated from the advanced audit policy
B. Turn on PowerShell Script Block Logging from the PowerShell settings
C. Turn on Module Logging from the PowerShell settings
D. Object Access/Audit Other Object Access Events from the advanced audit policy
ANSWER: B
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/wmf/whats-new/script-logging
QUESTION NO: 148
You have several virtual machines that run in a hosted data center on Hyper-V hosts.

The hosting provider recently updated the service offering in its Hyper-V environment to include a new Host Guardian
Service (HSG).
You plan to use the Shielding Data File Wizard to create a data file that will include password information and an RDP file.
The file will be used to create new shielded virtual machines in the fabric of the hosting provider.
What do you require from the hosting provider to complete the wizard?
A. an XML file that contains the names of all the Hyper-V hosts in the fabric.
B. an XML file that contains virtual machine configuration data from the Hyper-V hosts
C. a CER file that contains a certificate from the provider
D. an XML file that contains guardian metadata

ANSWER: D
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-tenant-creates-
shielding-data
DRAG DROP
You have two servers named Server1 and Server2 that run Windows Server 2016 and are in a workgroup. Server1 is used
as a reference computer to configure the security baseline for the other computers in the workgroup.
You need to apply the Group Policy computer settings of Server1 to Server2.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the
Select and Place:
ANSWER:

Explanation:
References:
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
QUESTION NO: 150
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012.
All servers run Windows Server 2016.
You create a new bastion forest named admin.contoso.com. The forest functional level of admin.contoso.com is Windows
Server 2012 R2.
You need to implement a Privileged Access Management (PAM) solution.
A. Raise the forest functional level of admin.contoso.com.
B. Deploy Microsoft Identify Management (MIM) 2016 to admin.contoso.com.
C. Configure contoso.com to trust admin.contoso.com.
D. Deploy Microsoft Identity Management (MIM) 2016 to contoso.com.
E. Raise the forest functional level of contoso.com.
F. Configure admin.contoso.com to trust contoso.com.

ANSWER: BC
Explanation:
References: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/hardware-software-requirements
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
QUESTION NO: 151

Server1 is configured as a domain controller.
You configure Server1 as a Just Enough Administration (JEA) endpoint. You configure the required JEA rights for a user
named User1.
You need to tell User1 how to manage Active Directory objects from Server2.
What should you tell User1 to do first on Server2?
A. From a command prompt, runntdsutil.exe.
B. From Windows PowerShell, run the Import-Module cmdlet.
C. From Windows PowerShell, run the Enter-PSSession cmdlet.
D. Install the management consoles for Active Directory, and then launch Active Directory Users and Computers.
ANSWER: C
Explanation:
References: https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/
QUESTION NO: 152
the review screen.
A. Yes
B. No

ANSWER: A
Explanation:
References:
QUESTION NO: 153
Solution: From Group Policy Management, you create software restriction policy.
A. Yes
B. No
ANSWER: B
Explanation:
References: https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx
HOTSPOT
You have a file server named Server1 that runs Windows Server 2016.
You plan to configure Server1 for Just Enough Administration (JEA).
You need to log all the Windows PowerShell activities that relate to creating and managing storage on Server1.
How should you complete the command? To answer, select the appropriate options in the answer area.

Hot Area:
ANSWER:
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs?view=powershell-5.1
QUESTION NO: 155

Solution: You create a Group Policy object (GPO), you link the GPO to the Servers OU, and then you modify the Users
Rights Assignment in the GPO.
A. Yes
B. No
ANSWER: B
Explanation:
QUESTION NO: 156
You have a guarded fabric and a Host Guardian Service server named HGS1.
You deploy a Hyper-V host named Hyper1, and configure Hyper1 as part of the guarded fabric.
You plan to deploy the first shielded virtual machine.
You need to ensure that you can run the virtual machine on Hyper1.
What should you do?
A. On HGS1, run the Export-HgsKeyProtectionState cmdlet, and then run the Import-HgsGuardian cmdlet.
B. On Hyper1, run the Invoke-WebRequest cmdlet, and then run the Import-HgsGuardian cmdlet.
C. On the virtual machine, retrieve the metadata of the guarded fabric, and then import the metadata.
D. On Hyper1, run the Export-HgsKeyProtectionState cmdlet, and then run the Import-HgsGuardian cmdlet.
ANSWER: B
Explanation:

References: https://blogs.technet.microsoft.com/datacentersecurity/2016/06/06/step-by-step-creating-shielded-vms-without-
vmm/
QUESTION NO: 157
You need to view all of the inbound rules on Server1.
A. Get-NetIPSecRule
ANSWER: B
Explanation:
References: https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=win10-ps
QUESTION NO: 158
You implement Log Analytics in Microsoft Operations Management Suite (OMS) on all servers that run Windows Server
2016.
You need to generate a daily report that identifies which servers restarted during the last 24 hours.
Which query should you use?
A. EventLog:Application EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
B. EventLog:System EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
C. EventLog:System EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
D. EventLog:Application EventId:6009 Type:Event TimeGenerated>NOW+24HOURS

ANSWER: C

Explanation:
You have a Hyper-V host named Server1 that runs Windows Server 2016.
Server1 hosts the virtual machines configured as shown in the following table.
All the virtual machines have two volumes named C and D.
You plan to implement BitLocker Drive Encryption (BitLocker) on the virtual machines.
Which virtual machines can have their volumes protected by using BitLocker? To answer, select the appropriate options in
the answer area.
Hot Area:

ANSWER:

Explanation:
References: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/upgrade-virtual-machine-version-
in-hyper-v-on-windows-or-windows-server http://www.shulerent.com/2012/09/04/locking-down-a-virtual-machine-with-
bitlocker/
QUESTION NO: 160
the review screen.
TCP port 8080.

Solution: You configure an inbound rule that allows the TCP protocol on port 8080 and applies to all profiles.
A. Yes
B. No
ANSWER: B
Explanation:
QUESTION NO: 161
correct for more than one question in the series.
Each question is independent of the other questions in this series. Information and details provided in a question apply only
to that question.
runs Windows Server 2016 and a Nano Server named Nano1.
Nano1 has two volumes named C and D.
You are signed in to Server1.
You need to configure Data Deduplication on Nano1.
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer

ANSWER: C
Explanation:
References: https://technet.microsoft.com/en-us/library/hh831434(v=ws.11).aspx
QUESTION NO: 162

Your network contains an Active Directory domain named contoso.com. The domain contains a certification authority (CA).
You need to implement code integrity policies and sign them by using certificates issued by the CA.
You plan to use the same certificate to sign policies on multiple computers.
You duplicate the Code Signing certificate template and name the new template CodeIntegrity.
How should you configure the CodeIntegrity template?
A. Enable the Allow private key to be exported setting and modify the Key Usage extension.
B. Disable the Allow private key to be exported setting and modify the Application Policies extension.
C. Disable the Allow private key to be exported setting and disable the Basic Constraints extension.
D. Enable the Allow private key to be exported setting and enable the Basic Constraints extension
ANSWER: D
Explanation:
References: https://blogs.technet.microsoft.com/ukplatforms/2017/05/04/create-code-integrity-signing-certificate/
QUESTION NO: 163

All computers receive updates from Server1.
You create an update rule named Update1.
You need to implement BitLocker Network Unlock for all of the laptops. Which server role should you deploy to the network?
A. Host Guardian Service
B. Device Health Attestation
C. Windows Deployment Services
D. Network Controller
ANSWER: C
Explanation:
References: https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock
QUESTION NO: 164
Solution: From Windows PowerShell, you run the Disable-WindowsOptionalFeature cmdlet.
A. Yes
B. No
ANSWER: B
Explanation:
QUESTION NO: 165

You have an organizational unit (OU) named Administration that contains the computer account of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU.
You need to log an event each time an Active Directory cmdlet is executed successfully from Server1.
What should you do?
A. From Advanced Audit Policy in GPO1, configure auditing for directory service changes.
B. Run the Add-NetEventProvider-Name “Microsoft-Active-Directory” –MatchAnyKeyword PowerShell command
C. From Advanced Audit Policy in GPO1, configure auditing for other privilege use events.
D. From Administrative Templates in GPO1, configure a Windows PowerShell policy.

ANSWER: D
Explanation:
References:
https://www.petri.com/enable-powershell-logging
QUESTION NO: 166
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1
You plan to create a subfolder in Share1 for each domain user.
You need to limit each user to using 100 MB of data in their respective subfolder. The solution must enable the users to be
notified when they use 80 percent of the available space in the subfolder.
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer


ANSWER: H
Explanation:
References: https://4sysops.com/archives/file-server-resource-manager-fsrm-part-3-quota-management/
QUESTION NO: 167
Server1 has a generation 2 virtual machine named VM1 that runs Windows 10.
You need to ensure that you can turn on BitLocker Drive Encryption (BitLocker) for drive C on VM1.
What should you do?
A. From the settings of VM1, configure Integration Services
B. From Server1, configure the Enforce drive encryption type on fixed data drives Group Policy setting.
C. From the settings of VM1, enable a Trusted Platform Module(TPM).
D. From the settings of VM1, enable Secure Boot.

ANSWER: C
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-
settings-for-hyper-v
QUESTION NO: 168
Your network contains an Active Directory domain named contoso.com. The domain contains four servers. The servers are
You need to manage FS1 and FS2 by using Just Enough Administration (JEA).
What should you do before you can implement JEA?
A. Install Microsoft.NET Framework 4.6.2 on FS2.

B. Install Microsoft.NET Framework 4.6.2 on FS1.
C. Install Windows Management Framework 5.0 on FS2.
D. Upgrade DC1 to Windows Server 2016.

ANSWER: C
Explanation:
References: https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/
QUESTION NO: 169
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Center on server named Server1 and the ATA Gateway on a server named Server2.
You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?
A. the domain controllers to forward Event ID 4776 to Server2
B. the domain controllers to forward Event ID 1000 to Server1
C. Server2 to forward Event ID 1026 to Server1
D. Server1 to forward Event ID 1000 to Server 2

ANSWER: A
Explanation:
References: http://winrook.blogspot.co.za/2015/12/configuring-windows-event-forwarding.html
QUESTION NO: 170
in the review screen. You deploy Windows Server 2016 to a server named Server1.
Solution: On Server1, you enable the Containers feature, and then you install the Hyper-V server role. You restart the server.
A. Yes
B. No

ANSWER: B
Explanation:
server
QUESTION NO: 171
Server1 has a generation 2 virtual machine named VM1 that runs Windows 10.
You need to ensure that you can turn on BitLocker Drive Encryption (BitLocker) for drive C on VM1.
What should you do?
A. From VM1, configure the require additional authentication at startup Group Policy setting.
B. From the settings of VM1, enable Secure Boot.
C. From Server1, install the BitLocker feature.
D. From VM1, configure the Enforce drive encryption type on fixed data drives Group Policy setting.
ANSWER: A
Explanation:
Reference: https://www.dell.com/support/article/za/en/zadhs1/sln171842/using-the-group-policy-editor-to-enable-bitlocker-
authentication-in-the-pre-boot-environment-forwindows-7-8-8-1-10?lang=en
QUESTION NO: 172

You need to disable SMB 1.0 on Server2.
What should you do?
A. From File Server Resource Manager, create a classification rule.
B. From the properties of each network adapter on Server2, modify the bindings.
C. From Windows PowerShell, run the Set-SmbClientConfiguration cmdlet.
D. From Server Manager, remove a Windows feature.

ANSWER: D
Explanation:
References: https://support.microsoft.com/en-za/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-
windows-vista,-windows-server-2008,-windows-7,-windowsserver-2008-r2,-windows-8,-and-windows-server-2012
QUESTION NO: 173
You deploy a server named Server1 that runs Windows Server 2016. Server1 is in a workgroup.
You need to collect the logs from Server1 by using Log Analytics in Microsoft Operations Management Suite (OMS).
A. Create an event subscription
B. Create a Data Collector-Set
C. Install Microsoft Monitoring Agent on Server1
D. Join Server1 to the domain

ANSWER: C
Explanation:
References: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
HOTSPOT

The hardware configuration on Server1 meets the requirements for Credential Guard.
You need to enable Credential Guard on Server1.
Hot Area:
ANSWER:
Explanation:

References: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage#hardware-
readiness-tool
QUESTION NO: 175
Solution: From Group Policy Management, you create an AppLocker rule.
A. Yes
B. No
ANSWER: B
Explanation:
References: https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx
QUESTION NO: 176
You discover that the members of a group named FinanceAdministartors can view the password of the local Administrator
accounts on the servers in an organizational unit (OU) named FinanceServers.
You need to prevent the FinanceAdministartors members from viewing the local administrators ‘passwords on the servers in
FinanceServers. Which permission should you remove from FinanceAdministartors?
A. all extended rights
B. read all properties
C. read permissions

D. list contents
ANSWER: A
Explanation:
References: https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/
QUESTION NO: 177
A central access policy named Policy1 is deployed to the domain.
You need to apply Policy1 to Volume1.
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer

ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--
demonstration-steps-#BKMK_1.4
QUESTION NO: 178

the review screen.
A. Yes
B. No
ANSWER: B
Explanation:
References:
QUESTION NO: 179
Your network contains an Active Directory domain named contoso.com. The domain contains five servers. All servers run
A new security policy states that you must modify the infrastructure to meet the following requirements: Limit the rights of
administrators.
Minimize the attack surface of the forest.
Support Multi-Factor authentication for administrators.
You need to recommend a solution that meets the new security policy requirements.
What should you recommend deploying?
A. an administrative forest
B. domain isolation

C. an administrative domain in contoso.com
D. the Local Administrator Password Solution (LAPS)

ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-
access-reference-material#ESAE_BM
QUESTION NO: 180
The forest contains 20 member servers that are configured as file servers. All domain controllers run Windows Server 2016.
You create a new forest named contosoadmin.com.
You need to use the Enhanced Security Administrative Environment (ESAE) approach for the administration of the resources
in contoso.com.
A. Configure contoso.com to trust contosoadmin.com.
B. From the properties of the trust, enable selective authentication.
C. Configure contosoadmin.com to trust contoso.com.
D. From the properties of the trust, enable forest-wide authentication.
E. Configure a two-way trust between both forests.

ANSWER: AB
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-
access-reference-material#esae-administrative-forest-designapproach
QUESTION NO: 181

You plan to implement BitLocker Drive Encryption (BitLocker) on the operating system volumes of the application servers.
You need to ensure that the BitLocker recovery keys are stored in Active Directory.
Which Group Policy setting should you configure?
A. System cryptography: Force strong key protection for user keys stored on the computer
B. Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
C. System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
D. Choose how BitLocker-protected operating system drives can be recovered.

ANSWER: B
Explanation:
References: https://technet.microsoft.com/en-us/library/jj679890(v=ws.11).aspx#BKMK_rec3
QUESTION NO: 182
You plan to run shielded virtual machines.
You are implementing TPM attestation mode for a guarded fabric.
You create a Code Integrity policy named Integrity1.xml.
You need to ensure that you can apply the Code Integrity policy to Hyper-V hosts.
A. Add-SignerRule
B. Add-HgsAttestationTpmHost

C. Set-HVCIOptions
D. ConvertFrom-CIPolicy
ANSWER: B
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-tpm-
trusted-attestation-capturing-hardware#create-and-apply-a-codeintegrity-policy
QUESTION NO: 183
Solution: You create a Group Policy object (GPO), link it to the Operations Users OU, and modify the Users Rights
Assignment in the GPO.
A. Yes
B. No
ANSWER: B
Explanation:
QUESTION NO: 184
The forest contains a single domain. The domain contains multiple Hyper-V hosts.

You plan to deploy guarded hosts.
You deploy a new server named Server22 to a workgroup.
You need to configure Server22 as a Host Guardian Service server.
What should you do before you initialize the Host Guardian Service on Server22?
A. Install the Active Directory Domain Services server role on Server22.
B. Obtain a certificate.
C. Raise the forest functional level.
D. Join Server22 to the domain.

ANSWER: D
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-
prepare-for-hgs#prerequisites-for-the-host-guardian-service
QUESTION NO: 185
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named FS1 that
runs Windows Server 2016. FS1 has a share named SecureFolder.
You need to track all users who access the contents of SecureFolder.
A. From the Default Domain Controller Group Policy object (GPO), enable Audit object access.
B. From File Explorer, modify the Advanced security settings of SecureFolder.
C. From File Explorer, modify the Advanced sharing settings of SecureFolder.
D. Create a Group Policy object (GPO) and enable Audit object access.
ANSWER: BD
Explanation:
References:
https://www.rootusers.com/configure-file-access-auditing-in-windows-server-2016/
QUESTION NO: 186
You download Microsoft Security Compliance Toolkit 1.0 and all the security baselines.

You need to deploy one of the security baselines to all the computers in an organizational unit (OU) named OU1.
What should you do?
A. Run 1gpo.exe and specify the /g parameter. From Policy Analyzer, click Add.
B. From Group Policy Management, create and link a Group Policy object (GPO). Select the GPO and run the Import
Settings Wizard.
C. From Group Policy Management, click Group Policy Objects, and then click Manage Backups…
D. From Group Policy Management, create and link a Group Policy object (GPO). Run 1gpo.exe and specify the /g
parameter.
ANSWER: B
Explanation:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-
using-group-policy
QUESTION NO: 187
You implement Just Enough Administration (JEA) on several file servers that run Windows Server 2016. The Role Capability
file from a server named Server5 contains the following code.
Which action can be performed by a user who connects to Server5?
A. View the NTFS permissions of any folder.
B. Stop any process.
C. Create a new file share.
D. Modify the properties of any share.

ANSWER: D
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/role-capabilities?view=powershell-7
https://technet.microsoft.com/en-us/itpro/powershell/windows/smbshare/set-smbshare

HOTSPOT
Your network contains an Active Directory named contoso.com
The domain contains the computers configured as shown in the following table.
Server1 has a share named Share1 that has the following configurations.
Server1, Computer1, and Computer2 have the connection security rules configured as shown in the exhibit. (Click the Exhibit
button.) Exhibit:

Hot Area:
ANSWER:
Explanation:
QUESTION NO: 189

the review screen.
A. Yes
B. No
ANSWER: B
Explanation:
References:
HOTSPOT
Your network contains several Windows container hosts.
You plan to deploy three custom .NET applications.
You need to recommend a deployment solution for the applications. Each application must:
Be accessible by using a different IP address.
Have access to a unique file system. Start as quickly as possible.
What should you recommend? To answer, select the appropriate options in the answer area.
Hot Area:

ANSWER:
Explanation:
References: https://docs.microsoft.com/en-us/dotnet/standard/modernize-with-azure-and-containers/modernize-existing-
apps-to-cloud-optimized/deploy-existing-net-apps-as-windowscontainers
https://blogs.msdn.microsoft.com/msgulfcommunity/2015/06/20/what-is-windows-server-containers-and-hyper-v-containers/
QUESTION NO: 191
Your network contains an Active Directory forest named contoso.com. The forest contains three domains. All domain
controllers run Windows Server 2016.
You deploy a second Active Directory forest named admin.contoso.com. The forest contains a domain member server
named Server1. Server1 has Microsoft Identity Manager (MIM) 2016 deployed.
You need to implement Privileged Access Management (PAM) and to use admin.contoso.com as an administrative forest.

A. From Server1, run the New-PAMTrust cmdlet.
B. From a domain controller in contoso.com, run the New-PAMDomainConfiguration cmdlet.
C. From a domain controller in admin.contoso.com, run the New-PAMTrust cmdlet.
D. From a domain controller in contoso.com, run the New-PAMTrust cmdlet.
E. From a domain controller in admin.contoso.com, run the New-PAMDomainConfiguration cmdlet.
F. From Server1, run the New- PAMDomainConfiguration cmdlet.

ANSWER: AF
Explanation:
References: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corp-forests
HOTSPOT
You need to ensure that you can implement the Local Administrator Password Solution (LAPS) for the finance department
computers.

What should you do in the contoso.com forest? To answer, select the appropriate options in the answer area.
Hot Area:
ANSWER:
Explanation:
References: https://learn-powershell.net/2016/10/08/setting-up-local-administrator-password-solution-laps/
QUESTION NO: 193
You create a Microsoft Operations Management Suite (OMS) workspace.
You need to connect several computers directly to the workspace.

Which two pieces of information do you require? Each correct answer presents part of the solution.
A. the ID of the workspace
B. the name of the workspace
C. the URL of the workspace
D. the key of the workspace

ANSWER: AD
Explanation:
References: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
HOTSPOT
You plan to deploy an application named App1.exe.
You need to verify whether Control Flow Guard is enabled for App1.exe.
Which command should you run? To answer, select the appropriate options in the answer area.
Hot Area:
ANSWER:
Explanation:
References: https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
QUESTION NO: 195

Your network contains two single-domain Active Directory forests named contoso.com and contosoadmin.com.
Contosoadmin.com contains all of the user accounts used to manage the servers in contoso.com.
You need to recommend a workstation solution that provides the highest level of protection from vulnerabilities and attacks.
What should you include in the recommendation?
A. Provide a Privileged Access Workstation (PAW) for each user account in both forests. Join each PAW to the contoso.com
domain.
B. Provide a Privileged Access Workstation (PAW) for each user in the contoso.com forest. Join each PAW to the
contoso.com domain.
C. Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contoso.com domain.
D. Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contosoadmin.com domain.
ANSWER: D
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-
workstations
QUESTION NO: 196
Your network has an internal network and a perimeter network. Only the servers on the perimeter network can access the
Internet. You create a Microsoft Operations Management Suite (OMS) instance in Microsoft Azure.
You deploy Microsoft Monitoring Agent to all the servers on both the networks.
You discover that only the servers on the perimeter network report to OMS.
You need to ensure that all the servers report to OMS.
What should you do?
A. Install a Web Application Proxy on the perimeter network and install an OMS Gateway on the internal network. Publish the
OMS Gateway from the Web Application Proxy.
B. Install a Web Application Proxy and an OMS Gateway on the perimeter network. Publish the OMS Gateway from the Web
Application Proxy.
C. Configure the network firewalls to allow the internal servers to access the IP addresses of the Azure OMS instance by
using TCP port 443.
D. On the internal servers, run the Add-AzureRmUsageConnect cmdlet and specify the –AdminUri parameter.
ANSWER: A
Explanation:
References: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway

HOTSPOT
You have a client computer named Computer1 that runs Windows 10 Enterprise.
You plan to implement Windows Defender Device Guard.
You enable Device Guard on Computer1, and you create a code integrity policy.
You need to audit the code integrity policy.
What should you do? To answer select the appropriate options in the answer area.
Hot Area:
ANSWER:

Explanation:
References:
https://blogs.technet.microsoft.com/ukplatforms/2017/04/04/getting-started-with-windows-10-device-guard-part-1-of-2/#audit-
policies
QUESTION NO: 198
You need to view the password of the local administrator of a server named Server5.
A. Computer Management
B. Accounts from the Settings app
C. Server Manager
D. Active Directory Users and Computers

ANSWER: D
Explanation:
References: https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-
lapsimplementation-hints-and-security-nerd-commentaryincludingminithreat-model/
QUESTION NO: 199
You enable and configure PowerShell Script Block Logging.
You need to view which script blocks were executed by using Windows PowerShell scripts.
What should you do?
A. Open the log files in %LocalAppData%\Microsoft\Windows\PowerShell
B. View the Microsoft-Windows-PowerShell/Operational event log
C. View the Windows PowerShell event log
D. Open the log files in %SYSTEMROOT%/Logs

ANSWER: B
Explanation:
References: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script

QUESTION NO: 200
Your network contains several secured subnets that are disconnected from the Internet.
One of the secured subnets contains a server named Server1 that runs Windows Server 2016.
You implement Log Analytics in Microsoft Operations Management Suite (OMS) for the servers that connect to the Internet.
You need to ensure that Log Analytics can collect logs from Server1.
A. Install Microsoft Monitoring Agent on Server1.
B. Install the OMS Log Analytics Forwarder on Server1.
C. Create a scheduled task on Server1.
D. Install the OMS Log Analytics Forwarder on a server that has Internet connectivity.
E. Create an event subscription on a server that has Internet connectivity.

ANSWER: AE
Explanation:
References: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway
QUESTION NO: 201
Solution: From a Group Policy, you configure the Security Options.
A. Yes
B. No
ANSWER: A
Explanation:

QUESTION NO: 202
You need to ensure that AppLocker rules will apply to the marketing department computers. What should you do?
A. From the properties of OU2, modify the COM+ partition Set.
B. In GP2, configure the Startup type for the Application Identity service.
C. In GP2, configure the Startup type for the Application Management service.
D. From the properties of OU2, modify the Security settings.

ANSWER: B
Explanation:
References: https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-application-identity-service

HOTSPOT
You have Hyper-V hosts that each has a Software Defined Networking (SDN) deployment. The network uses a virtual subnet
of 192.168.0.0/24.
You create an access control list (ACL) and apply the ACL to the virtual subnets shown in the following table.
the table.
Hot Area:
ANSWER:
Explanation:
References:

https://docs.microsoft.com/en-us/windows-server/networking/sdn/manage/use-acls-for-traffic-flow


Microsoft 70-744 203q

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Microsoft 70-744 203q

Hochgeladen von

Copyright:

Verfügbare Formate

Securing Windows Server 2016

Your network contains an Active Directory domain named contoso.com.

A. Modify the membership of Group3.

B. Modify the membership of Group2.

C. Modify the membership of Group1.

D. Modify the membership of Group4.

E. In GPO1, modify the Allow log on locally user right.

DumpsArena - Pass Your Next Certification Exam Fast!

You deploy Windows Server 2016 to a server named Server1.

Does this meet the goal?

You import the Active Directory module to Server1.

DumpsArena - Pass Your Next Certification Exam Fast!

B. Run the(Get-Module ActiveDirectory).LogPipelineExecutionDetails = $falsecommand.

C. Run the(Get-Module ActiveDirectory).LogPipelineExecutionDetails = $truecommand.

E. From Administrative Templates in GPO1, configure an Event Logging policy.

The domain contains the users shown in the following table.

You are installing ATA Gateway on Server2.

You need to specify a Gateway Registration account.

Which account should you use?

DumpsArena - Pass Your Next Certification Exam Fast!

User1 runs whoami/claims and receives the following output.

What should you do?

C. From Active Directory Administrative Center, add a claim type.

QUESTION NO: 7 - DRAG DROP

Your network contains an Active Directory domain named contoso.com.

You plan to implement encryption on a file server named Server1.

Server1 has TPM 2.0 and uses Secure Boot.

Server1 has the volumes configured as shown in the following table.

DumpsArena - Pass Your Next Certification Exam Fast!

G. The solution must use the highest level of security possible.

NOTE: Each correct selection is worth one point.

Select and Place:

DumpsArena - Pass Your Next Certification Exam Fast!

The network uses the 172.16.0.0/16 address space.

Does this meet the goal?

QUESTION NO: 9 - HOTSPOT

You need to configure Windows Defender to meet the following requirements:

NOTE: Each correct selection is worth one point.

DumpsArena - Pass Your Next Certification Exam Fast!

DumpsArena - Pass Your Next Certification Exam Fast!

Which audit policy setting should you configure in the GPO?

A. File system in Global Object Access Auditing

B. Audit Detailed File Share

C. Audit Other Account Logon Events

DumpsArena - Pass Your Next Certification Exam Fast!

How should you configure the session configuration file?

A. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.

B. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.

C. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Network Configuration Operators.

D. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Network Configuration Operators.

You have a server named Server1.

What should you configure?

A. protected event logging

B. script block logging

DumpsArena - Pass Your Next Certification Exam Fast!

What should you do?

A. On FinanceServer5, register AdmPwd.dll.

B. On FinanceServer5, install the LAPS Windows PowerShell module.

FS1 has the shared folders shown in the following table.

What should you do?

DumpsArena - Pass Your Next Certification Exam Fast!

Your network contains an Active Directory domain.

You plan to implement Dynamic Access Control.

NOTE: Each correct selection is worth one point.