Vendor: Microsoft
Exam Code: 70-744
Exam Name: Securing Windows Server 2016
Version: 18.071
Get Latest & Actual 70-744 Exam's Question and Answers from Passleader.
http://www.passleader.com
QUESTION 1
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
Server1 has a volume named Volume1.
Dynamic Access Control is configured. A resource property named Property1 was created in the
domain.
You need to ensure that Property1 is set to a value of Big for all of the files in Volume1 that are
larger than 10 MB.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: H
Explanation:
In FSRM, "Large Files" creates a list of files conforming to a specified file spec that are a
specified size or larger.
QUESTION 2
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016. The forest contains 2,000 client computers that run
Windows 10.
All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs).
The solution must ensure that administrators can access several client applications used by all
users.
Solution: You deploy 10 physical computers and configure each one as a virtualization host.
You deploy the operating system on each host by using the customized Windows image.
On each host you create a guest virtual machine and configure the virtual machine as a PAW.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
QUESTION 3
Your network contains an Active Directory forest named contoso.com.
The forest functional level is Windows Server 2012. All servers run Windows Server 2016.
You create a new bastion forest named admin.contoso.com.
The forest functional level of admin.contoso.com is Windows Server 2012 R2.
You need to implement a Privileged Access Management (PAM) solution.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Raise the forest functional level of admin.contoso.com.
B. Deploy Microsoft Identity Management (MIM) 2016 to admin.contoso.com.
C. Configure contoso.com to trust admin.contoso.com.
D. Deploy Microsoft Identity Management (MIM) 2016 to contoso.com.
E. Raise the forest functional level of contoso.com.
F. Configure admin.contoso.com to trust contoso.com.
Answer: AC
Explanation:
Bastion forests should always be upgraded to the current version; it defeats the purpose otherwise.
You need a one-way transitive trust from your production forest to your bastion forest.
QUESTION 4
Your network contains an Active Directory domain named contoso.com.
The domain contains 1,000 client computers that run Windows 8.1 and 1,000 client computers
that run Windows 10.
You deploy a Windows Server Update Services (WSUS) server.
You create a computer group for each organizational unit (OU) that contains client computers.
You configure all of the client computers to receive updates from WSUS.
You discover that all of the client computers appear in the Unassigned Computers computer
group in the Update Services console.
You need to ensure that the client computers are added automatically to the computer group that
corresponds to the location of the computer account in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From Group Policy objects (GPOs), configure the Enable client-side targeting setting.
B. From the Update Services console, configure the Computers option.
C. From Active Directory Users and Computers, create a domain local distribution group for each
WSUS computer group.
D. From Active Directory Users and Computers, modify the flags attribute of each OU.
E. From the Update Services console, run the WSUS Server Configuration Wizard.
Answer: AB
Explanation:
https://technet.microsoft.com/en-us/library/dd252762.aspx
https://technet.microsoft.com/en-us/library/cc720433(v=ws.10).aspx
QUESTION 5
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a shared folder named Share1.
You need to encrypt the contents of Share1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
You can encrypt files from Server Manager > File and Storage Services > Shares > properties of
the folder and then Settings; there is an Encrypt data access check box, which is unchecked by default.
QUESTION 6
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that you can deploy a shielded virtual machine to Server4.
Which server role should you deploy?
A. Hyper-V
B. Device Health Attestation
C. Network Controller
D. Host Guardian Service
Answer: D
Explanation:
A guarded fabric consists of:
- 1 Host Guardian Service (HGS)
- 1 or more guarded hosts (in this case Server4)
- A set of shielded VMs
https://technet.microsoft.com/en-us/windows-server-docs/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms
QUESTION 7
Your network contains an Active Directory domain named contoso.com.
The domain contains four servers.
The servers are configured as shown in the following table.
You need to manage FS1 and FS2 by using Just Enough Administration (JEA).
What should you do before you can implement JEA?
A. Install Microsoft .NET Framework 4.6.2 on FS2.
B. Install Microsoft .NET Framework 4.6.2 on FS1.
C. Install Windows Management Framework 5.0 on FS2.
D. Upgrade FS2 to Windows Server 2016.
Answer: C
Explanation:
JEA is incorporated into Windows Server 2016 and Windows 10, and is also incorporated into
Windows Management Framework 5.0, which you can download and install on computers
running Windows Server 2012 R2.
QUESTION 8
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA).
You create a user named User1.
You need to configure the user account of User1 as a Honeytoken account.
Which information must you use to configure the Honeytoken account?
A. the SAM account name of User1
B. the Globally Unique Identifier (GUID) of User1
C. the SID of User1
D. the UPN of User1
Answer: C
Explanation:
To configure a Honeytoken user you will need the SID of the user account, not the user name.
https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/working-with-detection-settings
QUESTION 9
Your network contains two single-domain Active Directory forests named contoso.com and
contosoadmin.com.
Contosoadmin.com contains all of the user accounts used to manage the servers in contoso.com.
You need to recommend a workstation solution that provides the highest level of protection from
vulnerabilities and attacks.
What should you include in the recommendation?
A. Provide a Privileged Access Workstation (PAW) for each user account in both forests.
Join each PAW to the contoso.com domain.
B. Provide a Privileged Access Workstation (PAW) for each user in the contoso.com forest.
Join each PAW to the contoso.com domain.
C. Provide a Privileged Access Workstation (PAW) for each administrator.
Join each PAW to the contoso.com domain.
D. Provide a Privileged Access Workstation (PAW) for each administrator.
Join each PAW to the contosoadmin.com domain.
Answer: D
Explanation:
Dedicated administrative forests allow organizations to host administrative accounts,
workstations, and groups in an environment that has stronger security controls than the
production environment.
https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM
QUESTION 10
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of
the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to disable SMB 1.0 on Server2.
What should you do?
A. From File Server Resource Manager, create a classification rule.
B. From the properties of each network adapter on Server2, modify the bindings.
C. From Windows PowerShell, run the Set-SmbClientConfiguration cmdlet.
D. From Server Manager, remove a Windows feature.
Answer: C
Explanation:
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
QUESTION 11
Your network contains an Active Directory domain named contoso.com.
The domain contains 1,000 client computers that run Windows 10.
A security audit reveals that the network recently experienced a Pass-the-Hash attack.
The attack was initiated from a client computer and accessed Active Directory objects restricted
to the members of the Domain Admins group.
You need to minimize the impact of another successful Pass-the-Hash attack on the domain.
What should you recommend?
A. Instruct all users to sign in to a client computer by using a Microsoft account.
B. Move the computer accounts of all the client computers to a new organizational unit (OU).
Remove the permissions to the new OU from the Domain Admins group.
C. Instruct all administrators to use a local Administrators account when they sign in to a client
computer.
D. Move the computer accounts of the domain controllers to a new organizational unit (OU).
Remove the permissions to the new OU from the Domain Admins group.
Answer: A
Explanation:
For this question, the best answer would be to log in using a Microsoft account. The Windows
Hello service uses a virtual LSASS that is protected from caching credentials, but that is only for
Windows 10 with Fall Creators Update 1607 or Server 2016, which the question does not mention.
Again, this question is missing one of the possible choices, which was the correct answer. Without
that choice, the next best answer would be to use a Microsoft account with Windows 10 along with
update 1607, which added LSASS virtualization.
QUESTION 12
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to exclude D:\Folder1 on Nano1 from being scanned by Windows Defender.
Which cmdlet should you run?
A. Set-StorageSetting
B. Set-FsrmFileScreenException
C. Set-MpPreference
D. Set-DtcAdvancedSetting
Answer: C
Explanation:
-ExclusionPath: Specifies an array of file paths to exclude from scheduled and real-time
scanning.
You can specify a folder to exclude all the files under the folder.
https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
QUESTION 13
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that the marketing department computers validate DNS responses from
adatum.com.
Which setting should you configure in the Computer Configuration node of GP1?
A. TCPIP Settings from Administrative Templates
B. Connection Security Rule from Windows Settings
C. DNS Client from Administrative Templates
D. Name Resolution Policy from Windows Settings
Answer: D
Explanation:
The NRPT is a table that contains rules that you can configure to specify DNS settings or special
behavior for names or namespaces. The NRPT can be configured using the Group Policy
Management Editor under Computer Configuration\Policies\Windows Settings\Name Resolution
Policy, or with Windows PowerShell. If a DNS query matches an entry in the NRPT, it is handled
according to settings in the policy. Queries that do not match an NRPT entry are processed
normally.
You can use the NRPT to require that DNSSEC validation is performed on DNS responses for
queries in the namespaces that you specify.
QUESTION 14
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016 and a Nano Server
named Nano1.
Nano1 has two volumes named C and D.
You are signed in to Server1.
You need to configure Data Deduplication on Nano1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
Enable Data Deduplication by using Server Manager
https://technet.microsoft.com/en-us/windows-server-docs/storage/data-deduplication/install-enable
QUESTION 15
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management you create a software restriction policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The network profiles and the ports can be managed by using advanced Windows Firewall settings;
software restriction policies cannot fulfill the need.
QUESTION 16
Your network contains an Active Directory domain named contoso.com.
The domain contains five file servers that run Windows Server 2016.
You have an organizational unit (OU) named Finance that contains all of the servers.
You create a Group Policy object (GPO) and link the GPO to the Finance OU.
You need to ensure that when a user in the finance department deletes a file from a file server,
the event is logged.
The solution must log only users who have a manager attribute of Ben Smith.
Which audit policy setting should you configure in the GPO?
A. File system in Global Object Access Auditing
B. Audit Detailed File Share
C. Audit Other Account Logon Events
D. Audit File System in Object Access
Answer: A
Explanation:
Only Global Object Access Auditing can read user attributes.
QUESTION 17
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the
following requirements:
- The resources of the applications must be isolated from the physical
host.
- Each application must be prevented from accessing the resources of
the other applications.
- The configurations of the applications must be accessible only from
the operating system that hosts the application.
Solution: You deploy one Windows container to host all of the applications.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Isolation occurs at the container level. Multiple applications in the same container would share the
same resources.
http://windowsitpro.com/windows-server-2016/differences-between-windows-containers-and-hyper-v-containers-windows-server-201
QUESTION 18
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You plan to implement BitLocker Drive Encryption (BitLocker) on the operating system volumes of
the application servers.
You need to ensure that the BitLocker recovery keys are stored in Active Directory.
Which Group Policy setting should you configure?
A. System cryptography: Force strong key protection for user keys stored on the computer
B. Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008
and Windows Vista)
C. System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing
D. Choose how BitLocker-protected operating system drives can be recovered
Answer: D
Explanation:
Answer B is only applicable if using Win 2008 NON R2 Edition. Since it states we are using 2008
R2, the correct answer is D.
QUESTION 19
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016.
All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1, and Server2.
Solution: You add User1 to the Backup Operators group in contoso.com.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
No, Server1 and Server2 use the local group "Backup Operators" for granting backup and restore
rights to normal users.
The solution would instead let User1 back up files and folders on the domain controllers for
contoso.com.
QUESTION 20
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named Administration that contains the computer account
of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1.
You link GPO1 to the Administration OU.
You need to log an event each time an Active Directory cmdlet is executed successfully from
Server1.
What should you do?
A. From Advanced Audit Policy in GPO1 configure auditing for directory service changes.
B. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $false command.
C. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $true command.
D. From Advanced Audit Policy in GPO1 configure auditing for other privilege use events.
Answer: C
QUESTION 21
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2016.
The domain contains a server named Server1 that has Microsoft Security Compliance Manager
(SCM) 4.0 installed.
You export the baseline shown in the following exhibit.
You have a server named Server2 that is a member of a workgroup.
You copy the (2617e9b1-9672-492b-aefa-0505054848c2) folder to Server2.
You need to deploy the baseline settings to Server2.
What should you do?
A. Download, install, and then run the Lgpo.exe command.
B. From Group Policy Management import a Group Policy object (GPO).
C. From Windows PowerShell, run the Restore-GPO cmdlet.
D. From Windows PowerShell, run the Import-GPO cmdlet.
E. From a command prompt run the secedit.exe command and specify the /import parameter.
Answer: A
Explanation:
Server2 is a non-domain joined computer using the GPO pack feature.
Source: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
LGPO.exe replaces the no-longer-maintained LocalGPO tool that shipped with the Security
Compliance Manager (SCM).
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
QUESTION 22
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a shared folder named Share1.
You need to ensure that all access to Share1 uses SMB Encryption.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/dn551363(v=ws.11).aspx
See section "To enable SMB Encryption by using Server Manager"
QUESTION 23
Your network contains an Active Directory forest named contoso.com.
The forest functional level is Windows Server 2012.
The forest contains a single domain.
The domain contains multiple Hyper-V hosts.
You plan to deploy guarded hosts.
You deploy a new server named Server22 to a workgroup.
You need to configure Server22 as a Host Guardian Service server.
What should you do before you initialize the Host Guardian Service on Server22?
A. Install the Active Directory Domain Services server role on Server22.
B. Obtain a certificate.
C. Raise the forest functional level.
D. Join Server22 to the domain.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricchoose-where-to-install-hgs
The only technical requirement for installing HGS in an existing forest is that it be added to the
root domain; non-root domains are not supported.
QUESTION 24
Your network contains an Active Directory domain named contoso.com.
You create a Microsoft Operations Management Suite (OMS) workspace.
You need to connect several computers directly to the workspace.
Which two pieces of information do you require? Each correct answer presents part of the
solution.
A. the ID of the workspace
B. the name of the workspace
C. the URL of the workspace
D. the key of the workspace
Answer: AD
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
QUESTION 25
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), link it to the Operations Users OU, and modify
the User Rights Assignment in the GPO.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Yes, in the "User Rights Assignment" section of a GPO, two settings for assigning backup and
restore user rights are available, as follows:
QUESTION 26
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains
multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the
following requirements:
- The resources of the applications must be isolated from the physical
host.
- Each application must be prevented from accessing the resources of
the other applications.
- The configurations of the applications must be accessible only from
the operating system that hosts the application.
Solution: You deploy a separate Windows container for each application.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
By using Windows containers:
- The resources of the applications must be isolated from the physical host. (ACHIEVED, as a
single container could only access its own resources, but not others)
- Each application must be prevented from accessing the resources of the other applications.
(ACHIEVED, as a single container could only access its own resources, but not others)
- The configurations of the applications must be accessible only from the operating system
that hosts the application. (ACHIEVED, you can use a Dockerfile or docker run to push
configurations to containers from the Container Host OS)
QUESTION 27
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a volume named Volume1.
A central access policy named Policy1 is deployed to the domain.
You need to apply Policy1 to Volume1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: A
Explanation:
"File Explorer" = "Windows Explorer".
https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policydemonstration-steps-#BKMK_1.4
QUESTION 28
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), you link the GPO to the Servers OU, and then
you modify the User Rights Assignment in the GPO.
Does this meet the goal?
A. Yes
B. No
Answer: A
QUESTION 29
Your network contains an Active Directory domain named contoso.com.
You install the Windows Server Update Services server role on a member server named Server1.
Server1 runs Windows Server 2016.
You need to ensure that a user named User1 can perform the following tasks:
- View the Windows Server Update Services (WSUS) configuration.
- Generate WSUS update reports.
The solution must use the principle of least privilege.
What should you do on Server1?
A. Modify the permissions of the ReportWebService virtual folder from the WSUS Administration
website.
B. Add User1 to the WSUS Reporters local group.
C. Add User1 to the WSUS Administrators local group.
D. Run wsusutil.exe and specify the postinstall parameter.
Answer: B
Explanation:
WSUS Reporters have read-only access to the WSUS database and configuration.
A user with "WSUS Reporters" membership can view the configuration and generate
reports as follows:
QUESTION 30
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to return
to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management you create a software restriction policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Network profiles and ports are managed by using the advanced Windows Firewall settings;
software restriction policies cannot fulfill this need.
QUESTION 31
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows
Server 2016.
The forest contains 2,000 client computers that run Windows 10. All client computers are
deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that
administrators can access several client applications used by all users.
Solution: You deploy one physical computer and configure it as a Hyper-V host that runs
Windows Server 2016.
You create 10 virtual machines and configure each one as a PAW.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
"The PAW architecture does not allow for hosting an admin VM on a user workstation, but a user
VM with a standard corporate image can be hosted on a PAW host to provide personnel with a
single PC for all responsibilities."
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
QUESTION 32
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server5 that has the Windows Server Update Services
server role installed.
You need to configure Windows Server Update Services (WSUS) on Server5 to use SSL.
You install a certificate in the local Computer store.
Which two tools should you use? Each correct answer presents part of the solution.
A. Wsusutil
B. Netsh
C. Internet Information Services (IIS) Manager
D. Server Manager
E. Update Services
Answer: AC
Explanation:
https://technet.microsoft.com/en-us/library/hh852346(v=ws.11).aspx#bkmk_3.5.ConfigSSL
http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/
QUESTION 33
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Windows Firewall in the Control Panel, you add an application and allow the
application to communicate through the firewall on a Private network.
Does this meet the goal?
A. Yes
B. No
Answer: A
QUESTION 34
Your network contains an Active Directory domain named contoso.com. The domain contains five
servers. All servers run Windows Server 2016.
A new security policy states that you must modify the infrastructure to meet the following
requirements:
- Limit the rights of administrators.
- Minimize the attack surface of the forest.
- Support Multi-Factor authentication for administrators.
You need to recommend a solution that meets the new security policy requirements.
What should you recommend deploying?
A. an administrative forest
B. domain isolation
C. an administrative domain in contoso.com
D. the Local Administrator Password Solution (LAPS)
Answer: A
Explanation:
You have to "-Minimize the attack surface of the forest", then you must create another forest for
administrators.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material#ESAE_BM
This section contains an approach for an administrative forest based on the Enhanced Security
Administrative Environment (ESAE) reference architecture deployed by Microsoft's cyber security
professional services teams to protect customers against cyber security attacks. Dedicated
administrative forests allow organizations to host administrative accounts, workstations, and
groups in an environment that has stronger security controls than the production environment.
QUESTION 35
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows
Server 2016.
The forest contains 2,000 client computers that run Windows 10. All client computers are
deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that
administrators can access several client applications used by all users.
Solution: You deploy 10 physical computers and configure them as PAWs.
You deploy 10 additional computers and configure them by using the customized Windows
image.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
QUESTION 36
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
Server1 is configured as a domain controller.
You configure Server1 as a Just Enough Administration (JEA) endpoint.
You configure the required JEA rights for a user named User1.
You need to tell User1 how to manage Active Directory objects from Server2.
What should you tell User1 to do first on Server2?
A. From a command prompt, run ntdsutil.exe.
B. From Windows PowerShell, run the Import-Module cmdlet.
C. From Windows PowerShell run the Enter-PSSession cmdlet.
D. Install the management consoles for Active Directory, and then launch Active Directory Users and
Computers.
Answer: C
Explanation:
"Enter-PSSession -ComputerName localhost -ConfigurationName demo1ep. You should see
your prompt change to [localhost]: indicating that you are now in the special constrained session
configuration. Run Get-Command. Observe the limited set of commands available".
https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/
QUESTION 37
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
A technician is testing the deployment of Credential Guard on Server1.
You need to verify whether Credential Guard is enabled on Server1.
What should you do?
A. From a command prompt, run the credwiz.exe command.
B. From Task Manager, review the processes listed on the Details tab.
C. From Server Manager, click Local Server, and review the properties of Server1.
D. From Windows PowerShell, run the Get-WsManCredSSP cmdlet.
Answer: B
Explanation:
https://yungchou.wordpress.com/2016/10/10/credential-guard-made-easy-in-windows-10-version-1607/
As before, once Credential Guard is properly configured and running, you should find the
'Credential Guard' process and 'lsaiso.exe' listed on the Details page in Task Manager.
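A scripted equivalent of the Task Manager check, as an added example that is not part of the original answer key. The function name Get-CredentialGuardStatus is hypothetical; it reads the Win32_DeviceGuard WMI class and looks for the LsaIso process on the local server.

```powershell
# Added example (not from the original material).
# Get-CredentialGuardStatus is a hypothetical helper name.
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes the virtualization-based security (VBS) state.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # In both service arrays the value 1 identifies Credential Guard.
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1

    # LsaIso.exe is the process the explanation tells you to look for in Task Manager.
    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $vbs
        CredentialGuardConfigured = $configured
        CredentialGuardRunning    = $running
        LsaIsoProcessId           = if ($lsaIso) { $lsaIso.Id } else { $null }
        # Configured but not running, or running without a visible LsaIso
        # process, deserves a closer look before the deployment is signed off.
        NeedsAttention            = ($configured -and -not $running) -or
                                    ($running -and -not $lsaIso)
    }
}

Get-CredentialGuardStatus | Format-List
```

Run it in an elevated session on Server1; CredentialGuardRunning and a non-empty LsaIsoProcessId together correspond to what the Details tab shows.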
QUESTION 38
Your network contains an Active Directory domain named contoso.com.
The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You deploy a new server named FinanceServer5, and join FinanceServer5 to the domain.
You need to ensure that the passwords of the local administrators of FinanceServer5 are
available to the LAPS administrators.
What should you do?
A. On FinanceServer5, register AdmPwd.dll.
B. On FinanceServer5, install the LAPS Windows PowerShell module.
C. In the domain, modify the permissions for the computer account of FinanceServer5.
D. In the domain, modify the permissions of the Domain Controllers organizational unit (OU).
Answer: B
QUESTION 39
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Center on a server named Server1 and the ATA Gateway on a server named
Server2.
You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?
A. the domain controllers to forward Event ID 4776 to Server2
B. the domain controllers to forward Event ID 1000 to Server1
C. Server2 to forward Event ID 1026 to Server1
D. Server1 to forward Event ID 1000 to Server2
Answer: A
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture
ATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway
using physical or virtual switches. If you deploy the ATA Lightweight Gateway directly on your
domain controllers, it removes the requirement for port mirroring. In addition, ATA can leverage
Windows events (forwarded directly from your domain controllers or from a SIEM server) and
analyze the data for attacks and threats. See the green line in the following figure: forward event
ID 4776, which indicates that NTLM authentication is being used, to the ATA Gateway Server2.
QUESTION 40
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
You need to create Work Folders on Server1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
https://blogs.technet.microsoft.com/canitpro/2015/01/19/step-by-step-creating-a-work-folders-test-lab-deployment-in-windows-server-2012-r2/
https://technet.microsoft.com/en-us/library/dn265974(v=ws.11).aspx
QUESTION 41
Your network contains an Active Directory forest named contoso.com.
The network is connected to the Internet.
You have 100 point-of-sale (POS) devices that run Windows 10.
The devices cannot access the Internet.
You deploy Microsoft Operations Management Suite (OMS).
You need to use OMS to collect and analyze data from the POS devices.
What should you do first?
A. Deploy Windows Server Gateway to the network.
B. Install the OMS Log Analytics Forwarder on the network.
C. Install Microsoft Data Management Gateway on the network.
D. Install the Simple Network Management Protocol (SNMP) feature on the devices.
E. Add the Microsoft NDIS Capture service to the network adapter of the devices.
Answer: B
Explanation:
https://blogs.technet.microsoft.com/msoms/2016/03/17/oms-log-analytics-forwarder/
QUESTION 42
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1.
Server1 is configured as shown in the following table.
You plan to create a pilot deployment of Microsoft Advanced Threat Analytics (ATA).
You need to install the ATA Center on Server1.
What should you do first?
A. Install Microsoft Security Compliance Manager (SCM).
B. Obtain an SSL certificate.
C. Assign an additional IPv4 address.
D. Remove Server1 from the domain.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites
ATA Center, which is the first component to be deployed on Server1, requires the use of the SSL
protocol to communicate with the ATA Gateway. To ease the installation of ATA, you can install
self-signed certificates during installation. Post deployment, you should replace the self-signed
certificate with a certificate from an internal Certification Authority to be used by the ATA Center.
Make sure the ATA Center and ATA Gateways have access to your CRL distribution point. If they
don't have Internet access, follow the procedure to manually import a CRL, taking care to install
all the CRL distribution points for the whole chain.
QUESTION 43
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains
multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the
following requirements:
- The resources of the applications must be isolated from the physical
host.
- Each application must be prevented from accessing the resources of
the other applications.
- The configurations of the applications must be accessible only from
the operating system that hosts the application.
Solution: You deploy a separate Hyper-V container for each application.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
QUESTION 44
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Secure that contains all servers.
You install Microsoft Security Compliance Manager (SCM) 4.0 on a server named Server1.
You need to export the SCM Print Server Security baseline and to deploy the baseline to a server
named Server2.
What should you do? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Format to use to export the baseline: GPO Backup (folder)
Tool to use to import the baseline: Group Policy Management
When the security settings are exported from SCM 4 in GPO Backup (folder) format, as a folder
with a long GUID name, you have to import them into a GPO by using "Group Policy Management":
right-click the GPO and use the "Import Settings" button.
Do not confuse this with security template .inf files. Only a security template .inf file (which is
a single file, not a folder) can be imported into a GPO by using Group Policy Object Editor.
QUESTION 45
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The services on Server1 are shown in the following output.
Server1 has the AppLocker rules configured as shown in the exhibit (Click the Exhibit button.)
Rule1 and Rule2 are configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
On Server1, User1 can run D:\Folder2\App1.exe : Yes
On Server1, User1 can run D:\Folder1\Program1.exe : Yes
If Program1 is copied from D:\Folder1 to D:\Folder2, User1 can run Program1.exe on Server1 :
Yes
https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-application-identity-service
The Application Identity service determines and verifies the identity of an app. Stopping this
service will prevent AppLocker policies from being enforced. In this question, Server1's Application
Identity service is stopped; therefore, AppLocker rules are no longer enforced and everyone could
run everything on Server1.
QUESTION 46
Hotspot Question
Your network contains an Active Directory domain named adatum.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named OU1 that contains Server1.
You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1.
A user named User1 is a member of group named Group1.
The properties of User1 are shown in the User1 exhibit (Click the Exhibit button.)
User1 has permissions to two files on Server1 configured as shown in the following table.
From Auditing Entry for Global File SACL, you configure the advanced audit policy settings in
GPO1 as shown in the SACL exhibit (Click the Exhibit button.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
http://sourcedaddy.com/windows-7/auditing-file-and-folder-access.html
QUESTION 47
Hotspot Question
Your network contains an Active Directory forest named contoso.com.
The forest has Microsoft Identity Manager (MIM) 2016 deployed.
You implement Privileged Access Management (PAM).
You need to request privileged access from a client computer in contoso.com by using PAM.
How should you complete the Windows PowerShell script? To answer, select the appropriate
options in the answer area.
Answer:
Explanation:
$PAM = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" }
New-PAMRequest -role $PAM
QUESTION 48
Hotspot Question
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of
the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that you can implement the Local Administrator Password Solution (LAPS)
for the finance department computers.
What should you do in the contoso.com forest? To answer, select the appropriate options in the
answer area.
Answer:
Explanation:
Windows PowerShell module to import: AdmPwd.PS
Windows PowerShell cmdlet to use: update-AdmPwdADSchema
https://flamingkeys.com/deploying-the-local-administrator-password-solution-part-2/
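The schema step from the answer, followed by the delegation that lets the finance computers store their passwords and lets a LAPS administrators group read them, as an added example that is not part of the original answer key. The OU name Finance comes from the scenario; the group name 'LAPS Admins' and the computer name FIN-PC01 are assumptions.

```powershell
# Added example (not from the original material). Run on a management computer that
# has the LAPS management tools installed; step 1 needs Schema Admins membership.
Import-Module AdmPwd.PS

$ou        = 'Finance'       # OU from the scenario
$lapsAdmin = 'LAPS Admins'   # assumed group name

# 1. Extend the schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Before delegating, audit who can already read the confidential attribute.
#    Anyone holding "All extended rights" on the OU can read stored passwords.
$holders = Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

$unexpected = $holders | Where-Object {
    $_ -notmatch 'SYSTEM$|\\Domain Admins$' -and
    $_ -notlike ('*\' + $lapsAdmin)
}
if ($unexpected) {
    Write-Warning ("Review extended rights on {0}: {1}" -f $ou, ($unexpected -join ', '))
}

# 4. Grant password read access to the LAPS administrators group only.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $lapsAdmin

# 5. After the LAPS GPO and client-side extension have applied, confirm that a
#    password has been stored without printing it.
Get-AdmPwdPassword -ComputerName 'FIN-PC01' |   # assumed computer name
    Select-Object ComputerName, ExpirationTimestamp
```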
QUESTION 49
Hotspot Question
You plan to deploy three encrypted virtual machines that use Secure Boot.
The virtual machines will be configured as shown in the following table.
How should you protect each virtual machine? To answer, select the appropriate options in the
answer area.
Answer:
Explanation:
VM1: A shielded virtual machine
VM2: An encryption-supported virtual machine
VM3: An encryption-supported virtual machine
A shielded VM prevents Virtual Machine Connection and PowerShell Direct; it prevents the Hyper-V
host from interacting in any way with the shielded VM.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-andshielded-vms
QUESTION 50
Hotspot Question
Your network contains two Active Directory forests named contoso.com and adatum.com.
Contoso.com contains a Hyper-V host named Server1.
Server1 is a member of a group named HyperHosts. Adatum.com contains a server named
Server2. Server1 and Server2 run Windows Server 2016.
Contoso.com trusts adatum.com.
You plan to deploy shielded virtual machines to Server1 and to configure Admin-trusted
attestation on Server2.
Which component should you install and which cmdlet should you run on Server2? To answer,
select the appropriate options in the answer area.
Answer:
Explanation:
Component to install on Server1: The Host Guardian Hyper-V Support feature
Cmdlet to run on Server1: Set-HgsClientConfiguration
The key to this question is Admin-trusted attestation (or AD mode) for the guarded fabric host
"Server1.contoso.com", while Server2.adatum.com is running the Host Guardian Service.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricguarded-host-prerequisites
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricconfirm-hosts-can-attest-successfully
QUESTION 51
The New-CIPolicy cmdlet creates a Code Integrity policy as an .xml file. If you do NOT supply
either driver files or rules what will happen?
A. The cmdlet performs a system scan
B. An exception/warning is shown because either one is required
C. Nothing
D. The cmdlet searches the Code Integrity Audit log for drivers
Answer: A
Explanation:
If you do not supply either driver files or rules, this cmdlet performs a system scan similar to the
Get-SystemDriver cmdlet.
The cmdlet generates rules based on Level. If you specify the Audit parameter, this cmdlet scans
the Code Integrity Audit log instead.
QUESTION 52
Read the following statement carefully and answer YES or NO.
You create a rule "Allow Everyone to run Windows except Registry Editor" that allows everyone in
the organization to run Windows but does not allow anyone to run Registry Editor.
The effect of this rule would prevent users such as help desk personnel from running a program
that is necessary for their support tasks.
To resolve this problem, you create a second rule that applies to the Helpdesk user group: "Allow
Helpdesk to run Registry Editor."
However, if you created a deny rule that did not allow any users to run Registry Editor, would the
deny rule override the second rule that allows the Helpdesk user group to run Registry Editor?
A. NO
B. YES
Answer: B
Explanation:
For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in
the organization to run Windows but does not allow anyone to run Registry Editor. The effect of
this rule would prevent users such as help desk personnel from running a program that is
necessary for their support tasks. To resolve this problem, create a second rule that applies to the
Helpdesk user group: "Allow Helpdesk to run Registry Editor." If you create a deny rule that does
not allow any users to run Registry Editor, the deny rule will override the second rule that allows
the Helpdesk user group to run Registry Editor.
https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx
QUESTION 53
A shielding data file (also called a provisioning data file or PDK file) is an encrypted file that a
tenant or VM owner creates to protect important VM configuration information.
A fabric administrator uses the shielding data file when creating a shielded VM, but is unable to
view or use the information contained in the file.
Which information can be stored in the shielding data file?
A. Administrator credentials
B. All of these
C. A Key Protector
D. Unattend.xml
Answer: B
QUESTION 54
You're creating a new GPO for WSUS settings so that client computers retrieve updates from
your company's official WSUS server.
In the Group Policy Management Editor you have drilled down to
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update and
have right-clicked the "Specify intranet Microsoft update service location" setting and chosen Edit.
If the FQDN for your WSUS server is CONTOSO-WSUS1.contoso.com, which URL would you
enter into the field?
A. http://CONTOSO-WSUS1.contoso.com:443
B. http://CONTOSO-WSUS1.contoso.com:21
C. http://CONTOSO-WSUS1.contoso.com:80
D. http://CONTOSO-WSUS1.contoso.com:8530
Answer: D
Explanation:
The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer
(HTTPS) port is 8531.
If you're unsure which port WSUS is using for client communication, right-click the WSUS
Administration site in IIS Manager, and then click Edit Bindings.
QUESTION 55
Windows PowerShell is a task-based command-line shell and scripting language designed
especially for system administration.
Windows Defender comes with a number of different Defender-specific cmdlets that you can run
through PowerShell to automate common tasks.
Which Cmdlet would you run first if you wanted to perform an offline scan?
A. Start-MpWDOScan
B. Start-MpScan
C. Set-MpPreference -DisableRestorePoint $true
D. Set-MpPreference -DisablePrivacyMode $true
Answer: A
Explanation:
Some malicious software can be particularly difficult to remove from your PC. Windows Defender
Offline (Start-MpWDOScan) can help to find and remove this using up-to-date threat definitions.
QUESTION 56
_____ enables easier management for BitLocker enabled desktops and servers in a domain
environment by providing automatic unlock of operating system volumes at system reboot when
connected to a wired corporate network. This feature requires the client hardware to have a
DHCP driver implemented in its UEFI firmware.
A. Network Unlock
B. EFS recovery agent
C. JEA
D. Credential Guard
Answer: A
Explanation:
https://technet.microsoft.com/en-us/library/jj574173(v=ws.11).aspx
See last sentence of first paragraph: "This feature requires the client hardware to have a DHCP
driver implemented in its UEFI firmware"
QUESTION 57
This question relates to Windows Firewall and related technologies.
These rules use IPsec to secure traffic while it crosses the network.
You use these rules to specify that connections between two computers must be authenticated or
encrypted.
What is the name for these rules?
A. Connection Security Rules
B. Firewall Rules
C. TCP Rules
D. DHP Rules
Answer: A
QUESTION 58
Windows Firewall rules can be configured using PowerShell.
The "Set-NetFirewallProfile" cmdlet configures settings that apply to the per-profile configurations
of the Windows Firewall with Advanced Security.
What is the default setting for the AllowInboundRules parameter when managing a GPO?
A. FALSE
B. NotConfigured
Answer: B
Explanation:
The default setting when managing a computer is True. When managing a GPO, the default
setting is NotConfigured. The NotConfigured value is only valid when configuring a Group Policy
Object (GPO). This parameter removes the setting from the GPO, which results in the policy not
changing the value on the computer when the policy is applied.
QUESTION 59
The "Network Security: Restrict NTLM: NTLM authentication in this domain" policy setting allows
you to deny or allow NTLM authentication within a domain from this domain controller.
Which value would you choose so that the domain controller will deny all NTLM authentication
logon attempts using accounts from this domain to all servers in the domain?
The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless
the server name is on the exception list in the Network security: Restrict NTLM: Add server
exceptions in this domain policy setting.
A. Deny for domain accounts
B. Deny for domain accounts to domain servers
C. Deny all
D. Deny for domain servers
Answer: B
QUESTION 60
Encryption-supported VMs are intended for use where the fabric administrators are fully trusted.
For example, an enterprise might deploy a guarded fabric in order to ensure VM disks are
encrypted at-rest for compliance purposes.
Shielded VMs are intended for use in fabrics where the data and state of the VM must be
protected from both fabric administrators and untrusted software that might be running on the
Hyper-V hosts.
Is the Virtual Machine Connection (Console), HID devices (e.g. keyboard, mouse) ON or OFF for
encryption-supported VMs?
A. Off
B. On
Answer: B
Explanation:
Shielded VMs will never permit a VM console connection whereas a fabric administrator can turn
this protection on or off for encryption supported VMs.
QUESTION 61
Updates typically consist of new versions of files that already exist on the computer that is being
updated. On a binary level, these existing files might not differ very much from updated versions.
The _________ feature identifies the exact bytes between versions, creates and distributes
updates of only those differences, and then merges the existing file together with the updated
bytes.
A. Background Intelligent Transfer Service
B. Express installation files
C. Filters
D. Deferred download
Answer: B
Explanation:
You can use express installation files to limit the bandwidth that is consumed on the local
network, because WSUS transmits only the delta applicable to a particular version of an updated
component. However, this comes at the cost of additional bandwidth between your WSUS server,
any upstream WSUS servers, and Microsoft Update, and requires additional local disk space. By
default, WSUS does not use express installation files.
QUESTION 62
The AppLocker Microsoft Management Console (MMC) snap-in is organized into areas called
rule collections. It can differentiate between various file types and formats.
Do you know which of the following is NOT a script file format?
A. .cmd
B. .com
C. .js
D. .bat
Answer: B
Explanation:
A .com file (like an .exe file) is an executable; the others are all script formats.
QUESTION 63
One solution to help reduce the potential for stolen data is to encrypt sensitive files by using
Encrypting File System (EFS) to increase the security of your data. Encryption is the application
of a mathematical algorithm to make data unreadable except to those users who have the
required key. EFS is a Microsoft technology that lets you encrypt data on your computer, and
control who can decrypt, or recover, the data. When files are encrypted, user data cannot be read
even if an attacker has physical access to the computer's data storage.
Which certificate allows the holder to recover encrypted files and folders throughout a domain or
other scope, no matter who encrypted them?
A. File Recovery certificate
B. Encrypting File System certificate
Answer: A
QUESTION 64
Complete the two missing terms in the paragraph below:
Consider some IT professionals in a department that runs many servers. They decide they want
their servers to run only software signed by the providers of their software and drivers, that is, the
companies that provide their hardware, operating system, antivirus, and other important software.
They know that their servers also run an internally written application that is unsigned but is rarely
updated. They want to allow this application to run.
To create the code integrity policy, they build a reference server on their standard hardware, and
install all of the software that their servers are known to run. Then they run New-CIPolicy with
-Level ________ (to allow software from their software providers) and -Fallback ________ (to
allow the internal, unsigned application).
A. Publisher, Hash
B. WHQLPublisher, Hash
C. LeafCertificate, Hash
D. RootCertificate, Hash
Answer: A
QUESTION 65
Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small
configuration issue will be the root cause of the failure.
Which utility would you use to verify group policy is reaching the clients properly?
A. gpfixup.exe
B. pnputil.exe
C. ktmutil.exe
D. gpresult.exe
Answer: D
Explanation:
Gpresult displays the Resultant Set of Policy (RSoP) information for a remote user and computer.
QUESTION 66
You deploy the Host Guardian Service (HGS).
You have several Hyper-V hosts that have older hardware and Trusted Platform Modules (TPMs)
version 1.2.
You discover that the Hyper-V hosts cannot start shielded virtual machines.
You need to configure HGS to ensure that the older Hyper-V hosts can host shielded virtual
machines.
What should you do?
A. Run the Set-HgsServer cmdlet and specify the -TrustTpm parameter.
B. Run the Set-HgsServer cmdlet and specify the -TrustActiveDirectory parameter.
C. Run the Clear-HgsServer cmdlet and specify the -Clustername parameter
D. Run the Clear-HgsServer cmdlet and specify the -Force parameter.
E. It is not possible to enable older Hyper-V hosts to run Shielded virtual machines
Answer: E
Explanation:
Requirements and Limitations
There are several requirements for using Shielded VMs and the HGS:
One bare metal host: You can deploy the Shielded VMs and the HGS with just one host. However,
Microsoft recommends that you cluster HGS for high availability.
Windows Server 2016 Datacenter Edition: The ability to create and run Shielded VMs and the
HGS is only supported by Windows Server 2016 Datacenter Edition.
For Admin-trusted attestation mode: You only need to have server hardware capable of running
Hyper-V in Windows Server 2016 TP5 or higher.
For TPM-trusted attestation: Your servers must have TPM 2.0 and UEFI 2.3.1 and they must boot
in UEFI mode. The hosts must also have secure boot enabled.
Hyper-V role: Must be installed on the guarded host.
HGS Role: Must be added to a physical host.
Generation 2 VMs.
A fabric AD domain.
An HGS AD, which in Windows Server 2016 TP5 is a separate AD infrastructure from your fabric AD.
QUESTION 67
Your network contains an Active Directory domain named contoso.com. The domain contains
multiple servers that run either Windows Server 2012 or Windows Server 2012 R2.
You plan to implement Just Enough Administration (JEA) to manage all of the servers.
What should you install on each server to ensure that the servers can be managed by using JEA?
A. Remote Server Administration Tools (RSAT)
B. Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
C. Management Odata Internet Information Services (IIS) Extension
D. Windows Management Framework 5.0
Answer: D
Explanation:
https://msdn.microsoft.com/en-us/library/dn896648.aspx
Get JEA
The current release of JEA is available on the following platforms:
Windows Server
Windows Server 2016 Technical Preview 5 and higher
Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2* with Windows
Management Framework 5.0 installed
QUESTION 68
You have the servers configured as shown in the following table.
You purchase a Microsoft Azure subscription, and you create three Microsoft Operations
Management Suite (OMS) workspaces named Workspace1, Workspace2, and Workspace3.
You need to deploy Microsoft Monitoring Agent to the servers to meet the following requirements:
- Antimalware data from all the servers must be visible in Workspace1.
- Security and audit data from the domain controllers and the virtualization hosts must be visible in Workspace2.
- System update data from all the servers in all the workgroups must be visible in Workspace3.
How many OMS agents should you deploy?
A. 10
B. 33
C. 73
D. 45
Answer: C
Explanation:
"All the servers" means all 5 domain controllers, plus all member servers (physical and virtual,
domain and workgroup) and virtualization hosts, so there are no exemptions. All servers mentioned
in the above table must install the OMS Microsoft Monitoring Agent.
QUESTION 69
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016.
You need to prevent direct .NET scripts invoked by interactive Windows PowerShell sessions
from running on the servers.
What should you do for each server?
A. Create an AppLocker rule.
B. Create a Code Integrity rule.
C. Disable PowerShell Remoting.
D. Modify the local Kerberos policy settings.
Answer: C
QUESTION 70
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that has Microsoft Security Compliance Manager
(SCM) 4.0 installed.
The domain contains domain controllers that run Windows Server 2016.
A Group Policy object (GPO) named GPO1 is applied to all of the domain controllers.
GPO1 has a Globally Unique Identifier (GUID) of 7ABCDEFG-1234-5678-90AB-005056123456.
You need to create a new baseline that contains the settings from GPO1.
What should you do first?
A. Copy the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB-005056123456}
folder to Server1.
B. From Group Policy Management, create a backup of GPO1.
C. From Windows PowerShell, run the Copy-GPO cmdlet
D. Modify the permissions of the
\\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB-005056123456}
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/hh489604.aspx
You can import current settings from your GPOs and compare these to the Microsoft
recommended best practices. Start with a GPO backup that you would commonly create in the
Group Policy Management Console (GPMC). Take note of the folder to which the backup is saved.
In SCM, select GPO Backup, browse to the GPO folder's Globally Unique Identifier (GUID) and
select a name for the GPO when it's imported. SCM will preserve any ADM files and GP
Preference files (those with non-security settings that SCM doesn't parse) you're storing with your
GPO backups. It saves them in a subfolder within the user's public folder.
When you export the baseline as a GPO again, it also restores all the associated files.
QUESTION 71
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain
members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that you can view Windows PowerShell code that was generated dynamically
and executed on the computers in OU1.
What would you configure in GP1?
A. Object Access\Audit Application Generated from the advanced audit policy
B. Turn on PowerShell Script Block Logging from the PowerShell settings
C. Turn on Module Logging from the PowerShell settings
D. Object Access\Audit Other Object Access Events from the advanced audit policy
Answer: B
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to
log the invocation of cmdlets, PowerShell's scripting language has plenty of features that you might
want to log and/or audit. The new Detailed Script Tracing feature lets you enable detailed tracking
and analysis of Windows PowerShell scripting use on a system. After you enable detailed script
tracing, Windows PowerShell logs all script blocks to the ETW event log,
Microsoft-Windows-PowerShell/Operational. If a script block creates another script block (for
example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is
logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging
Group Policy setting (in Administrative Templates -> Windows Components -> Windows
PowerShell).
QUESTION 72
Your network contains an Active Directory forest named contoso.com.
All domain controllers run Windows Server 2016. Member servers run either Windows Server
2012 R2 or Windows Server 2016.
Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are
encrypted when they are transferred over the network.
Solution: You enable access-based enumeration on all the file shares.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Access-Based Enumeration does not help encrypt network file transfers.
QUESTION 73
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Security Options.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
QUESTION 74
Your network contains an internal network and a perimeter network.
The internal network contains an Active Directory forest named contoso.com.
You deploy five servers to the perimeter network.
All of the servers run Windows Server 2016 and are the members of a workgroup.
You need to apply a security baseline named Perimeter.inf to the servers in the perimeter
network.
What should you use to apply Perimeter.inf?
A. Local Computer Policy
B. Security Configuration Wizard (SCW)
C. Group Policy Management
D. Server Manager
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows-server/get-started/deprecated-features
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-
utility-v1-0/
https://msdn.microsoft.com/en-us/library/bb742512.aspx
QUESTION 75
You enable and configure PowerShell Script Block Logging.
You need to view which script blocks were executed by using Windows PowerShell scripts.
What should you do?
A. View the Microsoft-Windows-PowerShell/Operational event log.
B. Open the log files in %LocalAppData%\Microsoft\Windows\PowerShell.
C. View the Windows PowerShell event log.
D. Open the log files in %SYSTEMROOT%\Logs.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the event
log, Microsoft-Windows-PowerShell/Operational.
QUESTION 76
Your network contains an Active Directory domain named contoso.com.
The domain contains four global groups named Group1, Group2, Group3, and Group4.
A user named User1 is a member of Group3.
You have an organizational unit (OU) named OU1 that contains computer accounts.
A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account
named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table:
You need to ensure that User1 can access the shares on Computer1. What should you do?
A. Modify the membership of Group1.
B. In GPO1, modify the Access this computer from the network user right
C. Modify the Deny access to this computer from the network user right.
D. Modify the Deny log on locally user right
Answer: B
QUESTION 77
You are building a guarded fabric.
You need to configure Admin-trusted attestation.
Which cmdlet should you use?
A. Add-HgsAttestationHostGroup
B. Add-HgsAttestationTpmHost
C. Add-HgsAttestationCIPolicy
D. Add-HgsAttestationTpmPolicy
Answer: A
Explanation:
Authorize Hyper-V hosts using Admin-trusted attestation
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-
vm/guarded-fabric-addhost-information-for-admin-trusted-attestation
QUESTION 78
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016.
You implement a single-domain administrative forest named admin.contoso.com that has
Enhanced Security Administrative Environment (ESAE) deployed.
You have an administrative user named Admin1 in admin.contoso.com.
You need to ensure that Admin1 can manage the domain controllers in contoso.com.
To which group should you add Admin1?
A. Contoso\Domain Admins
B. Admin\Administrators
C. Admin\Domain Admins
D. Contoso\Administrators
Answer: D
Explanation:
admin.contoso.com (NetBIOS domain name "ADMIN") is the administrative domain.
contoso.com (NetBIOS domain name "CONTOSO") is the corporate resource domain.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-
privilegedaccess-reference-material
QUESTION 79
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether ICMP traffic is exempt from IPsec on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: D
Explanation:
The Get-NetFirewallSetting cmdlet retrieves the global firewall settings of the target computer.
The NetFirewallSetting object specifies properties that apply to the firewall and IPsec settings, no
matter which network profile is currently in use. The global configurations include viewing the
active profile, exemptions, specified certification validation levels, and user and computer
authorization lists.
QUESTION 80
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to
the corporate network.
Solution: You run the command New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound
-Program "D:\Apps\App1.exe" -Action Allow -Profile Domain
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Tested correct cmdlet, worked, and the profile "Domain" for corporate network is also correct.
QUESTION 81
Your network contains an Active Directory domain named contoso.com.
The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2016.
You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence?
A. Install-HgsServer
B. Install-Module
C. Install-Package
D. Enable-WindowsOptionalFeature
E. Install-ADDSDomainController
F. Initialize-HgsServer
Answer: AEF
Explanation:
Correct order of actions:
1. Install-ADDSDomainController, as Server22 is a workgroup computer, create a new domain on it
first.
2. Install-HgsServer
3. Initialize-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-
vm/guarded-fabricsetting-up-the-host-guardian-service-hgs
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-
vm/guarded-fabricinstall-hgs-defaultInstall-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-
vm/guarded-fabricinitialize-hgs-tpm-mode-defaultInitialize-HgsServer
QUESTION 82
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The local administrator credentials of Server1 are managed by using the Local Administrator
Password Solution (LAPS).
You need to retrieve the password of the Administrator account on Server1.
What should you do?
A. From Windows PowerShell on Server1, run the Get-ADFineGrainedPasswordPolicy cmdlet and
specify the -Credential parameter.
B. From Windows PowerShell on Server1, run the Get-ADUser cmdlet and specify the -Credential
parameter.
C. From Active Directory Users and Computers, open the properties of Server1 and view the value
of the ms-Mcs-AdmPwd attribute
D. From Active Directory Users and Computers, open the properties of Administrator and view the
value of the userPassword attribute
Answer: C
Explanation:
The "ms-Mcs-AdmPwd" attribute of a computer account in Active Directory Users and Computers
stores the local Administrator password of a computer, which is configured by LAPS.
QUESTION 83
Your network contains an Active Directory domain named contoso.com.
The domain contains a DNS server named Server1 that runs Windows Server 2016.
A domain-based Group Policy object (GPO) is used to configure the security policy of Server1.
You plan to use Security Compliance Manager (SCM) 4.0 to compare the security policy of
Server1 to the WS2012 DNS Server Security 1.0 baseline.
You need to import the security policy into SCM. What should you do first?
A. From Security Configuration and Analysis, use the Export Template option.
B. Run the Copy-GPO cmdlet and specify the -TargetName parameter.
C. Run the Backup-GPO cmdlet and specify the -Path parameter.
D. Run the secedit.exe command and specify the /export parameter.
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/ee461052.aspx
Running the Backup-GPO cmdlet with the -Path parameter creates a GPO backup folder with a GUID
name that is suitable to import into SCM 4.0.
QUESTION 84
Your network contains an Active Directory forest named contoso.com.
The forest contains three domains. All domain controllers run Windows Server 2016.
You deploy a second Active Directory forest named admin.contoso.com.
The forest contains a domain member server named Server1.
Server1 has Microsoft Identity Manager (MIM) 2016 deployed.
You need to implement Privileged Access Management (PAM) and to use admin.contoso.com as
an administrative forest.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From a domain controller in contoso.com, run the New-PAMTrust cmdlet.
B. From Server1, run the New-PAMDomainConfiguration cmdlet
C. From a domain controller in admin.contoso.com, run the New-PAMTrust cmdlet.
D. From a domain controller in contoso.com, run the New-PAMDomainConfiguration cmdlet.
E. From a domain controller in admin.contoso.com, run the New-PAMDomainConfiguration cmdlet
F. From Server1, run the New-PAMTrust cmdlet
Answer: BF
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-
for-pam
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-
priv-corpforests
QUESTION 85
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
You need to configure Nano1 as a Hyper-V Host. Which command should you run?
A. Add-WindowsFeature Microsoft-NanoServer-Compute-Package
B. Add-WindowsFeature Microsoft-NanoServer-Guest-Package
C. Add-WindowsFeature Microsoft-NanoServer-Host-Package
D. Add-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
E. Install-Package Microsoft-NanoServer-Compute-Package
F. Install-Package Microsoft-NanoServer-Guest-Package
G. Install-Package Microsoft-NanoServer-Host-Package
H. Install-Package Microsoft-NanoServer-ShieldedVM-Package
I. Install-WindowsFeature Microsoft-NanoServer-Compute-Package
J. Install-WindowsFeature Microsoft-NanoServer-Guest-Package
K. Install-WindowsFeature Microsoft-NanoServer-Host-Package
L. Install-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
Answer: E
Explanation:
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server#BKMK_online
The Nano Server package "Microsoft-NanoServer-Compute-Package" includes the Hyper-V role
for a Nano Server host. Moreover, the Install-WindowsFeature and Add-WindowsFeature cmdlets are
NOT available on a Nano Server.
QUESTION 86
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether any connection security rules are configured on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: A
Explanation:
https://technet.microsoft.com/en-us/itpro/powershell/windows/netsecurity/get-netipsecrule
Get-NetIPSecRule displays the existence and details of connection security rules, because connection security rules implement IPsec between computers (not using tunnel endpoints) or sites (using tunnel endpoints).
QUESTION 87
You implement Log Analytics in Microsoft Operations Management Suite (OMS) on all servers
that run Windows Server 2016.
You need to generate a daily report that identifies which servers restarted during the last 24
hours.
Which query should you use?
A. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
B. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
C. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
D. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-searches
Computer restart events are stored in the "System" event log, not the Application event log. The "NOW-24HOURS" clause matches all events generated in the last 24 hours.
QUESTION 88
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You add User1 to the Backup Operators group on Server1 and Server2.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx
Backup Operators: Members of this group can back up and restore files on a computer, regardless of any permissions that protect those files. This is because the right to perform a backup takes precedence over all file permissions. Members of this group cannot change security settings.
QUESTION 89
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to
the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080, uses a scope
of 172.16.0.0/16 for local IP addresses, and applies to a private profile.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Because "You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network", you should create the firewall rule for the "Domain" profile, not the "Private" profile.
https://technet.microsoft.com/en-us/library/getting-started-wfas-firewall-profiles-ipsec(v=ws.10).aspx
QUESTION 90
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to implement BitLocker Network Unlock for all of the laptops. Which server role should
you deploy to the network?
A. Network Controller
B. Windows Deployment Services
C. Host Guardian Service
D. Device Health Attestation
Answer: B
Explanation:
https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock
Network Unlock core requirements
Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include:
- You must be running at least Windows 8 or Windows Server 2012.
- Any supported operating system with UEFI DHCP drivers can be Network Unlock clients.
- A server running the Windows Deployment Services (WDS) role on any supported server operating system.
- BitLocker Network Unlock optional feature installed on any supported server operating system.
- A DHCP server, separate from the WDS server.
- Properly configured public/private key pairing.
- Network Unlock Group Policy settings configured.
QUESTION 91
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that AppLocker rules will apply to the marketing department computers.
What should you do?
A. From the properties of OU2, modify the Security settings.
B. In GP2, configure the Startup type for the Application Identity service.
C. From the properties of OU2, modify the COM+ partition Set
D. In GP2, configure the Startup type for the Application Management service.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-application-identity-service
Because AppLocker uses the "Application Identity" service to verify the attributes of a file, you must configure it to start automatically in at least one Group Policy object (GPO) that applies AppLocker rules.
QUESTION 92
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1.
On Server1, administrators plan to use several scripts that have the .ps1 extension.
You need to ensure that when code is generated from the scripts, an event containing the details
of the code is logged in the Operational log.
Which Group Policy setting or settings should you configure?
A. Enable Protected Event Logging
B. Audit Process Creation and Audit Process Termination
C. Turn on PowerShell Script Block Logging
D. Turn on PowerShell Transcription
Answer: C
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system. After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW event log, Microsoft-Windows-PowerShell/Operational. If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well. Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy setting (in GPO Administrative Templates -> Windows Components -> Windows PowerShell).
Answer D is incorrect, since Transcription (Start-Transcript -path <FilePath>) uses a custom output location instead of the Event Viewer Operational log.
QUESTION 93
Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the
marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that when a configuration change is made on Nano2, Nano2 will revert back
to the original configuration automatically.
What should you do first?
A. Enable File History for all volumes.
B. Install the Microsoft-NanoServer-DSC-Package optional package
C. Install the Microsoft-NanoServer-DCB-Package optional package
D. Enable System Protection on all volumes
E. Deploy Microsoft System Center 2016 Data Protection Manager (DPM)
Answer: B
Explanation:
Using PowerShell DSC (Desired State Configuration) to mitigate configuration drift on Nano Server requires additional steps, like installing the support package "Microsoft-NanoServer-DSC-Package".
https://docs.microsoft.com/en-us/powershell/dsc/nanodsc
DSC on Nano Server is an optional package in the NanoServer\Packages folder of the Windows Server 2016 media. The package can be installed when you create a VHD for a Nano Server by specifying Microsoft-NanoServer-DSC-Package as the value of the Packages parameter of the New-NanoServerImage function, or by running the following PowerShell cmdlets on a live Nano Server ("Nano2"):
Import-PackageProvider NanoServerPackage
Install-Package Microsoft-NanoServer-DSC-Package -ProviderName NanoServerPackage -Force
QUESTION 94
You have a server named Server1 that runs Windows Server 2016. Server1 has the Windows
Server Update Services server role installed.
Windows Server Update Services (WSUS) updates for Server1 are stored on a volume named D.
The hard disk that contains volume D fails.
You replace the hard disk. You recreate volume D and the WSUS folder hierarchy in the volume.
You need to ensure that the updates listed in the WSUS console are available in the WSUS
folder. What should you run?
A. wsusutil.exe /import
B. wsusutil.exe /reset
C. Set-WsusServerSynchronization
D. Invoke-WsusServerCleanup
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/cc720466%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
WSUSutil.exe is a tool that you can use to manage your WSUS server from the command line. WSUSutil.exe is located in the %drive%\Program Files\Update Services\Tools folder on your WSUS server. You can run specific commands with WSUSutil.exe to perform specific functions, as summarized in the following table. The syntax you would use to run WSUSutil.exe with specific commands follows the table.
QUESTION 95
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to create a Role Capability file on Server3.
Which file should you create?
A. File1.xml
B. File1.ini
C. File1.ps1
D. File1.psrc
Answer: D
QUESTION 96
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether any inbound rules on Server1 require that users be authenticated
before they can connect to the server.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallApplicationFilter
Answer: B
Explanation:
The complete cmdlet to perform the required action:
QUESTION 97
You are implementing Privileged Access Management (PAM) for an Active Directory forest
named contoso.com.
You install a bastion forest named adatum.com, and you establish a trust between the forests.
You need to create a group in contoso.com that will be used by Microsoft Identity Manager to
create groups in adatum.com.
How should you configure the group? Choose Two.
A. Group name: ADATUM$$$
B. Group name: CONTOSO$$$
C. Group name: CONTOSO_Adatum$
D. Group name: MIM$
E. Group type: a domain local distribution group
F. Group type: a domain local security group
G. Group type: a global distribution group
H. Group type: a universal distribution group
I. Group type: a universal security group
Answer: BF
Explanation:
Production forest is contoso.com.
Bastion forest is adatum.com.
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
A security group on the local domain (contoso.com)
There must be a group in the existing domain whose name is the NetBIOS domain name followed by three dollar signs, e.g., CONTOSO$$$. The group scope must be domain local and the group type must be Security. This is needed for groups to be created in the dedicated administrative forest (adatum.com) with the same security identifier as groups in this domain (contoso.com). Create this group with the following command:
New-ADGroup -name 'CONTOSO$$$' -GroupCategory Security -GroupScope DomainLocal -SamAccountName 'CONTOSO$$$'
After this, MIM can create a "Shadow Group" in the bastion adatum.com forest.
QUESTION 98
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether IPsec tunnel authorization is configured on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: A
Explanation:
https://technet.microsoft.com/en-us/itpro/powershell/windows/netsecurity/get-netipsecrule
QUESTION 99
You have a server named Server1 that runs Windows Server 2016.
You need to view all of the inbound rules on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: B
Explanation:
Get-NetFirewallRule -Direction Inbound <-- view inbound rules for all profiles
The following examples show inbound rules for a specific firewall profile.
Get-NetFirewallRule -Direction Inbound | where {$_.Profile -eq "Domain"}
Get-NetFirewallRule -Direction Inbound | where {$_.Profile -eq "Public"}
Get-NetFirewallRule -Direction Inbound | where {$_.Profile -eq "Private"}
QUESTION 100
Your network contains an Active Directory domain.
Microsoft Advanced Threat Analytics (ATA) is deployed to the domain.
A database administrator named DBA1 suspects that her user account was compromised.
Which three events can you identify by using ATA? Each correct answer presents a complete
solution.
A. Spam messages received by DBA1.
B. Phishing attempts that targeted DBA1
C. The last time DBA1 experienced a failed logon attempt
D. Domain computers into which DBA1 recently signed.
E. Servers that DBA1 recently accessed.
Answer: CDE
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
Suspicious authentication failures (Behavioral brute force)
Attackers attempt to use brute force on credentials to compromise accounts. ATA raises an alert when abnormal failed authentication behavior is detected.
Abnormal behavior
Lateral movement is a technique often used by attackers to move between devices and areas in the victim's network to gain access to privileged credentials or sensitive information of interest to the attacker. ATA is able to detect lateral movement by analyzing the behavior of users, devices and their relationship inside the corporate network, and detect any abnormal access patterns which may indicate a lateral movement performed by an attacker.
QUESTION 101
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The hardware configuration on Server1 meets the requirements for Credential Guard.
You need to enable Credential Guard on Server. What should you do? Choose Two.
A. Component to install: The Host Guardian Service server role
B. Component to install: The Hyper-V server role
C. Component to install: The VM Shielding Tools for Fabric Management feature
D. Group Policy setting to configure: Access Credential Manager as a trusted provider
E. Group Policy setting to configure: Network Security: Configure encryption types allowed for
Kerberos
F. Group Policy setting to configure: Turn on Virtualization Based Security
Answer: BF
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements
Virtualization-based security requires:
- 64-bit CPU
- CPU virtualization extensions plus extended page tables
- Windows hypervisor
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage#hardware-readiness-tool
QUESTION 102
Your network contains an Active Directory domain named contoso.com.
The domain contains a member server named Servers that runs Windows Server 2016.
You need to configure Servers as a Just Enough Administration (JEA) endpoint.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Create and export a Windows PowerShell session.
B. Deploy Microsoft Identity Manager (MIM) 2016
C. Create a maintenance Role Capability file
D. Generate a random Globally Unique Identifier (GUID)
E. Create and register a session configuration file.
Answer: CE
Explanation:
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
https://docs.microsoft.com/en-us/powershell/jea/register-jea
QUESTION 103
You have a server named Server1 that runs Windows Server 2016.
You configure Just Enough Administration (JEA) on Server1.
You need to view a list of commands that will be available to a user named User1 when User1
establishes a JEA session to Server1.
Which cmdlet should you use?
A. Trace-Command
B. Get-PSSessionCapability
C. Get-PSSessionConfiguration
D. Show-Command
Answer: B
Explanation:
The Get-PSSessionCapability cmdlet gets the capabilities of a specific user on a constrained
session configuration. Use this cmdlet to audit customized session configurations for users. Starting
in Windows PowerShell 5.0, you can use the RoleDefinitions property in a session configuration
(.pssc) file. Using this property lets you grant users different capabilities on a single constrained endpoint based on group membership. The Get-PSSessionCapability cmdlet reduces complexity when auditing these endpoints by letting you determine the exact capabilities granted to a user. This command is used by the IT administrator (the "You" mentioned in the question) to verify the configuration for a user.
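The JEA pieces named in Questions 95, 102 and 103 (a .psrc role capability file, a registered .pssc session configuration, and the Get-PSSessionCapability audit), put together as an added PowerShell example that is not part of the original material. The module name ContosoJEA, the endpoint name Maintenance, the group CONTOSO\JEA_Maintenance, the Spooler restriction and all paths are assumptions.

```powershell
# Added example. Module, endpoint, group and path names are constructed values.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
$configDir  = Join-Path $env:ProgramData  'JEAConfiguration'
New-Item -ItemType Directory -Path "$moduleRoot\RoleCapabilities" -Force | Out-Null
New-Item -ItemType Directory -Path "$configDir\Transcripts"       -Force | Out-Null

# Role capability files are discovered in the RoleCapabilities folder of a valid module.
New-ModuleManifest -Path "$moduleRoot\ContosoJEA.psd1"

# 1. Role capability file (.psrc): expose only what the role needs.
#    Restart-Service is limited to one service name through ValidateSet.
New-PSRoleCapabilityFile -Path "$moduleRoot\RoleCapabilities\Maintenance.psrc" `
    -VisibleCmdlets 'Get-Service',
                    @{ Name = 'Restart-Service'
                       Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }

# 2. Session configuration file (.pssc): map a group to the role, run as a
#    temporary virtual account, and keep transcripts of every session.
$pssc = Join-Path $configDir 'Maintenance.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$configDir\Transcripts" `
    -RoleDefinitions @{ 'CONTOSO\JEA_Maintenance' = @{ RoleCapabilities = 'Maintenance' } }

# Validate the file, then register the endpoint (this restarts WinRM).
if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name 'Maintenance' -Path $pssc -Force
}

# 3. Audit: list exactly which commands User1 would get on this endpoint.
Get-PSSessionCapability -ConfigurationName 'Maintenance' -Username 'CONTOSO\User1' |
    Select-Object Name, CommandType
```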
QUESTION 104
You have a file server named Server1 that runs Windows Server 2016.
A new policy states that ZIP files must not be stored on Server1.
An administrator creates a file screen filter as shown in the following output
You need to prevent users from storing ZIP files on Server1. What should you do?
A. Enable Quota Management on all the drives.
B. Add a template to the filter.
C. Change the filter to active.
D. Configure File System (Global Object Access Auditing).
Answer: C
Explanation:
Because the output shows "Active : False", this is a passive file screen filter, which will not block unwanted file types.
QUESTION 105
Your network contains an Active Directory forest named contoso.com.
The forest functional level is Windows Server 2012.
The forest contains 20 member servers that are configured as file servers.
All domain controllers run Windows Server 2016.
You create a new forest named contosoadmin.com.
You need to use the Enhanced Security Administrative Environment (ESAE) approach for the
administration of the resources in contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From the properties of the trust, enable selective authentication.
B. Configure contosoadmin.com to trust contoso.com.
C. Configure contoso.com to trust contosoadmin.com.
D. From the properties of the trust, enable forest-wide authentication.
E. Configure a two-way trust between both forests.
Answer: AC
QUESTION 106
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From Windows PowerShell, you run the Disable-WindowsOptionalFeature cmdlet.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
On Client, the PowerShell approach (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol):
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
However, the question asks about Server! On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):
Remove-WindowsFeature FS-SMB1
Even if SMB1 is removed, SMB2 and SMB3 could still run NTLM authentication! Therefore, the answer is "No".
QUESTION 107
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to
the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080 and applies to
all profiles.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Therefore, you should not create a firewall rule for all three profiles.
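The rule that the two App1.exe questions (89 and 107) point toward, with a check for rules that are scoped too broadly, as an added PowerShell example that is not part of the original material. The display name is an assumption; the program path and port come from the question.

```powershell
# Added example; the display name is a constructed value.
$rule = @{
    DisplayName = 'App1 inbound TCP 8080 (Domain profile only)'
    Direction   = 'Inbound'
    Action      = 'Allow'
    Program     = 'D:\Apps\App1.exe'
    Protocol    = 'TCP'
    LocalPort   = 8080
    Profile     = 'Domain'   # rule is active only on networks detected as the domain network
}
New-NetFirewallRule @rule

# Which profile is each connected network using right now?
# NetworkCategory reads DomainAuthenticated, Private or Public.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

# Audit: enabled inbound allow rules for TCP 8080 that are NOT limited to Domain.
# Profile is a flags value, so 'Any' and 'Domain, Private' are reported too.
# Only an exact port match is checked; ranges and 'Any' ports are not expanded.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -ne 'Domain' } |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and $port.LocalPort -contains '8080'
    } |
    Select-Object DisplayName, Profile
```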
QUESTION 108
You have a guarded fabric and a Host Guardian Service server named HGS1.
You deploy a Hyper-V host named Hyper1, and configure Hyper1 as part of the guarded fabric.
You plan to deploy the first shielded virtual machine.
You need to ensure that you can run the virtual machine on Hyper1.
What should you do?
A. On Hyper1, run the Invoke-WebRequest cmdlet, and then run the Import-HgsGuardian cmdlet.
B. On HGS1, run the Invoke-WebRequest cmdlet, and then run the Import-HgsGuardian cmdlet.
C. On Hyper1, run the Export-HgsKeyProtectionState cmdlet, and then run the Import-HgsGuardian cmdlet.
D. On HGS1, run the Export-HgsKeyProtectionState cmdlet, and then run the Import-HgsGuardian cmdlet.
Answer: A
Explanation:
https://blogs.technet.microsoft.com/datacentersecurity/2016/06/06/step-by-step-creating-shielded-vms-without-vmm/
QUESTION 109
Your network contains an Active Directory domain named contoso.com.
All servers in the domain run Windows Server 2016. All client computers run Windows 10.
Your company has deployed the Local Administrator Password Solution (LAPS).
Client computers in the finance department are located in an organizational unit (OU) named
Finance.
Each finance computer has a custom administrative account named FinAdmin.
You discover that the FinAdmin accounts are not managed by LAPS.
You need to ensure that the FinAdmin accounts are managed by LAPS. What should you do?
A. On the finance computers, register the AdmPwd.ps Windows PowerShell module and then run the Reset-AdmPwdPassword cmdlet.
B. Modify the Password Policy in a Group Policy object (GPO).
C. Modify the LAPS settings in a Group Policy object (GPO).
D. On the finance computers, rename the FinAdmin accounts to Administrator.
Answer: C
Explanation:
Use the GPO setting "Name of administrator account to manage" to have LAPS manage a secondary administrative account that is not named "Administrator".
QUESTION 110
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named Administration that contains the computer account
of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU.
You need to log an event each time an Active Directory cmdlet is executed successfully from Server1.
What should you do?
A. From Advanced Audit Policy in GPO1, configure auditing for other privilege use events.
B. Run the Add-NetEventProvider -Name "Microsoft-Active-Directory" -MatchAnyKeyword
PowerShell command.
C. From Advanced Audit Policy in GPO1, configure auditing for directory service changes.
D. From Administrative Templates in GPO1, configure a Windows PowerShell policy.
Answer: D
Explanation:
In the following GPO location, you can enable the setting "Turn on Module Logging" to record an event each time PowerShell executes a cmdlet of a specific PowerShell module, for example "ActiveDirectory":
"Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell"
QUESTION 111
Your network contains an Active Directory domain named contoso.com.
The domain contains several shielded virtual machines.
You deploy a new server named Server1 that runs Windows Server 2016.
You install the Hyper-V server role on Server1.
You need to ensure that you can host shielded virtual machines on Server1.
What should you install on Server1?
A. Host Guardian Hyper-V Support
B. BitLocker Network Unlock
C. the Windows Biometric Framework (WBF)
D. VM Shielding Tools for Fabric Management
Answer: A
Explanation:
This question mentions "The domain contains several shielded virtual machines.", which indicates that a working Host Guardian Service deployment was completed.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-guarded-host-prerequisites
For a new Hyper-V server to utilize an existing Host Guardian Service, install "Host Guardian Hyper-V Support".
QUESTION 112
Your network contains an Active Directory forest named contoso.com.
All domain controllers run Windows Server 2016. Member servers run either Windows Server 2012 R2 or Windows Server 2016.
Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are
encrypted when they are transferred over the network.
Solution: You enable SMB encryption on all the computers in domain.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
SMB encryption can be enabled on a per-computer basis. After you have enabled SMB encryption at the server level, you cannot disable encryption for any specific shared folder.
To enable global-level encryption on the server:
Set-SmbServerConfiguration -EncryptData 1
QUESTION 113
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain
members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You enable deep script block logging for Windows PowerShell.
In which event log will PowerShell code that is generated dynamically appear?
A. Applications and Services Logs/Microsoft/Windows/PowerShell/Operational
B. Windows Logs/Security
C. Applications and Services Logs/Windows PowerShell
D. Windows Logs/Application
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to
log the invocation of cmdlets, PowerShell's scripting language has plenty of features that you might
want to log and/or audit. The new Detailed Script Tracing feature lets you enable detailed tracking
and analysis of Windows PowerShell scripting use on a system.
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW
(Event Tracing for Windows) event log, Microsoft-Windows-PowerShell/Operational. If a script
block creates another script block (for example, a script that calls the Invoke-Expression cmdlet
on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging
Group Policy setting (in Administrative Templates -> Windows Components -> Windows PowerShell).
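The following is an added example, not part of the original explanation or of Microsoft's documentation. It turns the setting on locally through the policy registry value and then reads event ID 4104 from the Microsoft-Windows-PowerShell/Operational log, joining multi-part records so that a dynamically generated script block can be reviewed whole. The function names and the marker string are hypothetical.

```powershell
# Added example; function names are hypothetical. Run in an elevated
# Windows PowerShell 5.x session on a lab machine.

# Policy location written by the "Turn on PowerShell Script Block Logging" setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$LogName   = 'Microsoft-Windows-PowerShell/Operational'

function Enable-LocalScriptBlockLogging {
    # Local equivalent of the Group Policy setting, for hosts not covered by a GPO.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'EnableScriptBlockLogging' `
        -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-LoggedScriptBlock {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [string]$Pattern = '.'      # regular expression matched against the full block text
    )

    # Event 4104 carries the script block text; long blocks are split over several records.
    $filter  = @{ LogName = $LogName; Id = 4104; StartTime = $Since }
    $records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $fields[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                ScriptBlockId = $fields['ScriptBlockId']
                MessageNumber = [int]$fields['MessageNumber']
                MessageTotal  = [int]$fields['MessageTotal']
                Path          = $fields['Path']
                Text          = $fields['ScriptBlockText']
            }
        }

    # Reassemble each block from its parts, in order, before matching.
    $records | Group-Object -Property ScriptBlockId | ForEach-Object {
        $parts = @($_.Group | Sort-Object -Property MessageNumber)
        $text  = ($parts | ForEach-Object { $_.Text }) -join ''
        if ($text -match $Pattern) {
            [pscustomobject]@{
                FirstSeen     = $parts[0].TimeCreated
                ScriptBlockId = $_.Name
                Path          = $parts[0].Path
                Complete      = ($parts.Count -eq $parts[0].MessageTotal)
                ScriptText    = $text
            }
        }
    }
}

# Demonstration with a harmless, constructed command assembled at run time.
Enable-LocalScriptBlockLogging
Invoke-Expression ("Write-" + "Output 'sbl-demo-marker'")

# Both the calling line and the block produced by Invoke-Expression are logged.
# If nothing is returned, load these functions in a new session and repeat the
# last two commands: a session that was already running may not apply the setting.
Get-LoggedScriptBlock -Since (Get-Date).AddMinutes(-5) -Pattern 'sbl-demo-marker' |
    Format-List FirstSeen, Complete, ScriptText
```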
QUESTION 114
Your network contains several Windows container hosts.
You plan to deploy three custom .NET applications.
You need to recommend a deployment solution for the applications.
Each application must:
- be accessible by using a different IP address.
- have access to a unique file system.
- start as quickly as possible.
What should you recommend? Choose Two.
A. Type of container: Hyper-V
B. Type of container: Windows
C. Number of containers: 1
D. Number of containers: 2
E. Number of containers: 3
Answer: BE
QUESTION 115
You implement Just Enough Administration (JEA) on several file servers that run Windows Server
2016.
The Role Capability file from a server named Server5 contains the following code.
Which action can be performed by a user who connects to Server5?
A. Create a new file share.
B. Modify the properties of any share.
C. Stop any process.
D. View the NTFS permissions of any folder.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
Focus on the third visible cmdlet entry in this question, 'SmbShare\Set-*'.
The PowerShell "SmbShare" module has the following "Set-*" cmdlets, as reported by the
"Get-Command -Module SmbShare" command:
The "Set-SmbShare" cmdlet is then visible on Server5's JEA endpoint, and allows JEA users to
modify the properties of any file share.
https://technet.microsoft.com/en-us/itpro/powershell/windows/smbshare/set-smbshare
QUESTION 116
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to
the corporate network.
Solution: You run the New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound -LocalPort
8080 -Protocol TCP -Action allow -Profile Domain command.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 117
Your network contains several secured subnets that are disconnected from the Internet.
One of the secured subnets contains a server named Server1 that runs Windows Server 2016.
You implement Log Analytics in Microsoft Operations Management Suite (OMS) for the servers
that connect to the Internet.
You need to ensure that Log Analytics can collect logs from Server1.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Install the OMS Log Analytics Forwarder on a server that has Internet connectivity.
B. Create an event subscription on a server that has Internet connectivity.
C. Create a scheduled task on Server1.
D. Install the OMS Log Analytics Forwarder on Server1.
E. Install Microsoft Monitoring Agent on Server1.
Answer: AE
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway
OMS Log Analytics Forwarder = OMS Gateway
If your IT security policies do not allow computers on your network to connect to the Internet,
such as point of sale (POS) devices, or servers supporting IT services, but you need to connect
them to OMS to manage and monitor them, they can be configured to communicate directly with
the OMS Gateway (previously called "OMS Log Analytics Forwarder") to receive configuration and
forward data on their behalf.
You also have to install Microsoft Monitoring Agent on Server1 to generate and send events to
the OMS Gateway, since Server1 does not have direct Internet connectivity.
QUESTION 118
Your network contains an Active Directory domain.
The domain contains two organizational units (OUs) named ProdOU and TestOU.
All production servers are in ProdOU. All test servers are in TestOU. A server named Server1 is
in TestOU.
You have a Windows Server Update Services (WSUS) server named WSUS1 that runs Windows
Server 2016.
All servers receive updates from WSUS1.
WSUS is configured to approve updates for computers in the Test computer group automatically.
Manual approval is required for updates to the computers in the Production computer group.
You move Server1 to ProdOU, and you discover that updates continue to be approved and
installed automatically on Server1.
You need to ensure that all the servers in ProdOU only receive updates that are approved
manually.
What should you do?
A. Turn off auto-restart for updates during active hours by using Group Policy objects (GPOs).
B. Configure client-side targeting by using Group Policy objects (GPOs).
C. Create computer groups by using the Update Services console.
D. Run wuauclt.exe /detectnow on each server after the server is moved to a different OU.
Answer: B
Explanation:
Updates in WSUS are approved against a "Computer Group", not AD OUs.
For this example, to prevent Server1 from installing automatically approved updates, you have to
remove Server1 from the "Test" computer group and add Server1 to the "Production" computer group
in the WSUS console, manually or by using the WSUS GPO Client-Side Targeting feature.
https://technet.microsoft.com/en-us/library/cc720450%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
With client-side targeting, you enable client computers to add themselves to the computer
groups you create in the WSUS console. You can enable client-side targeting through Group
Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active
Directory network environment) for the client computers. When the WSUS client computers
connect to the WSUS server, they will add themselves into the correct computer group. Client-side
targeting is an excellent option if you have many client computers and want to automate the
process of assigning them to computer groups.
First, configure WSUS to allow client-side targeting.
Secondly, configure a GPO that affects "ProdOU", so that Server1 adds itself to the "Production"
computer group.
https://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus
QUESTION 119
Your network contains an Active Directory domain named contoso.com.
The domain contains multiple servers that run multiple applications.
Domain user accounts are used to authenticate access requests to the servers.
You plan to prevent NTLM from being used to authenticate to the servers.
You start to audit NTLM authentication events for the domain.
You need to view all of the NTLM authentication events and to identify which applications
authenticate by using NTLM.
On which computers should you review the event logs and which logs should you review?
A. Computers on which to review the event logs: Only client computers
B. Computers on which to review the event logs: Only domain controllers
C. Computers on which to review the event logs: Only member servers
D. Event logs to review: Applications and Services Logs\Microsoft\Windows\Diagnostics-Networking\Operational
E. Event logs to review: Applications and Services Logs\Microsoft\Windows\NTLM\Operational
F. Event logs to review: Applications and Services Logs\Microsoft\Windows\SMBClient\Security
G. Event logs to review: Windows Logs\Security
H. Event logs to review: Windows Logs\System
Answer: AE
Explanation:
Do not confuse this with event ID 4776 recorded in the domain controller's Security event log!
This question asks about implementing NTLM auditing when domain clients are connecting to
member servers. See below for further information.
https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network-security-restrict-ntlmaudit-ntlm-authentication-in-this-domain
In lab testing, most of the NTLM audit logs are created on Windows 10 clients, unless you
use Windows Server 2016 as the client OS (but this is unusual).
QUESTION 120
Your company has an accounting department.
The network contains an Active Directory domain named contoso.com. The domain contains 10
servers.
You deploy a new server named Server11 that runs Windows Server 2016.
Server11 will host several network applications and network shares used by the accounting
department.
You need to recommend a solution for Server11 that meets the following requirements:
- Protects Server11 from address spoofing and session hijacking
- Allows only the computers in the accounting department to connect to
Server11
What should you recommend implementing?
A. AppLocker rules
B. Just Enough Administration (JEA)
C. connection security rules
D. Privileged Access Management (PAM)
Answer: C
Explanation:
In an IPsec connection security rule, the IPsec protocol verifies the sending host's IP address by
using integrity functions such as digitally signing all packets. If unsigned packets arrive at
Server11, they are possibly packets with a spoofed source address. When you use a connection
security rule in conjunction with inbound firewall rules, you can drop those unsigned packets with
the action "Allow connection if it is secure" to prevent spoofing and session hijacking attacks.
QUESTION 121
You have a Hyper-V host named Server1 that runs Windows Server 2016.
Server1 has a generation 2 virtual machine named VM1 that runs Windows 10.
You need to ensure that you can turn on BitLocker Drive Encryption (BitLocker) for drive C:
on VM1. What should you do?
A. From Server1, install the BitLocker feature.
B. From Server1, enable nested virtualization for VM1.
C. From VM1, configure the Require additional authentication at startup Group Policy setting.
D. From VM1, configure the Enforce drive encryption type on fixed data drives Group Policy setting.
Answer: C
Explanation:
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
If you don't use a TPM for protecting a drive, there is no Virtual TPM, VM Generation, or VM
Configuration version requirement; you can even use BitLocker without a TPM protector with
earlier versions of Windows.
How to Use BitLocker Without a TPM
You can bypass this limitation through a Group Policy change. If your PC is joined to a business
or school domain, you can't change the Group Policy setting yourself. Group policy is configured
centrally by your network administrator.
To open the Local Group Policy Editor, press Windows+R on your keyboard, type "gpedit.msc"
into the Run dialog box, and press Enter.
Navigate to Local Computer Policy > Computer Configuration > Administrative Templates >
Windows Components > BitLocker Drive Encryption > Operating System Drives in the left pane.
Double-click the "Require additional authentication at startup" option in the right pane.
Select "Enabled" at the top of the window, and ensure the "Allow BitLocker without a compatible
TPM (requires a password or a startup key on a USB flash drive)" checkbox is enabled here.
Click "OK" to save your changes. You can now close the Group Policy Editor window. Your change
takes effect immediately--you don't even need to reboot.
QUESTION 122
Your network contains an Active Directory forest named corp.contoso.com.
You are implementing Privileged Access Management (PAM) by using a bastion forest named
priv.contoso.com.
You need to create shadow groups in priv.contoso.com.
Which cmdlet should you use?
A. New-RoleGroup
B. New-ADGroup
C. New-PamRole
D. New-PamGroup
Answer: D
Explanation:
https://social.technet.microsoft.com/wiki/contents/articles/33363.mim-2016-privileged-access-managementpam-faq.aspx
https://docs.microsoft.com/en-us/powershell/identitymanager/mimpam/vlatest/new-pamgroup
QUESTION 123
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
The Microsoft Advanced Threat Analytics (ATA) Center service is installed on Server1.
The domain contains the users shown in the following table.
You are installing ATA Gateway on Server2.
You need to specify a Gateway Registration account.
Which account should you use?
A. User1
B. User2
C. User3
D. User4
E. User5
F. User6
G. User7
H. User8
Answer: F
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-role-groups
The user who installed ATA will be able to access the management portal (ATA Center) as
a member of the "Microsoft Advanced Threat Analytics Administrators" local group on the ATA
Center server.
QUESTION 124
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
A user named User1 is a member of the local Administrators group.
Server1 has the AppLocker rules configured as follows:
Rule1 and Rule2 are configured as shown in the following table:
You verify that User1 is unable to run App2.exe on Server1.
Which changes will allow User1 to run D:\Folder1\Program.exe and
D:\Folder2\App2.exe? Choose Two.
A. User1 can run D:\Folder1\Program.exe if Program.exe is moved to another folder
B. User1 can run D:\Folder1\Program.exe if Program.exe is renamed
C. User1 can run D:\Folder1\Program.exe if Program.exe is updated
D. User1 can run D:\Folder2\App2.exe if App2.exe is moved to another folder
E. User1 can run D:\Folder2\App2.exe if App2.exe is renamed
F. User1 can run D:\Folder2\App2.exe if App2.exe is upgraded
Answer: AF
Explanation:
https://technet.microsoft.com/en-us/library/ee449492(v=ws.11).aspx
"D:\Folder1\Program.exe" is originally explicitly denied by Rule1. When "Program.exe" is moved
out of "D:\Folder1", it no longer matches Rule1. Assume that "Program.exe" is moved to
"D:\Folder2": it then matches an explicit Allow rule for the group "BUILTIN\Administrators",
which User1 is a member of, therefore A is correct.
"App2.exe" matches an explicit Deny rule based on its file hash (created from the file content).
No matter where you move it to, or how you rename it, it would still match Rule2. Only changing
the file content of App2.exe would let it no longer match the explicit deny hash-based rule
"Rule2". Upgrading its version and content generates a new hash, so F is correct.
QUESTION 125
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Gateway on a server named Server1.
To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect
events.
You need to configure the query filter for event subscriptions on Server1.
How should you configure the query filter? Choose two
A. Event log to configure: Application
B. Event log to configure: Directory Services
C. Event log to configure: Security
D. Event log to configure: System
E. Event ID to include: 1000
F. Event ID to include: 1009
G. Event ID to include: 1025
H. Event ID to include: 4776
I. Event ID to include: 4997
Answer: CH
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
To enhance detection capabilities, ATA needs the following Windows events: 4776, 4732, 4733,
4728, 4729, 4756, 4757. These can either be read automatically by the ATA Lightweight Gateway
or, in case the ATA Lightweight Gateway is not deployed, they can be forwarded to the ATA Gateway
in one of two ways: by configuring the ATA Gateway to listen for SIEM events or by configuring
Windows Event Forwarding.
Event ID: 4776 NTLM authentication is being used against domain controller
Event ID: 4732 A User is Added to Security-Enabled DOMAIN LOCAL Group
Event ID: 4733 A User is removed from Security-Enabled DOMAIN LOCAL Group
Event ID: 4728 A User is Added or Removed from Security-Enabled Global Group
Event ID: 4729 A User is Removed from Security-Enabled GLOBAL Group
Event ID: 4756 A User is Added or Removed From Security-Enabled Universal Group
Event ID: 4757 A User is Removed From Security-Enabled Universal Group
QUESTION 126
Your network contains an Active Directory domain named contoso.com.
The domain contains 10 computers that are in an organizational unit (OU) named OU1.
You deploy the Local Administrator Password Solution (LAPS) client to the computers.
You link a Group Policy object (GPO) named GPO1 to OU1, and you configure the LAPS
password policy settings in GPO1.
You need to ensure that the administrator passwords on the computers in OU1 are managed by
using LAPS.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Restart the domain controller that hosts the PDC emulator role.
B. Update the Active Directory Schema.
C. Enable LDAP encryption on the domain controllers.
D. Restart the computers.
E. Modify the permissions on OU1.
Answer: BE
QUESTION 127
Your network contains an Active Directory domain named contoso.com.
You plan to deploy an application named App1.exe.
You need to verify whether Control Flow Guard is enabled for App1.exe.
Which command should you run?
A. Dumpbin.exe /dependents /loadconfig App1.exe
B. Dumpbin.exe /headers /loadconfig App1.exe
C. Dumpbin.exe /relocations /loadconfig App1.exe
D. Dumpbin.exe /symbols /loadconfig App1.exe
E. Sfc.exe /dependents /loadconfig App1.exe
F. Sfc.exe /headers /loadconfig App1.exe
G. Sfc.exe /relocations /loadconfig App1.exe
H. Sfc.exe /symbols /loadconfig App1.exe
I. Sigverif.exe /dependents /loadconfig App1.exe
J. Sigverif.exe /headers /loadconfig App1.exe
K. Sigverif.exe /relocations /loadconfig App1.exe
L. Sigverif.exe /symbols /loadconfig App1.exe
M. Verifier.exe /dependents /loadconfig App1.exe
N. Verifier.exe /headers /loadconfig App1.exe
O. Verifier.exe /relocations /loadconfig App1.exe
P. Verifier.exe /symbols /loadconfig App1.exe
Answer: B
Explanation:
https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to
combat memory corruption vulnerabilities. By placing tight restrictions on where an application can
execute code from, it makes it much harder for exploits to execute arbitrary code through
vulnerabilities such as buffer overflows.
To verify if Control Flow Guard is enabled for a certain application executable:
Run the dumpbin.exe tool (included in the Visual Studio 2015 installation) from the Visual Studio
command prompt with the /headers and /loadconfig options: dumpbin.exe /headers /loadconfig test.exe.
The output for a binary under CFG should show that the header values include "Guard", and that
the load config values include "CF Instrumented" and "FID table present".
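The following is an added example, not part of the original explanation. On a server where Visual Studio and dumpbin.exe are not installed, the "Guard" header value can be read directly from the PE optional header, where it is the 0x4000 bit (IMAGE_DLLCHARACTERISTICS_GUARD_CF) of the DllCharacteristics field. The function name Test-ControlFlowGuard is hypothetical, and the check covers only the header flag, not the load config values that /loadconfig reports.

```powershell
# Added example; the function name is hypothetical.
function Test-ControlFlowGuard {
    param([Parameter(Mandatory)][string]$Path)

    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($file)

    # DOS header: 'MZ' signature, then e_lfanew at offset 0x3C points to the PE header.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$file is not a PE image (no MZ signature)."
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)

    # Need the 4-byte signature, the 20-byte COFF header and at least
    # the first 72 bytes of the optional header.
    if ($peOffset -lt 0 -or ($peOffset + 4 + 20 + 72) -gt $bytes.Length) {
        throw "$file has a truncated or invalid PE header."
    }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # 'PE\0\0'
        throw "$file has no PE signature."
    }

    # The optional header follows the signature and the COFF file header.
    $optOffset = $peOffset + 4 + 20
    $magic     = [BitConverter]::ToUInt16($bytes, $optOffset)
    if ($magic -ne 0x10B -and $magic -ne 0x20B) {
        throw "$file has an unknown optional header magic."
    }

    # DllCharacteristics is at offset 70 of the optional header for PE32 and PE32+ alike.
    $dllChars = [BitConverter]::ToUInt16($bytes, $optOffset + 70)

    [pscustomobject]@{
        Path               = $file
        Format             = if ($magic -eq 0x20B) { 'PE32+' } else { 'PE32' }
        DllCharacteristics = '0x{0:X4}' -f $dllChars
        HighEntropyVA      = [bool]($dllChars -band 0x0020)
        DynamicBase        = [bool]($dllChars -band 0x0040)   # ASLR
        NXCompat           = [bool]($dllChars -band 0x0100)   # DEP
        GuardCF            = [bool]($dllChars -band 0x4000)   # the "Guard" header value
    }
}

# Audit every executable in a folder before deployment (path is an example).
Get-ChildItem -Path "$env:WINDIR\System32" -Filter '*.exe' -File |
    ForEach-Object {
        try { Test-ControlFlowGuard -Path $_.FullName } catch { Write-Warning $_.Exception.Message }
    } |
    Sort-Object GuardCF |
    Format-Table Path, Format, DynamicBase, NXCompat, GuardCF -AutoSize
```

For a single file such as the App1.exe in the question, call Test-ControlFlowGuard -Path .\App1.exe and check that GuardCF is True.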
QUESTION 128
Your network contains an Active Directory domain named contoso.com.
The domain contains 10 servers that run Windows Server 2016 and 800 client computers that run
Windows 10.
You need to configure the domain to meet the following requirements:
- Users must be locked out from their computer if they enter an
incorrect password twice.
- Users must only be able to unlock a locked account by using a one-
time password that is sent to their mobile phone.
You deploy all the components of Microsoft Identity Manager (MIM) 2016.
Which three actions should you perform before you deploy the MIM add-ins and extensions?
Each correct answer presents part of the solution.
A. From a Group Policy object (GPO), configure Public Key Policies
B. Deploy a Multi-Factor Authentication provider and copy the required certificates to the MIM
server.
C. From the MIM Portal, configure the Password Reset AuthN Workflow.
D. Deploy a Multi-Factor Authentication provider and copy the required certificates to the client
computers.
E. From a Group Policy object (GPO), configure Security Settings.
Answer: BCE
Explanation:
- Users must be locked out from their computer if they enter an incorrect password twice. (E)
- Users must only be able to unlock a locked account by using a one-time password that is sent to
their mobile phone. (B and C), detailed configuration process in the following web page.
https://docs.microsoft.com/en-us/microsoft-identity-manager/working-with-self-service-passwordreset#prepare-mim-to-work-with-multi-factor-authentication
QUESTION 129
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that you can encrypt the operating system drive of VM1 by using BitLocker.
Which Group Policy should you configure?
A. Configure use of hardware-based encryption for operating system drives
B. Configure TPM platform validation profile for native UEFI firmware configurations
C. Require additional authentication at startup
D. Configure TPM platform validation profile for BIOS-based firmware configurations
Answer: C
Explanation:
As there is no choice for "Enabling Virtual TPM for the virtual machine VM1", we have to use
a fallback method for enabling BitLocker in VM1.
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
QUESTION 130
The Job Title attribute for a domain user named User1 has a value of Sales Manager.
User1 runs whoami /claims and receives the following output:
Kerberos support for Dynamic Access Control on this device has been disabled.
You need to ensure that the security token of User1 has a claim for Job Title.
What should you do?
A. From Windows PowerShell, run the New-ADClaimTransformPolicy cmdlet and specify the -Name
parameter
B. From Active Directory Users and Computers, modify the properties of the User1 account.
C. From Active Directory Administrative Center, add a claim type.
D. From a Group Policy object (GPO), configure KDC support for claims, compound authentication,
and Kerberos armoring.
Answer: C
Explanation:
From the output, obviously, a claim type is missing (or disabled) so that the domain controller is
not issuing tickets with the "Job Title" claim type.
QUESTION 131
Your network contains an Active Directory domain named contoso.com.
You deploy a server named Server1 that runs Windows Server 2016. Server1 is in a workgroup.
You need to collect the logs from Server1 by using Log Analytics in Microsoft Operations
Management Suite (OMS).
What should you do first?
A. Join Server1 to the domain.
B. Create a Data Collector Set.
C. Install Microsoft Monitoring Agent on Server1.
D. Create an event subscription.
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
You need to install and connect Microsoft Monitoring Agent for all of the computers that you
You can install the OMS MMA on stand-alone computers, servers, and virtual machines.
QUESTION 132
Your network contains an Active Directory domain named contoso.com.
The domain contains two DNS servers that run Windows Server 2016.
The servers host two zones named contoso.com and admin.contoso.com.
You sign both zones.
You need to ensure that all client computers in the domain validate the zone records when they
query the zone.
What should you deploy?
A. a Microsoft Security Compliance Manager (SCM) policy
B. a zone transfer policy
C. a Name Resolution Policy Table (NRPT)
D. a connection security rule
Answer: C
Explanation:
You should use a Group Policy NRPT to have the DNS client perform DNSSEC validation of DNS
zone records.
QUESTION 133
Your network contains an Active Directory domain named contoso.com.
The domain contains two global groups named Group1 and Group2.
A user named User1 is a member of Group1.
You have an organizational unit (OU) named OU1 that contains the computer accounts of
computers that contain sensitive data.
A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account
named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table.
You need to prevent User1 from signing in to Computer1. What should you do?
A. From Default Domain Policy, modify the Allow log on locally user right
B. On Computer1, modify the Deny log on locally user right.
C. From Default Domain Policy, modify the Deny log on locally user right
D. Remove User1 to Group2.
Answer: D
Explanation:
https://technet.microsoft.com/en-us/library/cc957048.aspx
"Deny log on locally"
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users are prevented from logging on at the computer.
This policy setting supersedes the Allow log on locally policy setting if an account is
subject to both policies.
Therefore, adding User1 to Group2 will make User1 subject to both policies, which then prevents
User1 from signing in to Computer1.
QUESTION 134
You are creating a Nano Server image for the deployment of 10 servers.
You need to configure the servers as guarded hosts that use Trusted Platform Module (TPM)
attestation.
Which three packages should you include in the Nano Server image? Each correct answer
presents part of the solution.
A. Microsoft-NanoServer-SecureStartup-Package
B. Microsoft-NanoServer-ShieldedVM-Package
C. Microsoft-NanoServer-Storage-Package
D. Microsoft-NanoServer-SCVMM-Compute-Package
E. Microsoft-NanoServer-SCVMM-Package
F. Microsoft-NanoServer-Compute-Package
Answer: ABF
Explanation:
https://docs.microsoft.com/en-us/system-center/vmm/guarded-deploy-host?toc=/windows-server/virtualization/toc.json
For an SCVMM-managed Nano Server Hyper-V case:
If your host is a Nano Server Hyper-V host, it should have the Compute, SCVMM-Package,
SCVMM-Compute, SecureStartup, and ShieldedVM packages installed.
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server
For a standalone Nano Server Hyper-V host, no SCVMM-related packages are required;
only the Compute, SecureStartup, and ShieldedVM packages are required.
This table shows the roles and features that are available in this release of Nano Server, along
with the Windows PowerShell options that will install the packages for them. Some packages are
installed directly with their own Windows PowerShell switches (such as -Compute); others you
install by passing package names to the -Package parameter, which you can combine in a
comma-separated list.
You can dynamically list available packages using the Get-NanoServerPackage cmdlet.
QUESTION 135
You plan to enable Credential Guard on four servers.
Credential Guard secrets will be bound to the TPM.
The servers run Windows Server 2016 and are configured as shown in the following table.
On which of the above servers could you enable Credential Guard?
A. Server1
B. Server2
C. Server3
D. Server4
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements
Hardware and software requirements
To provide basic protections against OS level attempts to read Credential Manager domain
credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
QUESTION 136
Your network contains an Active Directory domain named contoso.com.
The domain contains servers that run
Windows Server 2016.
You enable Remote Credential Guard on a server named Server1.
You have an administrative computer named Computer1 that runs Windows 10.
Computer1 is configured to require Remote Credential Guard.
You sign in to Computer1 as Contoso\User1.
You need to establish a Remote Desktop session to Server1 as Contoso\ServerAdmin1.
What should you do first?
A. Install the Universal Windows Platform (UWP) Remote Desktop application
B. Turn on virtualization based security
C. Run the mstsc.exe /remoteGuard
D. Sign in to Computer1 as Contoso\ServerAdmin1
Answer: D
Explanation:
When Computer1 is configured to require Remote Credential Guard, you cannot use NTLM
authentication to specify (or impersonate) another user account when connecting to Server1.
Therefore, you have to sign in to Computer1 as "ServerAdmin1" and use Kerberos for
authenticating to the RDP server "Server1" when Remote Credential Guard is required.
QUESTION 137
You have two computers configured as shown in the following table.
You need to ensure that the credentials that you use to establish Remote Desktop sessions from
Client1 to Server1 are protected by using Remote Credential Guard.
A. Join Client1 to the domain.
B. Remove Server1 from the domain.
C. Upgrade Server1 to Windows Server 2016 Datacenter.
D. Upgrade Client1 to Windows 10 Enterprise.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
QUESTION 138
Your data center contains 10 Hyper-V hosts that host 100 virtual machines.
You plan to secure access to the virtual machines by using the Datacenter Firewall service.
You have four servers available for the Datacenter Firewall service.
The servers are configured as shown in the following table.
You need to install the required server roles for the planned deployment.
Which server role should you deploy? Choose Two.
A. Server role to deploy: Multipoint Services
B. Server role to deploy: Network Controller
C. Server role to deploy: Network Policy and Access Services
D. Servers on which to deploy the server role: Server20 and Server21
E. Servers on which to deploy the server role: Server22 and Server23
Answer: BE
Explanation:
Datacenter Firewall is a new service included with Windows Server 2016. It is a network layer,
5-tuple (protocol, source and destination port numbers, source and destination IP addresses),
stateful, multitenant firewall. When deployed and offered as a service by the service provider,
tenant administrators can install and configure firewall policies to help protect their virtual networks
from unwanted traffic originating from Internet and intranet networks.
https://docs.microsoft.com/en-us/windows-server/networking/sdn/technologies/network-controller/networkcontroller
Network Controller Features
The following Network Controller features allow you to configure and manage virtual and physical
network devices and services.
i) Firewall Management (Datacenter Firewall)
ii) Software Load Balancer Management
iii) Virtual Network Management
iv) RAS Gateway Management
https://docs.microsoft.com/en-us/windows-server/networking/sdn/plan/installation-and-preparationrequirements-for-deploying-network-controller
Installation requirements
Following are the installation requirements for Network Controller.
For Windows Server 2016 deployments, you can deploy Network Controller on one or more
computers, one or more VMs, or a combination of computers and VMs.
All VMs and computers planned as Network Controller nodes must be running Windows Server 2016
Datacenter edition.
QUESTION 139
Your network contains an Active Directory domain named contoso.com. All client computers run
Windows 10.
You plan to deploy a Remote Desktop connection solution for the client computers.
You have four available servers in the domain that can be configured as Remote Desktop
servers. The servers are configured as shown in the following table.
You need to ensure that all Remote Desktop connections can be protected by using Remote
Credential Guard.
Solution: You deploy the Remote Desktop connection solution by using Server3.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Yes, since all client computers run Windows 10, and Server2 is Windows Server 2016 which
fulfills the following requirements of using Remote Credential Guard.
https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
Remote Credential Guard requirements
To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host
must meet the following requirements:
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's
signed-in credentials. This requires the user's account be able to sign in to both the client
device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal
Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to
a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential
Guard does not allow NTLM fallback because this would expose credentials to risk.
The Remote Desktop remote host:
- Must be running at least Windows 10, version 1607 or Windows Server 2016.
- Must allow Restricted Admin connections.
- Must allow the client's domain user to access Remote Desktop connections.
- Must allow delegation of non-exportable credentials.
QUESTION 140
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016. The forest contains 2,000 client computers that run
Windows 10.
All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs).
The solution must ensure that administrators can access several client applications used by all
users.
Solution: You deploy one physical computer and configure it as a Hyper-V host that runs
Windows Server 2016.
You create 10 virtual machines and configure each one as a PAW.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
It is a violation of the clean source principle to run a PAW as a VM, irrespective of whether the
host is Windows 10 or Server 2016. You always run the PAW as the host OS, then use a VM for
everyday use.
QUESTION 141
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain
members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to prepare the environment to support applying Update1 to the laptops only.
What should you do? Choose Two.
A. Tool to use: Active Directory Administrative Center
B. Tool to use: Active Directory Users and Computers
C. Tool to use: Microsoft Intune
D. Tool to use: Update Services
E. Type of object to create: A computer group
F. Type of object to create: A distribution group
G. Type of object to create: A mobile device group
H. Type of object to create: A security group
I. Type of object to create: An OU
Answer: DE
Explanation:
https://technet.microsoft.com/en-us/library/cc708458(v=ws.10).aspx
QUESTION 142
You have a Hyper-V host named Hyperv1 that has a virtual machine named FS1.
FS1 is a file server that contains sensitive data.
You need to secure FS1 to meet the following requirements:
- Prevent console access to FS1.
- Prevent data from being extracted from the VHDX file of FS1.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Enable BitLocker Drive Encryption (BitLocker) for all the volumes on FS1
B. Disable the virtualization extensions for FS1
C. Disable all the Hyper-V integration services for FS1
D. On Hyperv1, enable BitLocker Drive Encryption (BitLocker) for the drive that contains the VHDX
file for FS1.
E. Enable shielding for FS1
Answer: DE
QUESTION 143
Your network contains an Active Directory domain named contoso.com.
The domain contains 1,000 client computers that run either Windows 8.1 or Windows 10.
You have a Windows Server Update Services (WSUS) deployment.
All client computers receive updates from WSUS.
You deploy a new WSUS server named WSUS2.
You need to configure all of the client computers that run Windows 10 to send WSUS reporting
data to WSUS2.
What should you configure?
A. an approval rule
B. a computer group
C. a Group Policy object (GPO)
D. a synchronization rule
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/cc708574(v=ws.10).aspx
Under "Set the intranet update service for detecting updates", type http://wsus:8530
Under "Set the intranet statistics server", type http://wsus2:8531
QUESTION 144
Your network contains an Active Directory domain named contoso.com.
All client computers run Windows 10.
You plan to deploy a Remote Desktop connection solution for the client computers.
You have four available servers in the domain that can be configured as Remote Desktop
servers.
The servers are configured as shown in the following table.
You need to ensure that all Remote Desktop connections can be protected by using Remote
Credential Guard.
Solution: You deploy the Remote Desktop connection solution by using Server4.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
No, as Server4 is a Windows Server 2012 R2 which does not meet the requirements of Remote
Credential Guard.
https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
Remote Credential Guard requirements
To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host
must meet the following requirements:
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's
signed-in credentials. This requires the user's account be able to sign in to both the client
device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal
Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to
a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential
Guard does not allow NTLM fallback because this would expose credentials to risk.
The Remote Desktop remote host:
- Must be running at least Windows 10, version 1607 or Windows Server 2016.
- Must allow Restricted Admin connections.
- Must allow the client's domain user to access Remote Desktop connections.
- Must allow delegation of non-exportable credentials.
QUESTION 145
You have the Windows Server 2016 operating system images shown in the following table.
Your company's security policy states that you must minimize the attack surface when
provisioning new servers.
You need to deploy a Host Guardian Service cluster.
Which image should you use for the deployment?
A. image1
B. image2
C. image3
D. image4
Answer: C
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricprepare-for-hgs
Prerequisites
Hardware: HGS can be run on physical or virtual machines, but physical machines are
recommended. If you want to run HGS as a three-node physical cluster (for availability), you
must have three physical servers. (As a best practice for clustering, the three servers should have
very similar hardware.)
Operating system: Windows Server 2016, Standard or Datacenter edition.
<--- so you cannot use Server Core or Nano Server for running Host Guardian Service.
Server Roles: Host Guardian Service and supporting server roles.
Configuration permissions/privileges for the fabric (host) domain: You will need to configure DNS
forwarding between the fabric (host) domain and the HGS domain. If you are using Admin-trusted
attestation (AD mode), you will need to configure an Active Directory trust between the fabric
domain and the HGS domain.
QUESTION 146
You have a server named Server1 that runs Windows Server 2016.
You need to identify the default action for the inbound traffic when Server1 connects to the
domain.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallApplicationFilter
Answer: C
QUESTION 147
You have a Hyper-V host named Server1 that runs Windows Server 2016.
Server1 hosts the virtual machines configured as shown in the following table.
All the virtual machines have two volumes named C and D.
You plan to implement BitLocker Drive Encryption (BitLocker) on the virtual machines.
Which virtual machines can have their volumes protected by using BitLocker? Choose Two.
A. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform
Module (TPM) protector: VM3 only
B. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform
Module (TPM) protector: VM1 and VM3 only
C. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform
Module (TPM) protector: VM2 and VM3 only
D. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform
Module (TPM) protector: VM2 and VM4 only
E. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform
Module (TPM) protector: VM2, VM3 and VM4 only
F. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform
Module (TPM) protector: VM1, VM2, VM3 and VM4
G. Virtual machines that can have volume D protected by using BitLocker: VM3 only
H. Virtual machines that can have volume D protected by using BitLocker: VM1 and VM3 only
I. Virtual machines that can have volume D protected by using BitLocker: VM2 and VM3 only
J. Virtual machines that can have volume D protected by using BitLocker: VM2 and VM4 only
K. Virtual machines that can have volume D protected by using BitLocker: VM2, VM3 and VM4 only
L. Virtual machines that can have volume D protected by using BitLocker: VM1, VM2, VM3 and VM4
Answer: AG
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/upgrade-virtual-machine-versionin-hyper-v-on-windows-or-windows-server
To use a Virtual TPM protector for encrypting the C: drive, you have to use at least VM Configuration
Version 7.0 and Generation 2 virtual machines.
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
If you don't use TPM for protecting a drive, there is no such Virtual TPM, VM Generation, or VM
Configuration version requirement; you can even use BitLocker without a TPM protector with earlier
versions of Windows.
QUESTION 148
Your network contains an Active Directory domain named contoso.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
Server1 has a shared folder named Share1.
You plan to create a subfolder in Share1 for each domain user.
You need to limit each user to using 100 MB of data in their respective subfolder.
The solution must enable the users to be notified when they use 80 percent of the available
space in the subfolder.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: H
Explanation:
https://4sysops.com/archives/file-server-resource-manager-fsrm-part-3-quota-management/
QUESTION 149
Your network contains an Active Directory domain named contoso.com.
The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You need to view the password of the local administrator of a server named Server5.
Which tool should you use?
A. Active Directory Users and Computers
B. Computer Management
C. Accounts from the Settings app
D. Server Manager
Answer: A
Explanation:
Use "Active Directory Users and Computers" to view the value of the "ms-Mcs-AdmPwd" attribute
of the Server5 computer account.
https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-lapsimplementation-hints-and-security-nerd-commentaryincludingmini-threat-model/
QUESTION 150
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From Windows PowerShell, you run the New-ADAuthenticationPolicy cmdlet.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
AD DS authentication policies do not provide the ability to prevent the use of NTLM authentication.
QUESTION 151
You have a server named Server1 that runs Windows Server 2016.
You need to install Security Compliance Manager (SCM) 4.0 on Server1.
What should you install on Server1 first?
A. the .NET Framework 3.5 Features feature
B. the Active Directory Rights Management Services server role
C. the Remote Server Administration Tools feature
D. the Group Policy Management feature
Answer: A
QUESTION 152
Your network contains an Active Directory domain named contoso.com.
The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You discover that the members of a group named FinanceAdministrators can view the password
of the local Administrator accounts on the servers in an organizational unit (OU) named
FinanceServers.
You need to prevent the FinanceAdministrators members from viewing the local administrators'
passwords on the servers in FinanceServers.
Which permission should you remove from FinanceAdministrators?
A. List contents
B. All extended rights
C. Read all properties
D. Read permissions
Answer: B
Explanation:
https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-lapsimplementation-hints-and-security-nerd-commentaryincludingmini-threat-model/
Access to the password is granted via the "Control Access" right on the attribute.
Control Access is an "Extended Right" in Active Directory, which means if a user has been granted
the "All Extended Rights" permission they'll be able to see passwords even if you didn't give them
permission.
QUESTION 153
Hotspot Question
You have a Hyper-V host named Server1 that runs Windows Server 2016.
A new security policy states that all the virtual machines must be encrypted.
Server1 hosts the virtual machines configured as shown in the following table.
An administrator runs the following commands.
Get-VM | Stop-VM
Get-VM | Update-VMVersion
Get-VM | Start-VM
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
You can configure VM1 as an encryption-supported virtual machine: Yes
You can configure VM2 as an encryption-supported virtual machine: Yes
You can configure VM3 as an encryption-supported virtual machine: Yes
After the "Update-VMVersion" is executed against all three virtual machines, they become:
- VM1: Generation 2, Version 8
- VM2: Generation 1, Version 8
- VM3: Generation 2, Version 8
Pay attention to VM2: the question does not mention using a TPM protector.
You can configure this VM as Encryption Supported by using a Key Storage Drive added to the
virtual machine settings.
Within the guest, there is no Virtual TPM.
Then, start encrypting the C system drive with the guest 2012 R2 BitLocker feature.
After the encryption is completed:-
QUESTION 154
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains the computers configured as shown in the following table.
Server1 has a share named Share1 with the following configurations:-
Server1, Computer1, and Computer2 have the connection security rules configured as shown
below:
Please select the correct statements below:
Answer:
Explanation:
When Computer1 accesses Share1, SMB encryption will be used: YES
When Computer2 accesses Share1, SMB encryption will be used: YES
When Server1 accesses a shared folder on Computer1, IPsec encryption will be used: NO
The shared folder "Share1" is configured with "EncryptData : True", so no matter which network the
client resides on, SMB 3 communication will be encrypted.
When Server1 accesses Computer1 over the network, the original packet L3 IP header is as
follows: 172.16.1.30 -> 172.16.10.60
This traffic does not match the enabled IPsec rules "Rule2" or "Rule3", and the only matching
rule, "Rule1", is disabled. So, no IPsec encryption will be achieved.
QUESTION 155
Hotspot Question
You have 100 computers that run Windows 10 and are members of a workgroup.
You need to configure Windows Defender to meet the following requirements:
- Exclude C:\Sales\Salesdb from malware scans.
- Configure a full scan to occur daily.
What should you run to meet each requirement?
Answer:
Explanation:
Exclude C:\Sales\Salesdb from malware scans: Set-MpPreference
Configure a full scan to occur daily: Set-MpPreference
https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
Set-MpPreference -ExclusionPath C:\Sales\Salesdb
Set-MpPreference -RemediationScheduleDay Everyday
QUESTION 156
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
You need to install Microsoft Advanced Threat Analytics (ATA) on Server1 and Server2.
Which four actions should you perform in sequence?
Answer:
Explanation:
Correct Order of Actions:
1. Install ATA Center (on Server1 for example)
2. Install ATA Gateway (on Server2 for example, if Server2 has internet connectivity)
3. Set the ATA Gateway configuration settings. (Register Server2 ATA Gateway to Server1's ATA Center)
4. Install the ATA Lightweight Gateway.
Since there is no switch-based port mirroring choice to capture the domain controllers' inbound and
outbound traffic, installing ATA Lightweight Gateway on DCs to forward security related events to
ATA Center is necessary.
QUESTION 157
Hotspot Question
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of
application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing
department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to create an Encrypting File System (EFS) data recovery certificate and then add the
certificate as an EFS data recovery agent on Server5.
What should you use on Server5? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
To create the EFS data recovery certificate: Cipher
To add the certificate as an EFS data recovery agent: Local Group Policy Editor
https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verifyan-efs-dra-certificate
cipher /R
QUESTION 158
Drag and Drop Question
Your network contains an Active Directory domain.
You install Security Compliance Manager (SCM) 4.0 on a server that runs Windows Server 2016.
You need to modify a baseline, and then make the baseline available as a domain policy.
Which four actions should you perform in sequence?
Answer:
QUESTION 159
Hotspot Question
You have 10 Hyper-V hosts that run Windows Server 2016.
Each Hyper-V host has eight virtual machines that run a distributed web application named App1.
You plan to implement a Software Load Balancing (SLB) solution for client access to App1.
You deploy two new virtual machines named SLB1 and SLB2.
You need to install the required components on the Hyper-V hosts and the new servers for the
planned implementation.
Which components should you install? Select the appropriate options in the selection area.
Answer:
Explanation:
Component to install on SLB1 and SLB2: SLB Multiplexer (MUX)
Component to install on each Hyper-V host: SLB Host Agent
https://blogs.technet.microsoft.com/tip_of_the_day/2016/06/28/tip-of-the-day-demystifying-software-definednetworking-terms-the-components/
https://technet.microsoft.com/en-us/library/mt632286.aspx
SLB Host Agent - When you deploy SLB, you must use System Center, Windows PowerShell, or
another management application to deploy the SLB Host Agent on every Hyper-V host
computer. You can install the SLB Host Agent on all versions of Windows Server 2016 that
provide Hyper-V support, including Nano Server.
SLB MUX - Part of the Software Load Balancer (SLB) on Windows Server 2016, the SLB MUX
processes inbound network traffic and maps VIPs (virtual IPs) to DIPs (datacenter IPs), then
forwards the traffic to the correct DIP. Each MUX also uses BGP to publish VIP routes to edge
routers. BGP Keep Alive notifies MUXes when a MUX fails, which allows active MUXes to
redistribute the load in case of a MUX failure - essentially providing load balancing for the
load balancers.
QUESTION 160
Drag and Drop Question
You configure Just Enough Administration (JEA).
You need to ensure that a non-administrator user can perform the following actions:
- Restart Internet Information Services (IIS)
- Restart a custom service named Service1.
How should you complete the role configuration file? To answer, select the appropriate options in
the answer area.
Answer:
Explanation:
VisibleExternalCommands = 'C:\Windows\system32\iisreset.exe'
VisibleCmdlets = @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Service1' } }
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
QUESTION 161
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a
computer named Computer1 that runs Windows 10. Computer1 connects to a home network and
a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management, you create an AppLocker rule.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx
QUESTION 162
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to
return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a
computer named Computer1 that runs Windows 10. Computer1 connects to a home network and
a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management, you create a software restriction policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx
QUESTION 163
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2016.
Server1 has a volume named Volume1.
A central access policy named Policy1 is deployed to the domain.
You need to apply Policy1 to Volume1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-#BKMK_1.4
QUESTION 164
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All domain controllers run
Windows Server 2016. Member servers run either Windows Server 2012 R2 or Windows Server
2016. Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are
encrypted when they are transferred over the network.
Solution: You disable SMB 1.0 on all the computers in the domain, and then you enable the
Encrypt data access option on each file share.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 165
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On Server1, you enable the Containers feature, and then you install the PowerShell for
Docker module. You restart the server.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploy-
containers-on-server
QUESTION 166
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On Server1, you enable the Containers feature, and then you install the Hyper-V server
role. You restart the server.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploy-
containers-on-server
QUESTION 167
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On Server1, you enable the Containers feature, and then you restart the server.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploy-
containers-on-server
QUESTION 168
Your network contains an Active Directory domain named contoso.com. The domain contains a
certification authority (CA).
You need to implement code integrity policies and sign them by using certificates issued by the
CA.
You plan to use the same certificate to sign policies on multiple computers. You duplicate the
Code Signing certificate template and name the new template CodeIntegrity.
How should you configure the CodeIntegrity template?
A. Enable the Allow private key to be exported setting and modify the Key Usage extension.
B. Disable the Allow private key to be exported setting and modify the Application Policies extension.
C. Disable the Allow private key to be exported setting and disable the Basic Constraints extension.
D. Enable the Allow private key to be exported setting and enable the Basic Constraints extension.
Answer: D
Explanation:
https://blogs.technet.microsoft.com/ukplatforms/2017/05/04/create-code-integrity-signing-
certificate/
QUESTION 169
Your network contains an Active Directory domain named contoso.com. The domain contains 100
servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You discover that the members of a group named FinanceAdministrators can view the password
of the local Administrator accounts on the servers in an organizational unit (OU) named
FinanceServers.
You need to prevent the FinanceAdministrators members from viewing the local administrators'
passwords on the servers in FinanceServers. Which permission should you remove from
FinanceAdministrators?
A. all extended rights
B. read all properties
C. read permissions
D. list contents
Answer: A
Explanation:
https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-
active-directory/
QUESTION 170
You have a file server named FS1 that runs Windows Server 2016.
You plan to disable SMB 1.0 on the server.
You need to verify which computers access FS1 by using SMB 1.0.
What should you run first?
A. Debug-FileShare
B. Set-FileShare
C. Set-SmbShare
D. Set-SmbServerConfiguration
E. Set-SmbClientConfiguration
Answer: D
QUESTION 171
You plan to enable Credential Guard on four servers. Credential Guard secrets will be bound to
the TPM.
The servers run Windows Server 2016 and are configured as shown in the following table.
You need to identify which server you must modify to support the planned implementation.
Which server should you identify?
A. Server1
B. Server2
C. Server3
D. Server4
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-
requirements
QUESTION 172
Your network contains an Active Directory domain named contoso.com. The domain contains two
servers named Server1 and Server2. The domain has Dynamic Access Control enabled.
Server1 contains a folder named C:\Folder1. Folder1 is shared as Share1.
You need to audit all access to the contents of Folder1 from Server2. The solution must minimize
the number of event log entries.
Which two audit policies should you enable on Server1? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
A. Global Object Access - File System
B. Object Access - Audit Detailed File Share
C. Object Access - Audit Other Object Access Events
D. Object Access - Audit File System
E. Object Access - Audit File Share
Answer: BE
Explanation:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-
share
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
QUESTION 173
Your network contains an Active Directory forest named contoso.com. The forest contains three
domains.
All domain controllers run Windows Server 2016.
You deploy a second Active Directory forest named admin.contoso.com. The forest contains a
domain member server named Server1. Server1 has Microsoft Identity Manager (MIM) 2016
deployed.
You need to implement Privileged Access Management (PAM) and to use admin.contoso.com as
an administrative forest.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From Server1, run the New-PAMTrust cmdlet.
B. From a domain controller in contoso.com, run the New-PAMDomainConfiguration cmdlet.
C. From a domain controller in admin.contoso.com, run the New-PAMTrust cmdlet.
D. From a domain controller in contoso.com, run the New-PAMTrust cmdlet.
E. From a domain controller in admin.contoso.com, run the New-PAMDomainConfiguration cmdlet.
F. From Server1, run the New-PAMDomainConfiguration cmdlet.
Answer: AF
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-
for-pam
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-
priv-corpforests
QUESTION 174
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a
computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps. App1.exe is
configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to
the corporate network.
Solution: You run the New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound -LocalPort
8080 -Protocol TCP -Action Allow -Profile Domain command.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 175
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a
computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps. App1.exe is
configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to
the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080, uses a scope
of 172.16.0.0/16 for local IP addresses, and applies to a private profile.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-
2008/dd448531(v=ws.10)
QUESTION 176
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a
computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps. App1.exe is
configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to
the corporate network.
Solution: You run the New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound
-Program "D:\Apps\App1.exe" -Action Allow -Profile Domain command.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
QUESTION 177
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Kerberos Policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
QUESTION 178
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You manage a file server that runs Windows Server 2016. The file server contains the volumes
configured as shown in the following table.
You need to encrypt DevFiles by using BitLocker Drive Encryption (BitLocker).
Solution: You run the Lock-BitLocker cmdlet.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://docs.microsoft.com/en-us/powershell/module/bitlocker/lock-bitlocker?view=win10-ps
QUESTION 179
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You manage a file server that runs Windows Server 2016. The file server contains the volumes
configured as shown in the following table.
You need to encrypt DevFiles by using BitLocker Drive Encryption (BitLocker).
Solution: You run the manage-bde.exe command and specify the -on parameter.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-on
QUESTION 180
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You manage a file server that runs Windows Server 2016. The file server contains the volumes
configured as shown in the following table.
You need to encrypt DevFiles by using BitLocker Drive Encryption (BitLocker).
Solution: You run the Enable-BitLocker cmdlet.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlocker?view=win10-ps
QUESTION 181
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2016.
You need to allow network administrators to use Just Enough Administration (JEA) to change the
TCP/IP settings on Server1. The solution must use the principle of least privilege.
How should you configure the session configuration file?
A. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Contoso\Network
Configuration Operators.
B. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Contoso\Network
Configuration Operators.
C. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Network Configuration
Operators.
D. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Network Configuration
Operators.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-
pssessionconfigurationfile?view=powershell-6
QUESTION 182
Your network contains an Active Directory domain named contoso.com.
You download Microsoft Security Compliance Toolkit 1.0 and all the security baselines.
You need to deploy one of the security baselines to all the computers in an organizational unit
(OU) named OU1.
What should you do?
A. Run LGPO.exe and specify the /g parameter. From Policy Analyzer, click Add.
B. From Group Policy Management, create and link a Group Policy object (GPO). Select the GPO
and run the Import Settings Wizard.
C. From Group Policy Management, click Group Policy Objects, and then click Manage Backups...
D. From Group Policy Management, create and link a Group Policy object (GPO). Run LGPO.exe and
specify the /g parameter.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-
to-client-computers-by-using-group-policy
QUESTION 183
You have a virtual machine named FS1 that runs Windows Server 2016.
FS1 has the shared folders shown in the following table.
You need to ensure that each user can store 10 GB of files in \\FS1\Users.
What should you do?
A. From File Explorer, open the properties of volume D, and then modify the Quota settings.
B. Install the File Server Resource Manager role service, and then create a file screen.
C. From File Explorer, open the properties of D:\Users, and then modify the Advanced sharing
settings.
D. Install the File Server Resource Manager role service, and then create a quota.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows-server/storage/fsrm/create-quota
QUESTION 184
Your network has an internal network and a perimeter network. Only the servers on the perimeter
network can access the Internet. You create a Microsoft Operations Management Suite (OMS)
instance in Microsoft Azure.
You deploy Microsoft Monitoring Agent to all the servers on both the networks.
You discover that only the servers on the perimeter network report to OMS.
You need to ensure that all the servers report to OMS.
What should you do?
A. Install a Web Application Proxy on the perimeter network and install an OMS Gateway on the
internal network. Publish the OMS Gateway from the Web Application Proxy.
B. Install a Web Application Proxy and an OMS Gateway on the perimeter network. Publish the OMS
Gateway from the Web Application Proxy.
C. Configure the network firewalls to allow the internal servers to access the IP addresses of the
Azure OMS instance by using TCP port 443.
D. On the internal servers, run the Add-AzureRmUsageConnect cmdlet and specify the -AdminUri
parameter.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway
QUESTION 185
Your network contains an Active Directory domain named contoso.com. The domain contains a
member server named Server5 that runs Windows Server 2016.
You need to configure Server5 as a Just Enough Administration (JEA) endpoint.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Generate a random Globally Unique Identifier (GUID).
B. Create and export a Windows PowerShell session.
C. Create and register a session configuration file.
D. Deploy Microsoft Identity Manager (MIM) 2016.
E. Create a maintenance Role Capability file.
Answer: CE
Explanation:
https://docs.microsoft.com/en-us/powershell/jea/session-configurations
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
QUESTION 186
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
You have a server named Server1 that runs Windows Server 2016.
You need to identify the default action for the inbound traffic when Server1 connects to the
domain.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: C
Explanation:
https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallprofile?view=win10-ps
QUESTION 187
Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether any connection security rules are configured on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netipsecrule?view=win10-ps
QUESTION 188
Your company has an accounting department.
The network contains an Active Directory domain named contoso.com. The domain contains 10
servers.
You deploy a new server named Server11 that runs Windows Server 2016. Server11 will host
several network applications and network shares used by the accounting department.
You need to recommend a solution for Server11 that meets the following requirements:
- Protects Server11 from address spoofing and session hijacking
- Allows only the computers in the accounting department to connect to Server11
What should you recommend implementing?
A. Just Enough Administration (JEA)
B. AppLocker rules
C. Privileged Access Management (PAM)
D. connection security rules
Answer: D
Explanation:
https://support.microsoft.com/en-us/help/942957/security-rules-for-windows-firewall-and-for-
ipsec-based-connections-in
QUESTION 189
Drag and Drop Question
You have two servers named Server1 and Server2 that run Windows Server 2016. The servers
are in a workgroup.
You need to create a security template that contains the security settings of Server1 and to apply
the template to Server2. The solution must minimize administrative effort.
Which snap-in should you use for each server? To answer, drag the appropriate snap-ins to the
correct servers. Each snap-in may be used once, more than once, or not at all. You may need to
drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://www.windows-server-2012-r2.com/security-templates.html
QUESTION 190
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain. You install the ATA
Gateway on a server named Server1.
To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect
events.
You need to configure the query filter for event subscriptions on Server1.
How should you configure the query filter? To answer, select the appropriate options in the
answer area.
Answer:
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
QUESTION 191
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com. The domain contains a
user named User1 and a computer named Computer1. Remote Server Administration Tools
(RSAT) is installed on Computer1.
You need to add User1 as a data recovery agent in the domain.
Which four actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
https://msdn.microsoft.com/library/cc875821.aspx#EJAA
https://www.serverbrain.org/managing-security-2003/using-the-cipher-command-to-add-data-
recovery-agent.html
QUESTION 192
Hotspot Question
Your network contains several Windows container hosts.
You plan to deploy three custom .NET applications.
You need to recommend a deployment solution for the applications. Each application must:
Be accessible by using a different IP address.
Have access to a unique file system.
Start as quickly as possible.
What should you recommend? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
https://docs.microsoft.com/en-us/dotnet/standard/modernize-with-azure-and-
containers/modernize-existing-apps-to-cloud-optimized/deploy-existing-net-apps-as-windows-
containers
https://blogs.msdn.microsoft.com/msgulfcommunity/2015/06/20/what-is-windows-server-
containers-and-hyper-v-containers/
QUESTION 193
Hotspot Question
You plan to implement a guarded fabric in TPM-trusted attestation mode. The fabric will contain a
three-node Host Guardian Service (HGS) cluster and four guarded hosts.
All the hosts will have matching hardware and will run the same workload.
You need to add the hosts to the HGS cluster.
What is the minimum number of times you must run each cmdlet to implement the HGS cluster?
To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-tpm-trusted-attestation-capturing-hardware
QUESTION 194
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2016.
The hardware configuration on Server1 meets the requirements for Credential Guard.
You need to enable Credential Guard on Server1.
What should you do? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-
requirements
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-
manage#hardware-readiness-tool
QUESTION 195
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2016.
A user named User1 is a member of the local Administrators group.
Server1 has the AppLocker rules configured as shown in the exhibit. (Click the Exhibit button.)
Rule1 and Rule2 are configured as shown in the following table.
You verify that User1 is unable to run App2.exe on Server1.
Which changes will allow User1 to run D:\Folder1\Program.exe and D:\Folder2\App2.exe? To
answer, select the appropriate options in the answer area.
Answer:
Explanation:
https://technet.microsoft.com/en-us/library/ee449492(v=ws.11).aspx
QUESTION 196
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You plan to deploy an application named App1.exe.
You need to verify whether Control Flow Guard is enabled for App1.exe.
Which command should you run? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
QUESTION 197
Hotspot Question
You have a Hyper-V host named Server1 that runs Windows Server 2016.
Server1 hosts the virtual machines configured as shown in the following table.
All the virtual machines have two volumes named C and D.
You plan to implement BitLocker Drive Encryption (BitLocker) on the virtual machines.
Which virtual machines can have their volumes protected by using BitLocker? To answer, select
the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/upgrade-virtual-
machine-version-in-hyper-v-on-windows-or-windows-server
http://www.shulerent.com/2012/09/04/locking-down-a-virtual-machine-with-bitlocker/
QUESTION 198
Hotspot Question
You manage a guarded fabric in TPM-trusted attestation mode.
You plan to create a virtual machine template disk for shielded virtual machines.
You need to create the virtual machine disk that you will use to generate the template.
How should you configure the disk? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-configuration-scenarios-for-shielded-vms-overview
https://docs.microsoft.com/en-us/system-center/dpm/what-s-new-in-dpm-2016?view=sc-dpm-1801
QUESTION 199
Hotspot Question
Your network contains two Active Directory forests named adatum.com and priv.adatum.com.
You deploy Microsoft Identity Manager (MIM) 2016 to the priv.adatum.com domain, and you
implement Privileged Access Management (PAM).
You create a PAM role named Group1 as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.
Answer:
Explanation:
https://tlktechidentitythoughts.wordpress.com/2016/09/07/mim-2016-setting-up-privileged-access-management-pam-in-an-existing-domain-using-the-built-in-pam-tool/
QUESTION 200
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com. The domain contains
several Hyper-V hosts.
You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2016.
You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence? To answer, move the appropriate cmdlets from
the list of cmdlets to the answer area and arrange them in the correct order.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-setting-up-the-host-guardian-service-hgs
QUESTION 201
Hotspot Question
You are implementing Privileged Access Management (PAM) for an Active Directory forest
named contoso.com.
You install a bastion forest named adatum.com, and you establish a trust between the forests.
You need to create a group in contoso.com that will be used by Microsoft Identity Manager to
create groups in adatum.com.
How should you configure the group? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment

70-744.pdf

  • 1. Vendor: Microsoft Exam Code: 70-744 Exam Name: Securing Windows Server 2016 Version: 18.071
  • 2. Important Notice Product Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within One year after your purchase. You can login member center and download the latest product anytime. (Product downloaded from member center is always the latest.) PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam again. Feedback We devote to promote the product quality and the grade of service to ensure customers interest. If you have any questions about our product, please provide Exam Number, Version, Page Number, Question Number, and your Login Account to us, please contact us at support@passleader.com and our technical experts will provide support in 24 hours. Copyright The product of each order has its own encryption code, so you should use it independently. If anyone who share the file we will disable the free update and account access. Any unauthorized changes will be inflicted legal punishment. We will reserve the right of final explanation for this statement. Order ID: **************** PayPal Name: **************** PayPal ID: ****************
  • 3. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 2 QUESTION 1 Note: This question is part of a series of question that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is Independent of the other questions in this series. Information and details provided in a question apply only to that question. Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2016. Server1 has a volume named Volume1. Dynamic Access Control is configured. A resource property named Property1 was created in the domain. You need to ensure that Property1 is set to a value of Big for all of the files in Volume1 that are larger than 10 MB. Which tool should you use? A. File Explorer B. Shared Folders C. Server Manager D. Disk Management E. Storage Explorer F. Computer Management G. System Configuration H. File Server Resource Manager (FSRM) Answer: H Explanation: In FSRM, "Large Files" creates a list of files conforming to a specified file spec that are a specified size or larger. QUESTION 2 Note: This question is part of a series of questions that present the same scenario. Each question In the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to It. As a result, these questions will not appear in the review screen. Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2016. The forest contains 2,000 client computers that run Windows 10. All client computers are deployed (rom a customized Windows image. You need to deploy 10 Pnvileged Access Workstations (PAWs). 
The solution must ensure that administrators can access several client applications used by all users. Solution: You deploy 10 physical computers and configure each wie as a virtualization host. You deploy the operating system on each host by using the customized Windows image. On each host you create a guest virtual machine and configure the virtual machine as a PAW. Does this meet the goal? A. Yes B. No Answer: B Explanation:
  • 4. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 3 https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged- access/privileged-access-workstations QUESTION 3 Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2016. You create a new bastion forest named admin.contoso.com. The forest functional level of admin.contoso.com is Windows Server 2012 R2. You need to implement a Privileged Access Management (PAM) solution. Which two actions should you perform? Each correct answer presents part of the solution. A. Raise the forest functional level of admm.contoso.com. B. Deploy Microsoft Identify Management (MIM) 2016 to admin.contoso.com. C. Configure contoso.com to trust admin.contoso.com. D. Deploy Microsoft Identity Management (MIM) 2016 to contoso.com. E. Raise the forest functional level of contoso.com. F. Configure admin.contoso.com to trust contoso.com. Answer: AC Explanation: Bastion forests should always be upgraded to current version. It defeats the purpose otherwise. You need a one way transitive trust from your production to your bastion. QUESTION 4 Your network contains an Active Directory domain named conioso.com. The domain contains 1,000 client computers that run Windows 8.1 and 1,000 client computers that run Windows 10. You deploy a Windows Server Update Services (WSUS) server. You create a computer group tor each organizational unit (OU) that contains client computers. You configure all of the client computers to receive updates from WSUS. You discover that all of the client computers appear m the Unassigned Computers computer group in the Update Services console. You need to ensure that the client computers are added automatically to the computer group that corresponds to the location of the computer account in Active Directory. 
Which two actions should you perform? Each correct answer presents part of the solution. A. From Group Policy objects (GPOs), configure the Enable client-side targeting setting. B. From the Update Services console, configure the Computers option. C. From Active Directory Users and Computers, create a domain local distribution group for each WSUS computer group. D. From Active Directory Users and Computers, modify the flags attnbute of each OU. E. From the Update Services console, run the WSUS Server Configuration Wizard. Answer: AB Explanation: https://technet.microsoft.com/en-us/library/dd252762.aspx https://technet.microsoft.com/en-us/library/cc720433(v=ws.10).aspx QUESTION 5 Note: This question Is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each
  • 5. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 4 question is Independent of the other questions in this series. Information and details provided in a question apply only to that question. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. Server1 has a shared folder named Share1. You need to encrypt the contents of Share1. Which tool should you use? A. File Explorer B. Shared Folders C. Server Manager D. Disk Management E. Storage Explorer F. Computer Management G. System Configuration H. File Server Resource Manager (FSRM) Answer: C Explanation: You can encrypt files from > file and storage services > share > properties of the folder and then setting, there is an encrypt data access checkbox which is unchecked by default. QUESTION 6 Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series. Start of repeated scenario Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2. The domain contains the servers configured as shown in the following table. All servers run Windows Server 2016. All client computers run Windows 10. You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
  • 6. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 5 You install Windows Defender on Nano1. End of repeated scenario You need to ensure that you can deploy a shielded virtual machine to Server4. Which server role should you deploy? A. Hyper-V B. Device Health Attestation C. Network Controller D. Host Guardian Service Answer: D Explanation: A guarded fabric consists of: 1 host guardian service (hgs) 1 or more guarded hosts (in this case Server4) A set of shielded VMs. https://technet.microsoft.com/en-us/windows-server-docs/security/guarded-fabric-shielded- vm/guarded-fabric-and-shielded-vms QUESTION 7 Your network contains an Active Directory domain named contoso.com. The domain contains four servers. The servers are configured as shown in the following table. You need to manage FS1 and FS2 by using Just Enough Administration (JEA). What should you do before you can implement JEA? A. Install Microsoft .NET Framework 4.6.2 on FS2. B. Install Microsoft .NET Framework 4.6.2 on FS1. C. Install Windows Management Framework 5.0 on FS2. D. Upgrade FS2 to Windows Server 2016. Answer: C Explanation: JEA is incorporated into Windows Server 2016 and Windows 10, and is also incorporated into Windows Management Framework 5.0, which you can download and install on computers running Windows Server 2012 R2. QUESTION 8 Your network contains an Active Directory domain named contoso.com. You are deploying Microsoft Advanced Threat Analytics (ATA). You create a user named User1. You need to configure the user account of User1 as a Honeytoken account. Which information must you use to configure the Honeytoken account?
  • 7. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 6 A. the SAM account name of User1 B. the Globally Unique Identifier (GUID) of User1 C. the SID of User1 D. the UPN of User1 Answer: C Explanation: To configure a Honeytoken user you will need the SID of the user account, not the user name. https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/working-with-detection- settings QUESTION 9 Your network contains two single-domain Active Directory forests named contoso.com and contosoadmin.com. Contosoadmin.com contains all of the user accounts used to manage the servers in contoso.com. You need to recommend a workstation solution that provides the highest level of protection from vulnerabilities and attacks. What should you include in the recommendation? A. Provide a Privileged Access Workstation (PAW) for each user account in both forests. Join each PAW to the contoso.com domain. B. Provide a Pnvileged Access Workstation (PAW) for each user in the contoso.com forest. Join each PAW to the contoso.com domain. C. Provide a Pnvileged Access Workstation (PAW) for each administrator. Join each PAW to the contoso.com domain. D. Provide a Pnvileged Access Workstation (PAW) for each administrator. Join each PAW to the contosoadmin.com domain. Answer: D Explanation: Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment. https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing- privileged-access-reference-material#ESAE_BM QUESTION 10 Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario b repeated in each question. 
Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series. Start of repeated scenario Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2. The domain contains the servers configured as shown m the following table.
  • 8. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 7 All servers run Windows Server 2016. All client computers run Windows 10. You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1. End of repeated scenario You need to disable SMB 1.0 on Server2. What should you do? A. From File Server Resource Manager, create a classification rule. B. From the properties of each network adapter on Server2. modify the bindings. C. From Windows PowerShell, run the Set -SmbClientConfiguration cmdlet. D. From Server Manager, remove a Windows feature. Answer: C Explanation: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/ QUESTION 11 Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run Windows 10. A security audit reveals that the network recently experienced a Pass-the-Hash attack. The attack was initiated from a client computer and accessed Active Directory objects restricted to the members of the Domain Admins group. You need to minimize the impact of another successful Pass-the-Hash attack on the domain. What should you recommend? A. Instruct all users to sign in to a client computer by using a Microsoft account. B. Move the computer accounts of all the client computers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group. C. Instruct all administrators to use a local Administrators account when they sign in to a client computer. D. 
Move the computer accounts of the domain controllers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group. Answer: A Explanation:
  • 9. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 8 For this question, the best answer would be to log in using a Microsoft account. The Windows Hello service uses a virtual LSASS that is protected from caching credentials. But that is only for Windows 10 with Fall Creators Update 1607 or Server 2016. Which it does not mention. Again, this question is missing one of the possible choices, which was the correct answer. Without that choice, the next best answer would be to use a Microsoft Account with Win 10 along with update 1607 which added LSASS virtualization. QUESTION 12 Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series. Start of repeated scenario Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2. The domain contains the servers configured as shown in the following table. All servers run Windows Server 2016. All client computers run Windows 10. You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1. End of repeated scenario You need to exclude D:Folder1 on Nano1 from being scanned by Windows Defender. Which cmdlet should you run? A. Set-StorageSetting B. Set-FsrmFileScreenException C. Set-MpPreference D. 
Set-DtcAdvancedSetting Answer: C Explanation: -ExclusionPath: Specifies an array of file paths to exclude from scheduled and real-time scanning. You can specify a folder to exclude all the files under the folder.
  • 10. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 9 https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference QUESTION 13 Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series. Start of repeated scenario Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2. The domain contains the servers configured as shown in the following table. All servers run Windows Server 2016. All client computers run Windows 10. You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1. End of repeated scenario You need to ensure that the marketing department computers validate DNS responses from adatum.com. Which setting should you configure in the Computer Configuration node of GP1? A. TCPIP Settings from Administrative Templates B. Connection Security Rule from Windows Settings C. DNS Client from Administrative Templates D. Name Resolution Policy from Windows Settings Answer: D Explanation: The NRPT is a table that contains rules that you can configure to specify DNS settings or special behavior for names or namespaces.The NRPT can be configured using the Group Policy Management Editor under Computer ConfigurationPoliciesWindows SettingsName Resolution Policy, or with Windows PowerShell. 
If a DNS query matches an entry in the NRPT, it is handled according to settings in the policy.Queries that do not match an NRPT entry are processed normally.
  • 11. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 10 You can use the NRPT to require that DNSSEC validation is performed on DNS responses for queries in the namespaces that you specify. QUESTION 14 Note: This question is port of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question In the series. Each question is Independent of the other questions In this series. Information and details provided in a question apply only to that question. Vour network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016 and a Nano Server named Nano1. Nano1 has two volumes named C and D. You are signed in to Server1. You need to configure Data Deduplication on Nano1.
  • 12. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 11 Which tool should you use? A. File Explorer B. Shared Folders C. Server Manager D. Disk Management E. Storage Explorer F. Computer Management G. System Configuration H. File Server Resource Manager (FSRM) Answer: C Explanation: Enable Data Deduplication by using Server Manager https://technet.microsoft.com/en-us/windows-server-docs/storage/data-deduplication/install- enable QUESTION 15 Note: This question It part of a series of questions that present the same scenario. Each question In the series contains a unique solution that might meet the stated goats. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to It. As a result, these questions will not appear in the review screen. Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. Computer1 connects to a home network and a corporate network. The corporate network uses the 172.16.0.0/24 address space internally. Computer1 runs an application named App1 that listens to port 8080. You need to prevent connections to App1 when Computer1 is connected to the home network. Solution: From Group Policy Management you create a software restriction policy. Does this meet the goal? A. Yes B. No Answer: B Explanation: The network profiles and the ports can be managed by using advanced windows firewall settings and software restriction polices cannot full fill the needs . QUESTION 16 Your network contains an Active Directory domain named contoso.com. The domain contains five file servers that run Windows Server 2016. You have an organizational unit (OU) named Finance that contains all of the servers. You create a Group Policy object (GPO) and link the GPO to the Finance OU. 
You need to ensure that when a user in the finance department deletes a file from a file server, the event is logged.
The solution must log only users who have a manager attribute of Ben Smith.
Which audit policy setting should you configure in the GPO?
A. File system in Global Object Access Auditing
B. Audit Detailed File Share
C. Audit Other Account Logon Events
D. Audit File System in Object Access
Answer: A
Explanation:
Only Global Object Access Auditing can read user attributes.
QUESTION 17
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
- The resources of the applications must be isolated from the physical host.
- Each application must be prevented from accessing the resources of the other applications.
- The configurations of the applications must be accessible only from the operating system that hosts the application.
Solution: You deploy one Windows container to host all of the applications.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Isolation occurs at the container level. Multiple applications in the same container would share the same resources.
http://windowsitpro.com/windows-server-2016/differences-between-windows-containers-and-hyper-v-containers-windows-server-201
QUESTION 18
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You plan to implement BitLocker Drive Encryption (BitLocker) on the operating system volumes of the application servers.
You need to ensure that the BitLocker recovery keys are stored in Active Directory.
Which Group Policy setting should you configure?
A. System cryptography: Force strong key protection for user keys stored on the computer
B. Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
C. System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing
D. Choose how BitLocker-protected operating system drives can be recovered
Answer: D
Explanation:
Answer B is only applicable if using Win 2008 NON R2 Edition. Since it states we are using 2008 R2, the correct answer is D.
QUESTION 19
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You add User1 to the Backup Operators group in contoso.com.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
No. Server1 and Server2 use the local group "Backup Operators" to grant backup and restore rights to normal users. The solution would instead let User1 back up files and folders on the domain controllers for contoso.com.
QUESTION 20
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named Administration that contains the computer account of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU.
You need to log an event each time an Active Directory cmdlet is executed successfully from Server1.
What should you do?
A. From Advanced Audit Policy in GPO1 configure auditing for directory service changes.
B. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $false command.
C. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $true command.
D. From Advanced Audit Policy in GPO1 configure auditing for other privilege use events.
Answer: C
QUESTION 21
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2016.
The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 4.0 installed.
You export the baseline shown in the following exhibit.
You have a server named Server2 that is a member of a workgroup.
You copy the (2617e9b1-9672-492b-aefa-0505054848c2) folder to Server2.
You need to deploy the baseline settings to Server2.
What should you do?
A. Download, install, and then run the Lgpo.exe command.
B. From Group Policy Management import a Group Policy object (GPO).
C. From Windows PowerShell, run the Restore-GPO cmdlet.
D. From Windows PowerShell, run the Import-GPO cmdlet.
E. From a command prompt run the secedit.exe command and specify the /import parameter.
Answer: A
Explanation:
Server2 is a non-domain joined computer using the GPO pack feature.
Source: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
LGPO.exe replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM).
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
QUESTION 22
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a shared folder named Share1.
You need to ensure that all access to Share1 uses SMB Encryption.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/dn551363(v=ws.11).aspx
See section "To enable SMB Encryption by using Server Manager"
QUESTION 23
Your network contains an Active Directory forest named contoso.com.
The forest functional level is Windows Server 2012. The forest contains a single domain.
The domain contains multiple Hyper-V hosts.
You plan to deploy guarded hosts.
You deploy a new server named Server22 to a workgroup.
You need to configure Server22 as a Host Guardian Service server.
What should you do before you initialize the Host Guardian Service on Server22?
A. Install the Active Directory Domain Services server role on Server22.
B. Obtain a certificate.
C. Raise the forest functional level.
D. Join Server22 to the domain.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricchoose-where-to-install-hgs
The only technical requirement for installing HGS in an existing forest is that it be added to the root domain; non-root domains are not supported.
QUESTION 24
Your network contains an Active Directory domain named contoso.com.
You create a Microsoft Operations Management Suite (OMS) workspace.
You need to connect several computers directly to the workspace.
Which two pieces of information do you require? Each correct answer presents part of the solution.
A. the ID of the workspace
B. the name of the workspace
C. the URL of the workspace
D. the key of the workspace
Answer: AD
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
QUESTION 25
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), link it to the Operations Users OU, and modify the Users Rights Assignment in the GPO.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Yes, in the "User Rights Assignment" section of a GPO, two settings for assigning backup and restore user rights are available as follows:
QUESTION 26
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains
multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
- The resources of the applications must be isolated from the physical host.
- Each application must be prevented from accessing the resources of the other applications.
- The configurations of the applications must be accessible only from the operating system that hosts the application.
Solution: You deploy a separate Windows container for each application.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
By using a Windows container:
- The resources of the applications must be isolated from the physical host. (ACHIEVED, as a single container could only access its own resources, but not others)
- Each application must be prevented from accessing the resources of the other applications. (ACHIEVED, as a single container could only access its own resources, but not others)
- The configurations of the applications must be accessible only from the operating system that hosts the application. (ACHIEVED, you can use DockerFile or DockerRun to push configurations to containers from the Container Host OS)
QUESTION 27
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a volume named Volume1.
A central access policy named Policy1 is deployed to the domain.
You need to apply Policy1 to Volume1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: A
Explanation:
"File Explorer" = "Windows Explorer".
https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policydemonstration-steps-#BKMK_1.4
QUESTION 28
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), you link the GPO to the Servers OU, and then you modify the Users Rights Assignment in the GPO.
Does this meet the goal?
A. Yes
B. No
Answer: A
QUESTION 29
Your network contains an Active Directory domain named contoso.com.
You install the Windows Server Update Services server role on a member server named Server1.
Server1 runs Windows Server 2016.
You need to ensure that a user named User1 can perform the following tasks:
- View the Windows Server Update Services (WSUS) configuration.
- Generate WSUS update reports.
The solution must use the principle of least privilege.
What should you do on Server1?
A. Modify the permissions of the ReportWebService virtual folder from the WSUS Administration website.
B. Add User1 to the WSUS Reporters local group.
C. Add User1 to the WSUS Administrators local group.
D. Run wsusutil.exe and specify the postinstall parameter.
Answer: B
Explanation:
WSUS Reporters have read-only access to the WSUS database and configuration.
When a user has "WSUS Reporters" membership, he can view the configuration and generate reports as follows:
QUESTION 30
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management you create a software restriction policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The network profiles and the ports can be managed by using advanced Windows Firewall settings; software restriction policies cannot fulfill the requirement.
QUESTION 31
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016.
The forest contains 2,000 client computers that run Windows 10.
All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs).
The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy one physical computer and configure it as a Hyper-V host that runs Windows Server 2016. You create 10 virtual machines and configure each one as a PAW.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
"The PAW architecture does not allow for hosting an admin VM on a user workstation, but a user VM with a standard corporate image can be hosted on a PAW host to provide personnel with a single PC for all responsibilities."
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
QUESTION 32
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server5 that has the Windows Server Update Services server role installed.
You need to configure Windows Server Update Services (WSUS) on Server5 to use SSL.
You install a certificate in the local Computer store.
Which two tools should you use? Each correct answer presents part of the solution.
A. Wsusutil
B. Netsh
C. Internet Information Services (IIS) Manager
D. Server Manager
E. Update Services
Answer: AC
Explanation:
https://technet.microsoft.com/en-us/library/hh852346(v=ws.11).aspx#bkmk_3.5.ConfigSSL
http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/
QUESTION 33
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Windows Firewall in the Control Panel, you add an application and allow the application to communicate through the firewall on a Private network.
Does this meet the goal?
A. Yes
B. No
Answer: A
QUESTION 34
Your network contains an Active Directory domain named contoso.com.
The domain contains five servers. All servers run Windows Server 2016.
A new security policy states that you must modify the infrastructure to meet the following requirements:
- Limit the rights of administrators.
- Minimize the attack surface of the forest.
- Support Multi-Factor authentication for administrators.
You need to recommend a solution that meets the new security policy requirements.
What should you recommend deploying?
A. an administrative forest
B. domain isolation
C. an administrative domain in contoso.com
D. the Local Administrator Password Solution (LAPS)
Answer: A
Explanation:
You have to "Minimize the attack surface of the forest", so you must create another forest for administrators.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material#ESAE_BM
This section contains an approach for an administrative forest based on the Enhanced Security Administrative Environment (ESAE) reference architecture deployed by Microsoft's cyber security professional services teams to protect customers against cyber security attacks.
Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment.
QUESTION 35
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016.
The forest contains 2,000 client computers that run Windows 10.
All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs).
The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy 10 physical computers and configure them as PAWs. You deploy 10 additional computers and configure them by using the customized Windows image.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
QUESTION 36
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
Server1 is configured as a domain controller.
You configure Server1 as a Just Enough Administration (JEA) endpoint.
You configure the required JEA rights for a user named User1.
You need to tell User1 how to manage Active Directory objects from Server2.
What should you tell User1 to do first on Server2?
A. From a command prompt, run ntdsutil.exe.
B. From Windows PowerShell, run the Import-Module cmdlet.
C. From Windows PowerShell run the Enter-PSSession cmdlet.
D. Install the management consoles for Active Directory, and then launch Active Directory Users and Computer.
Answer: C
Explanation:
"Enter-PSSession -ComputerName localhost -ConfigurationName demo1ep. You should see your prompt change to [localhost]: indicating that you are now in the special constrained session configuration. Run Get-Command. Observe the limited set of commands available".
https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/
QUESTION 37
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
A technician is testing the deployment of Credential Guard on Server1.
You need to verify whether Credential Guard is enabled on Server1.
What should you do?
A. From a command prompt run the credwiz.exe command.
B. From Task Manager, review the processes listed on the Details tab.
C. From Server Manager, click Local Server, and review the properties of Server1.
D. From Windows PowerShell, run the Get-WsManCredSSP cmdlet.
Answer: B
Explanation:
https://yungchou.wordpress.com/2016/10/10/credential-guard-made-easy-in-windows-10-version-1607/
As before, once Credential Guard is properly configured and running, you should find the 'Credential Guard' process and 'lsaiso.exe' listed on the Details page in Task Manager, as below.
QUESTION 38
Your network contains an Active Directory domain named contoso.com.
The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You deploy a new server named FinanceServer5, and join FinanceServer5 to the domain.
You need to ensure that the passwords of the local administrators of FinanceServer5 are available to the LAPS administrators.
What should you do?
A. On FinanceServer5, register AdmPwd.dll.
B. On FinanceServer5, install the LAPS Windows PowerShell module.
C. In the domain, modify the permissions for the computer account of FinanceServer5.
D. In the domain, modify the permissions of the Domain Controllers organizational unit (OU).
Answer: B
QUESTION 39
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Center on a server named Server1 and the ATA Gateway on a server named Server2.
You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?
A. the domain controllers to forward Event ID 4776 to Server2
B. the domain controllers to forward Event ID 1000 to Server1
C. Server2 to forward Event ID 1026 to Server1
D. Server1 to forward Event ID 1000 to Server2
Answer: A
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture
ATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway using physical or virtual switches.
If you deploy the ATA Lightweight Gateway directly on your domain controllers, it removes the requirement for port mirroring.
In addition, ATA can leverage Windows events (forwarded directly from your domain controllers or from a SIEM server) and analyze the data for attacks and threats.
See the GREEN line in the following figure: forward event ID 4776, which indicates NTLM authentication is being used, to the ATA Gateway Server2.
QUESTION 40
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
You need to create Work Folders on Server1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: C
Explanation:
https://blogs.technet.microsoft.com/canitpro/2015/01/19/step-by-step-creating-a-work-folders-test-lab-deployment-in-windows-server-2012-r2/
https://technet.microsoft.com/en-us/library/dn265974(v=ws.11).aspx
QUESTION 41
Your network contains an Active Directory forest named contoso.com.
The network is connected to the Internet.
You have 100 point-of-sale (POS) devices that run Windows 10.
The devices cannot access the Internet.
You deploy Microsoft Operations Management Suite (OMS).
You need to use OMS to collect and analyze data from the POS devices.
What should you do first?
A. Deploy Windows Server Gateway to the network.
B. Install the OMS Log Analytics Forwarder on the network.
C. Install Microsoft Data Management Gateway on the network.
D. Install the Simple Network Management Protocol (SNMP) feature on the devices.
E. Add the Microsoft NDIS Capture service to the network adapter of the devices.
Answer: B
Explanation:
https://blogs.technet.microsoft.com/msoms/2016/03/17/oms-log-analytics-forwarder/
QUESTION 42
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1.
Server1 is configured as shown in the following table.
You plan to create a pilot deployment of Microsoft Advanced Threat Analytics (ATA).
You need to install the ATA Center on Server1.
What should you do first?
A. Install Microsoft Security Compliance Manager (SCM).
B. Obtain an SSL certificate.
C. Assign an additional IPv4 address.
D. Remove Server1 from the domain.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites
ATA Center, which is the first component to be deployed on Server1, requires the use of the SSL protocol to communicate with the ATA Gateway.
To ease the installation of ATA, you can install self-signed certificates during installation.
Post deployment you should replace the self-signed certificate with a certificate from an internal Certification Authority to be used by the ATA Center.
Make sure the ATA Center and ATA Gateways have access to your CRL distribution point.
If they don't have Internet access, follow the procedure to manually import a CRL, taking care to install all the CRL distribution points for the whole chain.
QUESTION 43
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
- The resources of the applications must be isolated from the physical host.
- Each application must be prevented from accessing the resources of the other applications. - The configurations of the applications must be accessible only from the operating system that hosts the application. Solution: You deploy a separate Hyper-V container for each application. Does this meet the goal? A. Yes B. No Answer: A Explanation:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
QUESTION 44
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Secure that contains all servers.
You install Microsoft Security Compliance Manager (SCM) 4.0 on a server named Server1.
You need to export the SCM Print Server Security baseline and to deploy the baseline to a server named Server2.
What should you do? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Format to use to export the baseline: GPO Backup (folder)
Tool to use to import the baseline: Group Policy Management
When the security settings are exported from SCM 4 in a GPO (folder) format, with a long GUID name, you have to import them into a GPO by using "Group Policy Management": right-click the GPO and use the "Import Settings" button.
Do not confuse this with security template .inf files. Only a security template .inf file (which is a single file, not a folder) can be imported into a GPO by using Group Policy Object Editor.
QUESTION 45
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The services on Server1 are shown in the following output.
Server1 has the AppLocker rules configured as shown in the exhibit (Click the Exhibit button.)
Rule1 and Rule2 are configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
On Server1, User1 can run D:\Folder2\App1.exe: Yes
On Server1, User1 can run D:\Folder1\Program1.exe: Yes
If Program1 is copied from D:\Folder1 to D:\Folder2, User1 can run Program1.exe on Server1: Yes
https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-application-identity-service
The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced.
In this question, Server1's Application Identity service is stopped; therefore, AppLocker rules are no longer enforced and everyone can run everything on Server1.
QUESTION 46
Hotspot Question
Your network contains an Active Directory domain named adatum.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named OU1 that contains Server1.
You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1.
A user named User1 is a member of a group named Group1.
The properties of User1 are shown in the User1 exhibit (Click the Exhibit button.)
User1 has permissions to two files on Server1 configured as shown in the following table.
From Auditing Entry for Global File SACL, you configure the advanced audit policy settings in GPO1 as shown in the SACL exhibit (Click the Exhibit button.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
http://sourcedaddy.com/windows-7/auditing-file-and-folder-access.html
QUESTION 47
Hotspot Question
Your network contains an Active Directory forest named contoso.com.
The forest has Microsoft Identity Manager (MIM) 2016 deployed.
You implement Privileged Access Management (PAM).
You need to request privileged access from a client computer in contoso.com by using PAM.
How should you complete the Windows PowerShell script? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
$PAM = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" }
New-PAMRequest -role $PAM
QUESTION 48
Hotspot Question
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that you can implement the Local Administrator Password Solution (LAPS) for the finance department computers.
What should you do in the contoso.com forest? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Windows PowerShell module to import: AdmPwd.PS
Windows PowerShell cmdlet to use: update-AdmPwdADSchema
https://flamingkeys.com/deploying-the-local-administrator-password-solution-part-2/
QUESTION 49
Hotspot Question
You plan to deploy three encrypted virtual machines that use Secure Boot.
The virtual machines will be configured as shown in the following table.
How should you protect each virtual machine? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
VM1: A shielded virtual machine
VM2: An encryption-supported virtual machine
VM3: An encryption-supported virtual machine
A shielded VM prevents Virtual Machine Connection and PowerShell Direct; it prevents the Hyper-V host from interacting in any way with the shielded VM.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-andshielded-vms
QUESTION 50
Hotspot Question
Your network contains two Active Directory forests named contoso.com and adatum.com.
Contoso.com contains a Hyper-V host named Server1.
Server1 is a member of a group named HyperHosts.
Adatum.com contains a server named Server2.
Server1 and Server2 run Windows Server 2016.
Contoso.com trusts adatum.com.
You plan to deploy shielded virtual machines to Server1 and to configure Admin-trusted attestation on Server2.
Which component should you install and which cmdlet should you run on Server2? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Component to install on Server1: The Host Guardian Hyper-V Support feature
Cmdlet to run on Server1: Set-HgsClientConfiguration
The key for this question is Admin-trusted attestation (or AD mode) for the guarded fabric "Server1.contoso.com", while Server2.adatum.com is running the Host Guardian Service.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricguarded-host-prerequisites
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricconfirm-hosts-can-attest-successfully
QUESTION 51
The New-CIPolicy cmdlet creates a Code Integrity policy as an .xml file.
If you do NOT supply either driver files or rules what will happen?
A. The cmdlet performs a system scan
B. An exception/warning is shown because either one is required
C. Nothing
D. The cmdlet searches the Code Integrity Audit log for drivers
Answer: A
Explanation:
If you do not supply either driver files or rules, this cmdlet performs a system scan similar to the Get-SystemDriver cmdlet.
The cmdlet generates rules based on Level. If you specify the Audit parameter, this cmdlet scans the Code Integrity Audit log instead.
QUESTION 52
Read the following statement carefully and answer YES or NO.
You create a rule "Allow Everyone to run Windows except Registry Editor" that allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor.
The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks.
To resolve this problem, you create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor."
However, if you created a deny rule that did not allow any users to run Registry Editor, would the deny rule override the second rule that allows the Helpdesk user group to run Registry Editor?
A. NO
B. YES
Answer: B
Explanation:
For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor.
The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks.
To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor."
If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor.
https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx
QUESTION 53
A shielding data file (also called a provisioning data file or PDK file) is an encrypted file that a tenant or VM owner creates to protect important VM configuration information.
A fabric administrator uses the shielding data file when creating a shielded VM, but is unable to view or use the information contained in the file.
Which information can be stored in the shielding data file?
A. Administrator credentials
B. All of these
C. A Key Protector
D. Unattend.xml
Answer: B
QUESTION 54
You're creating a new GPO for WSUS settings so that client computers retrieve updates from your company's official WSUS server.
In the Group Policy Management Editor you have drilled down to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update and have right-clicked the "Specify intranet Microsoft update service location" setting and chosen Edit.
If the FQDN for your WSUS server is CONTOSO-WSUS1.contoso.com, which URL would you enter into the field?
A. http://CONTOSO-WSUS1.contoso.com:443
B. http://CONTOSO-WSUS1.contoso.com:21
C. http://CONTOSO-WSUS1.contoso.com:80
D. http://CONTOSO-WSUS1.contoso.com:8530
Answer: D
Explanation:
The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531.
If you're unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click Edit Bindings.
QUESTION 55
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.
Windows Defender comes with a number of different Defender-specific cmdlets that you can run through PowerShell to automate common tasks.
Which cmdlet would you run first if you wanted to perform an offline scan?
A. Start-MpWDOScan
B. Start-MpScan
C. Set-MpPreference -DisableRestorePoint $true
D. Set-MpPreference -DisablePrivacyMode $true
Answer: A
Explanation:
Some malicious software can be particularly difficult to remove from your PC. Windows Defender Offline (Start-MpWDOScan) can help to find and remove this using up-to-date threat definitions.
QUESTION 56
_____ enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network.
This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
A. Network Unlock
B. EFS recovery agent
C. JEA
D. Credential Guard
Answer: A
Explanation:
https://technet.microsoft.com/en-us/library/jj574173(v=ws.11).aspx
See last sentence of first paragraph: "This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware"
QUESTION 57
This question relates to Windows Firewall and related technologies.
These rules use IPsec to secure traffic while it crosses the network. You use these rules to specify that connections between two computers must be authenticated or encrypted. What is the name for these rules?
A. Connection Security Rules
B. Firewall Rules
C. TCP Rules
D. DHP Rules
Answer: A
QUESTION 58
Windows Firewall rules can be configured using PowerShell.
The "Set-NetFirewallProfile" cmdlet configures settings that apply to the per-profile configurations of the Windows Firewall with Advanced Security.
What is the default setting for the AllowInboundRules parameter when managing a GPO?
A. FALSE
B. NotConfigured
Answer: B
Explanation:
The default setting when managing a computer is True. When managing a GPO, the default setting is NotConfigured.
The NotConfigured value is only valid when configuring a Group Policy Object (GPO). This parameter removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.
QUESTION 59
The "Network Security: Restrict NTLM: NTLM authentication in this domain" policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller.
Which value would you choose so that the domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain?
The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the Network security: Restrict NTLM: Add server exceptions in this domain policy setting.
A. Deny for domain accounts
B. Deny for domain accounts to domain servers
C. Deny all
D. Deny for domain servers
Answer: B
QUESTION 60
Encryption-supported VMs are intended for use where the fabric administrators are fully trusted.
For example, an enterprise might deploy a guarded fabric in order to ensure VM disks are encrypted at-rest for compliance purposes.
Shielded VMs are intended for use in fabrics where the data and state of the VM must be protected from both fabric administrators and untrusted software that might be running on the Hyper-V hosts.
Are the Virtual Machine Connection (Console) and HID devices (e.g. keyboard, mouse) ON or OFF for encryption-supported VMs?
A. Off
B. On
Answer: B
Explanation:
Shielded VMs will never permit a VM console connection, whereas a fabric administrator can turn this protection on or off for encryption-supported VMs.
QUESTION 61
Updates typically consist of new versions of files that already exist on the computer that is being updated.
On a binary level, these existing files might not differ very much from updated versions.
The _________ feature identifies the exact bytes between versions, creates and distributes updates of only those differences, and then merges the existing file together with the updated bytes.
A. Background Intelligent Transfer Service
B. Express installation files
C. Filters
D. Deferred download
Answer: B
Explanation:
You can use express installation files to limit the bandwidth that is consumed on the local network, because WSUS transmits only the delta applicable to a particular version of an updated component.
However, this comes at the cost of additional bandwidth between your WSUS server, any upstream WSUS servers, and Microsoft Update, and requires additional local disk space.
By default, WSUS does not use express installation files.
QUESTION 62
The AppLocker Microsoft Management Console (MMC) snap-in is organized into areas called rule collections.
It can differentiate between various file types and formats.
Do you know which of the following is NOT a script file format?
A. .cmd
B. .com
C. .js
D. .bat
Answer: B
Explanation:
A .com (and .exe) is an executable file; the others are all scripts.
QUESTION 63
One solution to help reduce the potential for stolen data is to encrypt sensitive files by using Encrypting File System (EFS) to increase the security of your data.
Encryption is the application of a mathematical algorithm to make data unreadable except to those users who have the required key.
EFS is a Microsoft technology that lets you encrypt data on your computer, and control who can decrypt, or recover, the data.
When files are encrypted, user data cannot be read even if an attacker has physical access to the computer's data storage.
Which certificate allows the holder to recover encrypted files and folders throughout a domain or other scope, no matter who encrypted them?
A. File Recovery certificate
B. Encrypting File System certificate
Answer: A
QUESTION 64
Complete the two missing terms in the paragraph below:
Consider some IT professionals in a department that runs many servers.
They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software.
They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
To create the code integrity policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run.
Then they run New-CIPolicy with -Level ________ (to allow software from their software providers) and -Fallback ________ (to allow the internal, unsigned application).
A. Publisher, Hash
B. WHQLPublisher, Hash
C. LeafCertificate, Hash
D. RootCertificate, Hash
Answer: A
QUESTION 65
Troubleshooting Network Unlock issues begins by verifying the environment.
Many times, a small configuration issue will be the root cause of the failure.
Which utility would you use to verify group policy is reaching the clients properly?
A. gpfixup.exe
B. pnputil.exe
C. ktmutil.exe
D. gpresult.exe
Answer: D
Explanation:
Gpresult displays the Resultant Set of Policy (RSoP) information for a remote user and computer.
QUESTION 66
You deploy the Host Guardian Service (HGS).
You have several Hyper-V hosts that have older hardware and Trusted Platform Modules (TPMs) version 1.2.
You discover that the Hyper-V hosts cannot start shielded virtual machines.
You need to configure HGS to ensure that the older Hyper-V hosts can host shielded virtual machines.
What should you do?
A. Run the Set-HgsServer cmdlet and specify the -TrustTpm parameter.
B. Run the Set-HgsServer cmdlet and specify the -TrustActiveDirectory parameter.
C. Run the Clear-HgsServer cmdlet and specify the -Clustername parameter.
D. Run the Clear-HgsServer cmdlet and specify the -Force parameter.
E. It is not possible to enable older Hyper-V hosts to run Shielded virtual machines
Answer: E
Explanation:
Requirements and Limitations
There are several requirements for using Shielded VMs and the HGS:
- One bare metal host: You can deploy the Shielded VMs and the HGS with just one host. However, Microsoft recommends that you cluster HGS for high availability.
- Windows Server 2016 Datacenter Edition: The ability to create and run Shielded VMs and the HGS is only supported by Windows Server 2016 Datacenter Edition.
- For Admin-trusted attestation mode: You only need to have server hardware capable of running Hyper-V in Windows Server 2016 TP5 or higher.
- For TPM-trusted attestation: Your servers must have TPM 2.0 and UEFI 2.3.1 and they must boot in UEFI mode. The hosts must also have secure boot enabled.
- Hyper-V role: Must be installed on the guarded host.
- HGS Role: Must be added to a physical host.
- Generation 2 VMs.
- A fabric AD domain.
- An HGS AD, which in Windows Server 2016 TP5 is a separate AD infrastructure from your fabric AD.
QUESTION 67
Your network contains an Active Directory domain named contoso.com.
The domain contains multiple servers that run either Windows Server 2012 or Windows Server 2012 R2.
You plan to implement Just Enough Administration (JEA) to manage all of the servers.
What should you install on each server to ensure that the servers can be managed by using JEA?
A. Remote Server Administration Tools (RSAT)
B. Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
C. Management Odata Internet Information Services (IIS) Extension
D. Windows Management Framework 5.0
Answer: D
Explanation:
https://msdn.microsoft.com/en-us/library/dn896648.aspx
Get JEA
The current release of JEA is available on the following platforms:
Windows Server
- Windows Server 2016 Technical Preview 5 and higher
- Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2* with Windows Management Framework 5.0 installed
QUESTION 68
You have the servers configured as shown in the following table.
You purchase a Microsoft Azure subscription, and you create three Microsoft Operations Management Suite (OMS) workspaces named Workspace1, Workspace2, and Workspace3.
You need to deploy Microsoft Monitoring Agent to the servers to meet the following requirements:
- Antimalware data from all the servers must be visible in Workspace1.
- Security and audit data from the domain controllers and the virtualization hosts must be visible in Workspace2.
- System update data from all the servers in all the workgroups must be visible in Workspace3.
How many OMS agents should you deploy?
A. 10
B. 33
C. 73
D. 45
Answer: C
Explanation:
"All the servers" means all 5 domain controllers, plus all member servers (physical and virtual, domain and workgroup) and virtualization hosts, so there are no exemptions.
All servers mentioned in the above table must install OMS Microsoft Monitoring agents.
QUESTION 69
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016.
You need to prevent direct .NET scripts invoked by interactive Windows PowerShell sessions from running on the servers.
What should you do for each server?
A. Create an AppLocker rule.
B. Create a Code Integrity rule.
C. Disable PowerShell Remoting.
D. Modify the local Kerberos policy settings.
Answer: C
QUESTION 70
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 4.0 installed.
The domain contains domain controllers that run Windows Server 2016.
A Group Policy object (GPO) named GPO1 is applied to all of the domain controllers.
GPO1 has a Globally Unique Identifier (GUID) of 7ABCDEFG-1234-5678-90AB-005056123456.
You need to create a new baseline that contains the settings from GPO1.
What should you do first?
A. Copy the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB-005056123456} folder to Server1.
B. From Group Policy Management, create a backup of GPO1.
C. From Windows PowerShell, run the Copy-GPO cmdlet
D. Modify the permissions of the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB-005056123456}
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/hh489604.aspx
You can import current settings from your GPOs and compare these to the Microsoft recommended best practices.
Start with a GPO backup that you would commonly create in the Group Policy Management Console (GPMC).
Take note of the folder to which the backup is saved.
In SCM, select GPO Backup, browse to the GPO folder's Globally Unique Identifier (GUID) and select a name for the GPO when it's imported.
SCM will preserve any ADM files and GP Preference files (those with non-security settings that SCM doesn't parse) you're storing with your GPO backups.
It saves them in a subfolder within the user's public folder. When you export the baseline as a GPO again, it also restores all the associated files.
QUESTION 71
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that you can view Windows PowerShell code that was generated dynamically and executed on the computers in OU1.
What would you configure in GP1?
A. Object Access\Audit Application Generated from the advanced audit policy
B. Turn on PowerShell Script Block Logging from the PowerShell settings
C. Turn on Module Logging from the PowerShell settings
D. Object Access\Audit Other Object Access Events from the advanced audit policy
Answer: B
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to log the invocation of cmdlets, PowerShell's scripting language has plenty of features that you might want to log and/or audit.
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system.
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW event log, Microsoft-Windows-PowerShell/Operational.
If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy setting (in Administrative Templates -> Windows Components -> Windows PowerShell).
QUESTION 72
Your network contains an Active Directory forest named contoso.com.
All domain controllers run Windows Server 2016. Member servers run either Windows Server 2012 R2 or Windows Server 2016.
Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are transferred over the network.
Solution: You enable access-based enumeration on all the file shares.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Access-Based Enumeration does not help with encrypting network file transfers.
QUESTION 73
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Security Options.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
QUESTION 74
Your network contains an internal network and a perimeter network.
The internal network contains an Active Directory forest named contoso.com.
You deploy five servers to the perimeter network.
All of the servers run Windows Server 2016 and are members of a workgroup.
You need to apply a security baseline named Perimeter.inf to the servers in the perimeter network.
What should you use to apply Perimeter.inf?
A. Local Computer Policy
B. Security Configuration Wizard (SCW)
C. Group Policy Management
D. Server Manager
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows-server/get-started/deprecated-features
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
https://msdn.microsoft.com/en-us/library/bb742512.aspx
QUESTION 75
You enable and configure PowerShell Script Block Logging.
You need to view which script blocks were executed by using Windows PowerShell scripts.
What should you do?
A. View the Microsoft-Windows-PowerShell/Operational event log.
B. Open the log files in %LocalAppData%\Microsoft\Windows\PowerShell.
C. View the Windows PowerShell event log.
D. Open the log files in %SYSTEMROOT%\Logs.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the event log, Microsoft-Windows-PowerShell/Operational.
QUESTION 76
Your network contains an Active Directory domain named contoso.com.
The domain contains four global groups named Group1, Group2, Group3, and Group4.
A user named User1 is a member of Group3.
You have an organizational unit (OU) named OU1 that contains computer accounts.
A Group Policy object (GPO) named GPO1 is linked to OU1.
OU1 contains a computer account named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table:
You need to ensure that User1 can access the shares on Computer1.
What should you do?
A. Modify the membership of Group1.
B. In GPO1, modify the Access this computer from the network user right.
C. Modify the Deny access to this computer from the network user right.
D. Modify the Deny log on locally user right.
Answer: B
QUESTION 77
You are building a guarded fabric.
You need to configure Admin-trusted attestation.
Which cmdlet should you use?
A. Add-HgsAttestationHostGroup
B. Add-HgsAttestationTpmHost
C. Add-HgsAttestationCIPolicy
D. Add-HgsAttestationTpmPolicy
Answer: A
Explanation:
Authorize Hyper-V hosts using Admin-trusted attestation
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-addhost-information-for-admin-trusted-attestation

QUESTION 78
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016.
You implement a single-domain administrative forest named admin.contoso.com that has Enhanced Security Administrative Environment (ESAE) deployed.
You have an administrative user named Admin1 in admin.contoso.com.
You need to ensure that Admin1 can manage the domain controllers in contoso.com.
To which group should you add Admin1?
A. Contoso\Domain Admins
B. Admin\Administrators
C. Admin\Domain Admins
D. Contoso\Administrators
Answer: D
Explanation:
admin.contoso.com (NetBIOS domain name "ADMIN") is the administrative domain.
contoso.com (NetBIOS domain name "CONTOSO") is the corporate resource domain.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material

QUESTION 79
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether ICMP traffic is exempt from IPsec on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: D
Explanation:
The Get-NetFirewallSetting cmdlet retrieves the global firewall settings of the target computer.
The NetFirewallSetting object specifies properties that apply to the firewall and IPsec settings, no matter which network profile is currently in use.
The global configurations include viewing the active profile, exemptions, specified certification validation levels, and user and computer authorization lists.

QUESTION 80
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You run the command
New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound -Program "D:\Apps\App1.exe" -Action Allow -Profile Domain
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Tested correct cmdlet, worked, and the profile "Domain" for corporate network is also correct.

QUESTION 81
Your network contains an Active Directory domain named contoso.com.
The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup.
Server22 runs Windows Server 2016.
You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence?
A. Install-HgsServer
B. Install-Module
C. Install-Package
D. Enable-WindowsOptionalFeature
E. Install-ADDSDomainController
F. Initialize-HgsServer
Answer: AEF
Explanation:
Correct order of actions:
1. Install-ADDSDomainController: as Server22 is a workgroup computer, create a new domain on it first.
2. Install-HgsServer
3. Initialize-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricsetting-up-the-host-guardian-service-hgs
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricinstall-hgs-default
Install-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricinitialize-hgs-tpm-mode-default
Initialize-HgsServer

QUESTION 82
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The local administrator credentials of Server1 are managed by using the Local Administrator Password Solution (LAPS).
You need to retrieve the password of the Administrator account on Server1.
What should you do?
A. From Windows PowerShell on Server1, run the Get-ADFineGrainedPasswordPolicy cmdlet and specify the -Credential parameter.
B. From Windows PowerShell on Server1, run the Get-ADUser cmdlet and specify the -Credential parameter.
C. From Active Directory Users and Computers, open the properties of Server1 and view the value of the ms-Mcs-AdmPwd attribute.
D. From Active Directory Users and Computers, open the properties of Administrator and view the value of the userPassword attribute.
Answer: C
Explanation:
The "ms-Mcs-AdmPwd" attribute of a computer account in Active Directory Users and Computers stores the local Administrator password of a computer, which is configured by LAPS.

QUESTION 83
Your network contains an Active Directory domain named contoso.com.
The domain contains a DNS server named Server1 that runs Windows Server 2016.
A domain-based Group Policy object (GPO) is used to configure the security policy of Server1.
You plan to use Security Compliance Manager (SCM) 4.0 to compare the security policy of Server1 to the WS2012 DNS Server Security 1.0 baseline.
You need to import the security policy into SCM.
What should you do first?
A. From Security Configuration and Analysis, use the Export Template option.
B. Run the Copy-GPO cmdlet and specify the -TargetName parameter.
C. Run the Backup-GPO cmdlet and specify the -Path parameter.
D. Run the secedit.exe command and specify the /export parameter.
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/ee461052.aspx
Running the Backup-GPO cmdlet with the -Path parameter creates a GPO backup folder with a GUID name that is suitable for import into SCM 4.0.

QUESTION 84
Your network contains an Active Directory forest named contoso.com.
The forest contains three domains.
All domain controllers run Windows Server 2016.
You deploy a second Active Directory forest named admin.contoso.com.
The forest contains a domain member server named Server1.
Server1 has Microsoft Identity Manager (MIM) 2016 deployed.
You need to implement Privileged Access Management (PAM) and to use admin.contoso.com as an administrative forest.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From a domain controller in contoso.com, run the New-PAMTrust cmdlet.
B. From Server1, run the New-PAMDomainConfiguration cmdlet.
C. From a domain controller in admin.contoso.com, run the New-PAMTrust cmdlet.
D. From a domain controller in contoso.com, run the New-PAMDomainConfiguration cmdlet.
E. From a domain controller in admin.contoso.com, run the New-PAMDomainConfiguration cmdlet.
F. From Server1, run the New-PAMTrust cmdlet.
Answer: BF
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corpforests

QUESTION 85
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
You need to configure Nano1 as a Hyper-V Host.
Which command should you run?
A. Add-WindowsFeature Microsoft-NanoServer-Compute-Package
B. Add-WindowsFeature Microsoft-NanoServer-Guest-Package
C. Add-WindowsFeature Microsoft-NanoServer-Host-Package
D. Add-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
E. Install-Package Microsoft-NanoServer-Compute-Package
F. Install-Package Microsoft-NanoServer-Guest-Package
G. Install-Package Microsoft-NanoServer-Host-Package
H. Install-Package Microsoft-NanoServer-ShieldedVM-Package
I. Install-WindowsFeature Microsoft-NanoServer-Compute-Package
J. Install-WindowsFeature Microsoft-NanoServer-Guest-Package
K. Install-WindowsFeature Microsoft-NanoServer-Host-Package
L. Install-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
Answer: E
Explanation:
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server#BKMK_online
The Nano Server package "Microsoft-NanoServer-Compute-Package" includes the Hyper-V role for a Nano Server host.
Moreover, the Install-WindowsFeature and Add-WindowsFeature cmdlets are NOT available on a Nano Server.

QUESTION 86
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether any connection security rules are configured on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: A
Explanation:
https://technet.microsoft.com/en-us/itpro/powershell/windows/netsecurity/get-netipsecrule
Get-NetIPSecRule displays the existence and details of connection security rules, as connection security rules implement IPsec between computers (not using tunnel endpoints) or sites (using tunnel endpoints).

QUESTION 87
You implement Log Analytics in Microsoft Operations Management Suite (OMS) on all servers that run Windows Server 2016.
You need to generate a daily report that identifies which servers restarted during the last 24 hours.
Which query should you use?
A. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
B. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
C. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
D. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-searches
Computer restart events are stored in the "System" event log instead of the Application event log.
The "NOW-24HOURS" clause matches all events generated in the last 24 hours.

QUESTION 88
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1, and Server2.
Solution: You add User1 to the Backup Operators group on Server1 and Server2.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx
Backup Operators
Members of this group can back up and restore files on a computer, regardless of any permissions that protect those files.
This is because the right to perform a backup takes precedence over all file permissions. Members of this group cannot change security settings.

QUESTION 89
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080, uses a scope of 172.16.0.0/16 for local IP addresses, and applies to a private profile.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
"You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.", you should create the firewall rule for the "Domain" profile instead, not the "Private" profile.
https://technet.microsoft.com/en-us/library/getting-started-wfas-firewall-profiles-ipsec(v=ws.10).aspx

QUESTION 90
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to implement BitLocker Network Unlock for all of the laptops.
Which server role should you deploy to the network?
A. Network Controller
B. Windows Deployment Services
C. Host Guardian Service
D. Device Health Attestation
Answer: B
Explanation:
https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock
Network Unlock core requirements
Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include:
You must be running at least Windows 8 or Windows Server 2012.
Any supported operating system with UEFI DHCP drivers can be Network Unlock clients.
A server running the Windows Deployment Services (WDS) role on any supported server operating system.
BitLocker Network Unlock optional feature installed on any supported server operating system.
A DHCP server, separate from the WDS server.
Properly configured public/private key pairing.
Network Unlock Group Policy settings configured.

QUESTION 91
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that AppLocker rules will apply to the marketing department computers.
What should you do?
A. From the properties of OU2, modify the Security settings.
B. In GP2, configure the Startup type for the Application Identity service.
C. From the properties of OU2, modify the COM+ partition Set.
D. In GP2, configure the Startup type for the Application Management service.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-application-identity-service
Because AppLocker uses the "Application Identity" service to verify the attributes of a file, you must configure it to start automatically in at least one Group Policy object (GPO) that applies AppLocker rules.

QUESTION 92
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1.
On Server1, administrators plan to use several scripts that have the .ps1 extension.
You need to ensure that when code is generated from the scripts, an event containing the details of the code is logged in the Operational log.
Which Group Policy setting or settings should you configure?
A. Enable Protected Event Logging
B. Audit Process Creation and Audit Process Termination
C. Turn on PowerShell Script Block Logging
D. Turn on PowerShell Transcription
Answer: C
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system.
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW event log, Microsoft-Windows-PowerShell/Operational.
If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy setting (in GPO Administrative Templates -> Windows Components -> Windows PowerShell).
Answer D is incorrect, since Transcription (Start-Transcript -path <FilePath>) uses a custom output location instead of the Event Viewer Operational log.

QUESTION 93
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU.
A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that when a configuration change is made on Nano2, Nano2 will revert back to the original configuration automatically.
What should you do first?
A. Enable File History for all volumes.
B. Install the Microsoft-NanoServer-DSC-Package optional package.
C. Install the Microsoft-NanoServer-DCB-Package optional package.
D. Enable System Protection on all volumes.
E. Deploy Microsoft System Center 2016 - Data Protection Manager (DPM).
Answer: B
Explanation:
Using PowerShell DSC (Desired State Configuration) to mitigate configuration drift on Nano Server requires additional steps, like installing the support package "Microsoft-NanoServer-DSC-Package".
https://docs.microsoft.com/en-us/powershell/dsc/nanodsc
DSC on Nano Server is an optional package in the NanoServer\Packages folder of the Windows Server 2016 media.
The package can be installed when you create a VHD for a Nano Server by specifying Microsoft-NanoServer-DSC-Package as the value of the Packages parameter of the New-NanoServerImage function, or by running the following PowerShell cmdlets on a live Nano Server ("Nano2"):
Import-PackageProvider NanoServerPackage
Install-Package Microsoft-NanoServer-DSC-Package -ProviderName NanoServerPackage -Force

QUESTION 94
You have a server named Server1 that runs Windows Server 2016.
Server1 has the Windows Server Update Services server role installed.
Windows Server Update Services (WSUS) updates for Server1 are stored on a volume named D.
The hard disk that contains volume D fails.
You replace the hard disk. You recreate volume D and the WSUS folder hierarchy in the volume.
You need to ensure that the updates listed in the WSUS console are available in the WSUS folder.
What should you run?
A. wsusutil.exe /import
B. wsusutil.exe /reset
C. Set-WsusServerSynchronization
D. Invoke-WsusServerCleanup
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/cc720466%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
WSUSutil.exe is a tool that you can use to manage your WSUS server from the command line. WSUSutil.exe is located in the %drive%\Program Files\Update Services\Tools folder on your WSUS server.
You can run specific commands with WSUSutil.exe to perform specific functions, as summarized in the following table.
The syntax you would use to run WSUSutil.exe with specific commands follows the table.

QUESTION 95
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to create a Role Capability file on Server3.
Which file should you create?
A. File1.xml
B. File1.ini
C. File1.ps1
D. File1.psrc
Answer: D

QUESTION 96
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether any inbound rules on Server1 require that users be authenticated before they can connect to the server.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallApplicationFilter
Answer: B
Explanation:
The complete cmdlet to perform the required action:

QUESTION 97
You are implementing Privileged Access Management (PAM) for an Active Directory forest named contoso.com.
You install a bastion forest named adatum.com, and you establish a trust between the forests.
You need to create a group in contoso.com that will be used by Microsoft Identity Manager to create groups in adatum.com.
How should you configure the group? Choose Two.
A. Group name: ADATUM$$$
B. Group name: CONTOSO$$$
C. Group name: CONTOSO_Adatum$
D. Group name: MIM$
E. Group type: a domain local distribution group
F. Group type: a domain local security group
G. Group type: a global distribution group
H. Group type: a universal distribution group
I. Group type: a universal security group
Answer: BF
Explanation:
Production forest is contoso.com
Bastion forest is adatum.com
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
A security group on the local domain (contoso.com)
There must be a group in the existing domain, whose name is the NetBIOS domain name followed by three dollar signs, e.g., CONTOSO$$$.
The group scope must be domain local and the group type must be Security.
This is needed for groups to be created in the dedicated administrative forest (adatum.com) with the same Security identifier as groups in this domain (contoso.com).
Create this group with the following:
New-ADGroup -name 'CONTOSO$$$' -GroupCategory Security -GroupScope DomainLocal -SamAccountName 'CONTOSO$$$'
After this, MIM could create "Shadow Group" in bastion adatum.com forest.

QUESTION 98
You have a server named Server1 that runs Windows Server 2016.
You need to identify whether IPsec tunnel authorization is configured on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: A
Explanation:
https://technet.microsoft.com/en-us/itpro/powershell/windows/netsecurity/get-netipsecrule

QUESTION 99
You have a server named Server1 that runs Windows Server 2016.
You need to view all of the inbound rules on Server1.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: B
Explanation:
Get-NetFirewallRule -Direction Inbound <-- view inbound rules for all profiles
The following examples show inbound rules for a specific firewall profile.
Get-NetFirewallRule -Direction Inbound | where {$_.Profile -eq "Domain"}
Get-NetFirewallRule -Direction Inbound | where {$_.Profile -eq "Public"}
Get-NetFirewallRule -Direction Inbound | where {$_.Profile -eq "Private"}

QUESTION 100
Your network contains an Active Directory domain.
Microsoft Advanced Threat Analytics (ATA) is deployed to the domain.
A database administrator named DBA1 suspects that her user account was compromised.
Which three events can you identify by using ATA? Each correct answer presents a complete solution.
A. Spam messages received by DBA1.
B. Phishing attempts that targeted DBA1.
C. The last time DBA1 experienced a failed logon attempt.
D. Domain computers into which DBA1 recently signed.
E. Servers that DBA1 recently accessed.
Answer: CDE
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
Suspicious authentication failures (Behavioral brute force)
Attackers attempt to use brute force on credentials to compromise accounts. ATA raises an alert when abnormal failed authentication behavior is detected.
Abnormal behavior
Lateral movement is a technique often used by attackers, to move between devices and areas in the victim's network to gain access to privileged credentials or sensitive information of interest to the attacker. ATA is able to detect lateral movement by analyzing the behavior of users, devices and their relationship inside the corporate network, and detect on any abnormal access patterns which may indicate a lateral movement performed by an attacker.

QUESTION 101
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The hardware configuration on Server1 meets the requirements for Credential Guard.
You need to enable Credential Guard on Server.
What should you do? Choose Two.
A. Component to install: The Host Guardian Service server role
B. Component to install: The Hyper-V server role
C. Component to install: The VM Shielding Tools for Fabric Management feature
D. Group Policy setting to configure: Access Credential Manager as a trusted provider
E. Group Policy setting to configure: Network Security: Configure encryption types allowed for Kerberos
F. Group Policy setting to configure: Turn on Virtualization Based Security
Answer: BF
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements
The Virtualization-based security requires:
- 64-bit CPU
- CPU virtualization extensions plus extended page tables
- Windows hypervisor
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage#hardware-readiness-tool

QUESTION 102
Your network contains an Active Directory domain named contoso.com.
The domain contains a member server named Servers that runs Windows Server 2016.
You need to configure Servers as a Just Enough Administration (JEA) endpoint.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Create and export a Windows PowerShell session.
B. Deploy Microsoft Identity Manager (MIM) 2016.
C. Create a maintenance Role Capability file.
D. Generate a random Globally Unique Identifier (GUID).
E. Create and register a session configuration file.
Answer: CE
Explanation:
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
https://docs.microsoft.com/en-us/powershell/jea/register-jea

QUESTION 103
You have a server named Server1 that runs Windows Server 2016.
You configure Just Enough Administration (JEA) on Server1.
You need to view a list of commands that will be available to a user named User1 when User1 establishes a JEA session to Server1.
Which cmdlet should you use?
A. Trace-Command
B. Get-PSSessionCapability
C. Get-PSSessionConfiguration
D. Show-Command
Answer: B
Explanation:
The Get-PSSessionCapability cmdlet gets the capabilities of a specific user on a constrained session configuration.
Use this cmdlet to audit customized session configurations for users.
Starting in Windows PowerShell 5.0, you can use the RoleDefinitions property in a session configuration (.pssc) file.
Using this property lets you grant users different capabilities on a single constrained endpoint based on group membership.
The Get-PSSessionCapability cmdlet reduces complexity when auditing these endpoints by letting you determine the exact capabilities granted to a user.
This command is used by the IT administrator (the "You" mentioned in the question) to verify the configuration for a user.

QUESTION 104
You have a file server named Server1 that runs Windows Server 2016.
A new policy states that ZIP files must not be stored on Server1.
An administrator creates a file screen filter as shown in the following output.
You need to prevent users from storing ZIP files on Server1. What should you do?
A. Enable Quota Management on all the drives.
B. Add a template to the filter.
C. Change the filter to active.
D. Configure File System (Global Object Access Auditing).
Answer: C
Explanation:
"Active : False" means it is a passive file screen filter, which will not block unwanted file types.

QUESTION 105
Your network contains an Active Directory forest named contoso.com.
The forest functional level is Windows Server 2012.
The forest contains 20 member servers that are configured as file servers.
All domain controllers run Windows Server 2016.
You create a new forest named contosoadmin.com.
You need to use the Enhanced Security Administrative Environment (ESAE) approach for the administration of the resources in contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From the properties of the trust, enable selective authentication.
B. Configure contosoadmin.com to trust contoso.com.
C. Configure contoso.com to trust contosoadmin.com.
D. From the properties of the trust, enable forest-wide authentication.
E. Configure a two-way trust between both forests.
Answer: AC
QUESTION 106
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From Windows PowerShell, you run the Disable-WindowsOptionalFeature cmdlet.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
On Client, the PowerShell approach:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
However, the question asks about Server!
On Server, the PowerShell approach:
Remove-WindowsFeature FS-SMB1
Even if SMB1 is removed, SMB2 and SMB3 could still run NTLM authentication!
Therefore, the answer is "NO".
QUESTION 107
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080 and applies to all profiles.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Therefore, you should not create a firewall rule for all three profiles.
QUESTION 108
You have a guarded fabric and a Host Guardian Service server named HGS1.
You deploy a Hyper-V host named Hyper1, and configure Hyper1 as part of the guarded fabric.
You plan to deploy the first shielded virtual machine.
You need to ensure that you can run the virtual machine on Hyper1.
What should you do?
A. On Hyper1, run the Invoke-WebRequest cmdlet, and then run the Import-HgsGuardian cmdlet.
B. On HGS1, run the Invoke-WebRequest cmdlet, and then run the Import-HgsGuardian cmdlet.
C. On Hyper1, run the Export-HgsKeyProtectionState cmdlet, and then run the Import-HgsGuardian cmdlet.
D. On HGS1, run the Export-HgsKeyProtectionState cmdlet, and then run the Import-HgsGuardian cmdlet
Answer: A
Explanation:
https://blogs.technet.microsoft.com/datacentersecurity/2016/06/06/step-by-step-creating- shielded-vms-withoutvmm/
QUESTION 109
Your network contains an Active Directory domain named contoso.com.
All servers in the domain run Windows Server 2016. All client computers run Windows 10.
Your company has deployed the Local Administrator Password Solution (LAPS).
Client computers in the finance department are located in an organizational unit (OU) named Finance.
Each finance computer has a custom administrative account named FinAdmin.
You discover that the FinAdmin accounts are not managed by LAPS.
You need to ensure that the FinAdmin accounts are managed by LAPS.
What should you do?
A. On the finance computers, register the AdmPwd.ps Windows PowerShell module and then run the ResetAdmPwdPassword cmdlet
B. Modify the Password Policy in a Group Policy object (GPO).
C. Modify the LAPS settings in a Group Policy object (GPO).
D. On the finance computers, rename the FinAdmin accounts to Administrator.
Answer: C
Explanation:
Use the GPO setting "Name of administrator account to manage" for LAPS to manage secondary administrative accounts that are not named "Administrator".
QUESTION 110
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You have an organizational unit (OU) named Administration that contains the computer account of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU.
You need to log an event each time an Active Directory cmdlet is executed successfully from Server1.
What should you do?
A. From Advanced Audit Policy in GPO1, configure auditing for other privilege use events.
B. Run the Add-NetEventProvider -Name "Microsoft-Active-Directory" -MatchAnyKeyword PowerShell command.
C. From Advanced Audit Policy in GPO1, configure auditing for directory service changes.
D. From Administrative Templates in GPO1, configure a Windows PowerShell policy.
Answer: D
Explanation:
In the following GPO location, you can enable the setting "Turn on Module Logging" to record an event each time PowerShell executes a cmdlet of a specific PowerShell module, for example "ActiveDirectory":
"Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell"
QUESTION 111
Your network contains an Active Directory domain named contoso.com.
The domain contains several shielded virtual machines.
You deploy a new server named Server1 that runs Windows Server 2016.
You install the Hyper-V server role on Server1.
You need to ensure that you can host shielded virtual machines on Server1.
What should you install on Server1?
A. Host Guardian Hyper-V Support
B. BitLocker Network Unlock
C. the Windows Biometric Framework (WBF)
D. VM Shielding Tools for Fabric Management
Answer: A
Explanation:
This question mentions "The domain contains several shielded virtual machines.", which indicates that a working Host Guardian Service deployment was completed.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded- vm/guarded-fabricguarded-host-prerequisites
For a new Hyper-V server to utilize an existing Host Guardian Service, install the "Host Guardian Hyper-V Support".
QUESTION 112
Your network contains an Active Directory forest named contoso.com.
All domain controllers run Windows Server 2016.
Member servers run either Windows Server 2012 R2 or Windows Server 2016.
Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are transferred over the network.
Solution: You enable SMB encryption on all the computers in the domain.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
SMB encryption can be enabled on a per-computer basis. After you have enabled SMB encryption at the server level, you cannot disable encryption for any specific shared folder.
To enable global-level encryption on the server:
Set-SmbServerConfiguration -EncryptData 1
QUESTION 113
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You enable deep script block logging for Windows PowerShell.
In which event log will PowerShell code that is generated dynamically appear?
A. Applications and Services Logs/Microsoft/Windows/PowerShell/Operational
B. Windows Logs/Security
C. Applications and Services Logs/Windows PowerShell
D. Windows Logs/Application
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to log the invocation of cmdlets, PowerShell's scripting language has plenty of features that you might want to log and/or audit.
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system.
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW (Event Tracing for Windows) event log Microsoft-Windows-PowerShell/Operational.
If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy setting (in Administrative Templates -> Windows Components -> Windows PowerShell).
QUESTION 114
Your network contains several Windows container hosts.
You plan to deploy three custom .NET applications.
You need to recommend a deployment solution for the applications.
Each application must:
- be accessible by using a different IP address.
- have access to a unique file system.
- start as quickly as possible.
What should you recommend? Choose Two.
A. Type of container: Hyper-V
B. Type of container: Windows
C. Number of containers: 1
D. Number of containers: 2
E. Number of containers: 3
Answer: BE
QUESTION 115
You implement Just Enough Administration (JEA) on several file servers that run Windows Server 2016.
The Role Capability file from a server named Server5 contains the following code.
Which action can be performed by a user who connects to Server5?
A. Create a new file share.
B. Modify the properties of any share.
C. Stop any process.
D. View the NTFS permissions of any folder.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
Focus on the 3rd Visible Cmdlets entry in this question, 'SmbShare\Set-*'.
The PowerShell "SmbShare" module has the following "Set-*" cmdlets, as reported by the "Get-Command -Module SmbShare" command:
The "Set-SmbShare" cmdlet is then visible on Server5's JEA endpoint, and allows JEA users to modify the properties of any file share.
https://technet.microsoft.com/en- us/itpro/powershell/windows/smbshare/set-smbshare
QUESTION 116
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You run the New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound -LocalPort 8080 -Protocol TCP -Action allow -Profile Domain command.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 117
Your network contains several secured subnets that are disconnected from the Internet.
One of the secured subnets contains a server named Server1 that runs Windows Server 2016.
You implement Log Analytics in Microsoft Operations Management Suite (OMS) for the servers that connect to the Internet.
You need to ensure that Log Analytics can collect logs from Server1.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Install the OMS Log Analytics Forwarder on a server that has Internet connectivity.
B. Create an event subscription on a server that has Internet connectivity.
C. Create a scheduled task on Server1.
D. Install the OMS Log Analytics Forwarder on Server1.
E. Install Microsoft Monitoring Agent on Server1.
Answer: AE
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway
OMS Log Analytics Forwarder = OMS Gateway
If your IT security policies do not allow computers on your network to connect to the Internet, such as point of sale (POS) devices or servers supporting IT services, but you need to connect them to OMS to manage and monitor them, they can be configured to communicate directly with the OMS Gateway (previously called "OMS Log Analytics Forwarder") to receive configuration and forward data on their behalf.
You also have to install Microsoft Monitoring Agent on Server1 to generate and send events to the OMS Gateway, since Server1 does not have direct Internet connectivity.
QUESTION 118
Your network contains an Active Directory domain.
The domain contains two organizational units (OUs) named ProdOU and TestOU.
All production servers are in ProdOU. All test servers are in TestOU.
A server named Server1 is in TestOU.
You have a Windows Server Update Services (WSUS) server named WSUS1 that runs Windows Server 2016.
All servers receive updates from WSUS1.
WSUS is configured to approve updates for computers in the Test computer group automatically.
Manual approval is required for updates to the computers in the Production computer group.
You move Server1 to ProdOU, and you discover that updates continue to be approved and installed automatically on Server1.
You need to ensure that all the servers in ProdOU only receive updates that are approved manually.
What should you do?
A. Turn off auto-restart for updates during active hours by using Group Policy objects (GPOs).
B. Configure client-side targeting by using Group Policy objects (GPOs).
C. Create computer groups by using the Update Services console.
D. Run wuauclt.exe /detectnow on each server after the server is moved to a different OU.
Answer: B
Explanation:
Updates in WSUS are approved against a "Computer Group", not AD OUs.
For this example, to prevent Server1 from installing automatically approved updates, you have to remove Server1 from the "Test" computer group and add Server1 to the "Production" computer group in the WSUS console, manually or by using the WSUS GPO Client-Side Targeting feature.
https://technet.microsoft.com/en- us/library/cc720450%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
With client-side targeting, you enable client computers to add themselves to the computer groups you create in the WSUS console.
You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active Directory network environment) for the client computers.
When the WSUS client computers connect to the WSUS server, they will add themselves into the correct computer group.
Client-side targeting is an excellent option if you have many client computers and want to automate the process of assigning them to computer groups.
First, configure WSUS to allow Client-Side Targeting.
Secondly, configure a GPO that affects "ProdOU", so that Server1 adds itself to the "Production" computer group.
https://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus
QUESTION 119
Your network contains an Active Directory domain named contoso.com.
The domain contains multiple servers that run multiple applications.
Domain user accounts are used to authenticate access requests to the servers.
You plan to prevent NTLM from being used to authenticate to the servers.
You start to audit NTLM authentication events for the domain.
You need to view all of the NTLM authentication events and to identify which applications authenticate by using NTLM.
On which computers should you review the event logs and which logs should you review?
A. Computers on which to review the event logs: Only client computers
B. Computers on which to review the event logs: Only domain controllers
C. Computers on which to review the event logs: Only member servers
D. Event logs to review: Applications and Services Logs\Microsoft\Windows\Diagnostics-Networking\Operational
E. Event logs to review: Applications and Services Logs\Microsoft\Windows\NTLM\Operational
F. Event logs to review: Applications and Services Logs\Microsoft\Windows\SMBClient\Security
G. Event logs to review: Windows Logs\Security
H. Event logs to review: Windows Logs\System
Answer: AE
Explanation:
Do not confuse this with event ID 4776 recorded on the domain controller's security event log!!!
This question asks for implementing NTLM auditing when domain clients are connecting to member servers! See below for further information.
https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network- security-restrict-ntlmaudit-ntlm-authentication-in-this-domain
Via lab testing, most of the NTLM audit logs are created on Windows 10 clients, except when you use Windows Server 2016 OS as clients (but this is unusual).
QUESTION 120
Your company has an accounting department.
The network contains an Active Directory domain named contoso.com.
The domain contains 10 servers.
You deploy a new server named Server11 that runs Windows Server 2016.
Server11 will host several network applications and network shares used by the accounting department.
You need to recommend a solution for Server11 that meets the following requirements:
- Protects Server11 from address spoofing and session hijacking
- Allows only the computers in the accounting department to connect to Server11
What should you recommend implementing?
A. AppLocker rules
B. Just Enough Administration (JEA)
C. connection security rules
D. Privileged Access Management (PAM)
Answer: C
Explanation:
In an IPsec connection security rule, the IPsec protocol verifies the sending host's IP address by using integrity functions such as digitally signing all packets.
If unsigned packets arrive at Server11, they are possibly source-address-spoofed packets. When a connection security rule is used in conjunction with inbound firewall rules, you can drop those unsigned packets with the action "Allow connection if it is secure" to prevent spoofing and session hijacking attacks.
QUESTION 121
You have a Hyper-V host named Server1 that runs Windows Server 2016.
Server1 has a generation 2 virtual machine named VM1 that runs Windows 10.
You need to ensure that you can turn on BitLocker Drive Encryption (BitLocker) for drive C: on VM1.
What should you do?
A. From Server1, install the BitLocker feature.
B. From Server1, enable nested virtualization for VM1.
C. From VM1, configure the Require additional authentication at startup Group Policy setting.
D. From VM1, configure the Enforce drive encryption type on fixed data drives Group Policy setting.
Answer: C
Explanation:
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
If you don't use a TPM for protecting a drive, there is no Virtual TPM, VM Generation, or VM Configuration version requirement; you can even use BitLocker without a TPM protector with earlier versions of Windows.
How to Use BitLocker Without a TPM
You can bypass this limitation through a Group Policy change.
If your PC is joined to a business or school domain, you can't change the Group Policy setting yourself. Group Policy is configured centrally by your network administrator.
To open the Local Group Policy Editor, press Windows+R on your keyboard, type "gpedit.msc" into the Run dialog box, and press Enter.
Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the left pane.
Double-click the "Require additional authentication at startup" option in the right pane.
Select "Enabled" at the top of the window, and ensure the "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" checkbox is enabled here.
Click "OK" to save your changes. You can now close the Group Policy Editor window.
Your change takes effect immediately; you don't even need to reboot.
QUESTION 122
Your network contains an Active Directory forest named corp.contoso.com.
You are implementing Privileged Access Management (PAM) by using a bastion forest named priv.contoso.com.
You need to create shadow groups in priv.contoso.com.
Which cmdlet should you use?
A. New-RoleGroup
B. New-ADGroup
C. New-PamRole
D. New-PamGroup
Answer: D
Explanation:
https://social.technet.microsoft.com/wiki/contents/articles/33363.mim-2016-privileged-access- managementpam-faq.aspx
https://docs.microsoft.com/en- us/powershell/identitymanager/mimpam/vlatest/new-pamgroup
QUESTION 123
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
The Microsoft Advanced Threat Analytics (ATA) Center service is installed on Server1.
The domain contains the users shown in the following table.
You are installing ATA Gateway on Server2.
You need to specify a Gateway Registration account.
Which account should you use?
A. User1
B. User2
C. User3
D. User4
E. User5
F. User6
G. User7
H. User8
Answer: F
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-role-groups
The user who installed ATA will be able to access the management portal (ATA Center) as a member of the "Microsoft Advanced Threat Analytics Administrators" local group on the ATA Center server.
QUESTION 124
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
A user named User1 is a member of the local Administrators group.
Server1 has the AppLocker rules configured as shown in the following:
Rule1 and Rule2 are configured as shown in the following table:
You verify that User1 is unable to run App2.exe on Server1.
Which changes will allow User1 to run D:\Folder1\Program.exe and D:\Folder2\App2.exe? Choose Two.
A. User1 can run D:\Folder1\Program.exe if Program.exe is moved to another folder
B. User1 can run D:\Folder1\Program.exe if Program.exe is renamed
C. User1 can run D:\Folder1\Program.exe if Program.exe is updated
D. User1 can run D:\Folder2\App2.exe if App2.exe is moved to another folder
E. User1 can run D:\Folder2\App2.exe if App2.exe is renamed
F. User1 can run D:\Folder2\App2.exe if App2.exe is upgraded
Answer: AF
Explanation:
https://technet.microsoft.com/en-us/library/ee449492(v=ws.11).aspx
"D:\Folder1\Program.exe" is originally explicitly denied due to Rule1; when "Program.exe" is moved out of "D:\Folder1", it does not match Rule1.
Assume that "Program.exe" is moved to "D:\Folder2": it matches an explicit Allow rule for the group "BUILTIN\Administrators", which User1 is a member of; therefore A is correct.
"App2.exe" matches an explicit Deny rule using its file hash (created from the file content); no matter where you move it to, or how you rename it, it would still match Rule2.
Only changing the file content of App2.exe would let it no longer match the explicit deny hash-based rule "Rule2".
By upgrading its version and content, it will generate a new hash, so F is correct.
QUESTION 125
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Gateway on a server named Server1.
To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect events.
You need to configure the query filter for event subscriptions on Server1.
How should you configure the query filter? Choose two
A. Event log to configure: Application
B. Event log to configure: Directory Services
C. Event log to configure: Security
D. Event log to configure: System
E. Event ID to include: 1000
F. Event ID to include: 1009
G. Event ID to include: 1025
H. Event ID to include: 4776
I. Event ID to include: 4997
Answer: CH
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
To enhance detection capabilities, ATA needs the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756, 4757.
These can either be read automatically by the ATA Lightweight Gateway or, in case the ATA Lightweight Gateway is not deployed, be forwarded to the ATA Gateway in one of two ways: by configuring the ATA Gateway to listen for SIEM events or by configuring Windows Event Forwarding.
Event ID: 4776 NTLM authentication is being used against domain controller
Event ID: 4732 A User is Added to Security-Enabled DOMAIN LOCAL Group
Event ID: 4733 A User is removed from Security-Enabled DOMAIN LOCAL Group
Event ID: 4728 A User is Added or Removed from Security-Enabled Global Group
Event ID: 4729 A User is Removed from Security-Enabled GLOBAL Group
Event ID: 4756 A User is Added or Removed From Security-Enabled Universal Group
Event ID: 4757 A User is Removed From Security-Enabled Universal Group
QUESTION 126
Your network contains an Active Directory domain named contoso.com.
The domain contains 10 computers that are in an organizational unit (OU) named OU1.
You deploy the Local Administrator Password Solution (LAPS) client to the computers.
You link a Group Policy object (GPO) named GPO1 to OU1, and you configure the LAPS password policy settings in GPO1.
You need to ensure that the administrator passwords on the computers in OU1 are managed by using LAPS.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Restart the domain controller that hosts the PDC emulator role.
B. Update the Active Directory Schema.
C. Enable LDAP encryption on the domain controllers.
D. Restart the computers.
E. Modify the permissions on OU1.
Answer: BE
QUESTION 127
Your network contains an Active Directory domain named contoso.com.
You plan to deploy an application named App1.exe.
You need to verify whether Control Flow Guard is enabled for App1.exe.
Which command should you run?
A. Dumpbin.exe /dependents /loadconfig App1.exe
B. Dumpbin.exe /headers /loadconfig App1.exe
C. Dumpbin.exe /relocations /loadconfig App1.exe
D. Dumpbin.exe /symbols /loadconfig App1.exe
E. Sfc.exe /dependents /loadconfig App1.exe
F. Sfc.exe /headers /loadconfig App1.exe
G. Sfc.exe /relocations /loadconfig App1.exe
H. Sfc.exe /symbols /loadconfig App1.exe
I. Sigverif.exe /dependents /loadconfig App1.exe
J. Sigverif.exe /headers /loadconfig App1.exe
K. Sigverif.exe /relocations /loadconfig App1.exe
L. Sigverif.exe /symbols /loadconfig App1.exe
M. Verifier.exe /dependents /loadconfig App1.exe
N. Verifier.exe /headers /loadconfig App1.exe
O. Verifier.exe /relocations /loadconfig App1.exe
P. Verifier.exe /symbols /loadconfig App1.exe
Answer: B
Explanation:
https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities.
By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows.
To verify whether Control Flow Guard is enabled for a certain application executable:
Run the dumpbin.exe tool (included in the Visual Studio 2015 installation) from the Visual Studio command prompt with the /headers and /loadconfig options:
dumpbin.exe /headers /loadconfig test.exe
The output for a binary under CFG should show that the header values include "Guard", and that the load config values include "CF Instrumented" and "FID table present".
QUESTION 128
Your network contains an Active Directory domain named contoso.com.
The domain contains 10 servers that run Windows Server 2016 and 800 client computers that run Windows 10.
You need to configure the domain to meet the following requirements:
- Users must be locked out from their computer if they enter an incorrect password twice.
- Users must only be able to unlock a locked account by using a one-time password that is sent to their mobile phone.
You deploy all the components of Microsoft Identity Manager (MIM) 2016.
Which three actions should you perform before you deploy the MIM add-ins and extensions? Each correct answer presents part of the solution.
A. From a Group Policy object (GPO), configure Public Key Policies
B. Deploy a Multi-Factor Authentication provider and copy the required certificates to the MIM server.
C. From the MIM Portal, configure the Password Reset AuthN Workflow.
D. Deploy a Multi-Factor Authentication provider and copy the required certificates to the client computers.
E. From a Group Policy object (GPO), configure Security Settings.
Answer: BCE
Explanation:
- Users must be locked out from their computer if they enter an incorrect password twice. (E)
- Users must only be able to unlock a locked account by using a one-time password that is sent to their mobile phone. (B and C); the detailed configuration process is in the following web page.
https://docs.microsoft.com/en-us/microsoft-identity-manager/working-with-self-service- passwordreset#prepare-mim-to-work-with-multi-factor-authentication
QUESTION 129
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016.
All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that you can encrypt the operating system drive of VM1 by using BitLocker.
Which Group Policy should you configure?
A. Configure use of hardware-based encryption for operating system drives
B. Configure TPM platform validation profile for native UEFI firmware configurations
C. Require additional authentication at startup
D. Configure TPM platform validation profile for BIOS-based firmware configurations
Answer: C
Explanation:
As there is no choice "Enabling Virtual TPM for the virtual machine VM1", we have to use a fallback method for enabling BitLocker in VM1.
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
QUESTION 130
The Job Title attribute for a domain user named User1 has a value of Sales Manager.
User1 runs whoami /claims and receives the following output:
Kerberos support for Dynamic Access Control on this device has been disabled.
You need to ensure that the security token of User1 has a claim for Job Title.
What should you do?
A. From Windows PowerShell, run the New-ADClaimTransformPolicy cmdlet and specify the -Name parameter
B. From Active Directory Users and Computers, modify the properties of the User1 account.
C. From Active Directory Administrative Center, add a claim type.
D. From a Group Policy object (GPO), configure KDC support for claims, compound authentication, and Kerberos armoring.
Answer: C
Explanation:
From the output, obviously, a claim type is missing (or disabled), so the domain controller is not issuing tickets with the "Job Title" claim type.
QUESTION 131
Your network contains an Active Directory domain named contoso.com.
You deploy a server named Server1 that runs Windows Server 2016.
Server1 is in a workgroup.
You need to collect the logs from Server1 by using Log Analytics in Microsoft Operations Management Suite (OMS).
What should you do first?
A. Join Server1 to the domain.
B. Create a Data Collector Set.
C. Install Microsoft Monitoring Agent on Server1.
D. Create an event subscription.
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
You need to install and connect Microsoft Monitoring Agent for all of the computers that you
You can install the OMS MMA on stand-alone computers, servers, and virtual machines.
QUESTION 132
Your network contains an Active Directory domain named contoso.com.
The domain contains two DNS servers that run Windows Server 2016.
The servers host two zones named contoso.com and admin.contoso.com.
You sign both zones.
You need to ensure that all client computers in the domain validate the zone records when they query the zone.
What should you deploy?
A. a Microsoft Security Compliance Manager (SCM) policy
B. a zone transfer policy
C. a Name Resolution Policy Table (NRPT)
D. a connection security rule
Answer: C
Explanation:
You should use a Group Policy NRPT for a DNS client to perform DNSSEC validation of DNS zone records.
QUESTION 133
Your network contains an Active Directory domain named contoso.com.
The domain contains two global groups named Group1 and Group2.
A user named User1 is a member of Group1.
You have an organizational unit (OU) named OU1 that contains the computer accounts of computers that contain sensitive data.
A Group Policy object (GPO) named GPO1 is linked to OU1.
OU1 contains a computer account named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table.
You need to prevent User1 from signing in to Computer1.
What should you do?
A. From Default Domain Policy, modify the Allow log on locally user right
B. On Computer1, modify the Deny log on locally user right.
C. From Default Domain Policy, modify the Deny log on locally user right
D. Remove User1 to Group2.
Answer: D
Explanation:
https://technet.microsoft.com/en-us/library/cc957048.aspx
"Deny log on locally"
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users are prevented from logging on at the computer.
This policy setting supersedes the Allow Log on locally policy setting if an account is subject to both policies.
Therefore, adding User1 to Group2 will let User1 inherit both policies, and then prevent User1 from signing in to Computer1.
QUESTION 134
You are creating a Nano Server image for the deployment of 10 servers.
You need to configure the servers as guarded hosts that use Trusted Platform Module (TPM) attestation.
Which three packages should you include in the Nano Server image? Each correct answer presents part of the solution.
A. Microsoft-NanoServer-SecureStartup-Package
B. Microsoft-NanoServer-ShieldedVM-Package
C. Microsoft-NanoServer-Storage-Package
D. Microsoft-NanoServer-SCVMM-Compute-Package
E. Microsoft-NanoServer-SCVMM-Package
F. Microsoft-NanoServer-Compute-Package
Answer: ABF
Explanation:
https://docs.microsoft.com/en-us/system-center/vmm/guarded-deploy-host?toc=/windows-server/virtualization/toc.json
For an SCVMM-managed Nano Server Hyper-V case:
If your host is running Nano Server Hyper-V host, it should have the Compute, SCVMM-Package, SCVMM-Compute, SecureStartup, and ShieldedVM packages installed.
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server
For a standalone Nano Server Hyper-V host, no SCVMM-related packages are required; only the Compute, SecureStartup, and ShieldedVM packages are required.
This table shows the roles and features that are available in this release of Nano Server, along with the Windows PowerShell options that will install the packages for them.
Some packages are installed directly with their own Windows PowerShell switches (such as -Compute); others you install by passing package names to the -Package parameter, which you can combine in a comma-separated list.
You can dynamically list available packages using the Get-NanoServerPackage cmdlet.
QUESTION 135
You plan to enable Credential Guard on four servers.
Credential Guard secrets will be bound to the TPM.
The servers run Windows Server 2016 and are configured as shown in the following table.
On which of the above servers could you enable Credential Guard?
A. Server1
B. Server2
C. Server3
D. Server4
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements
Hardware and software requirements
To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
QUESTION 136
Your network contains an Active Directory domain named contoso.com.
The domain contains servers that run Windows Server 2016.
You enable Remote Credential Guard on a server named Server1.
You have an administrative computer named Computer1 that runs Windows 10.
Computer1 is configured to require Remote Credential Guard.
You sign in to Computer1 as Contoso\User1.
You need to establish a Remote Desktop session to Server1 as Contoso\ServerAdmin1.
What should you do first?
A. Install the Universal Windows Platform (UWP) Remote Desktop application
B. Turn on virtualization based security
C. Run the mstsc.exe /remoteGuard
D. Sign in to Computer1 as Contoso\ServerAdmin1
Answer: D
Explanation:
When Computer1 is configured to require Remote Credential Guard, you cannot use NTLM authentication to specify (or impersonate) another user account when connecting to Server1.
Therefore, you have to sign in to Computer1 as "ServerAdmin1" and use Kerberos for authenticating to RDP server "Server1" when Remote Credential Guard is required.
QUESTION 137
You have two computers configured as shown in the following table.
You need to ensure that the credentials that you use to establish Remote Desktop sessions from Client1 to Server1 are protected by using Remote Credential Guard.
A. Join Client1 to the domain.
B. Remove Server1 from the domain.
C. Upgrade Server1 to Windows Server 2016 Datacenter.
D. Upgrade Client1 to Windows 10 Enterprise.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
QUESTION 138
Your data center contains 10 Hyper-V hosts that host 100 virtual machines.
You plan to secure access to the virtual machines by using the Datacenter Firewall service.
You have four servers available for the Datacenter Firewall service.
The servers are configured as shown in the following table.
You need to install the required server roles for the planned deployment.
Which server role should you deploy? Choose Two.
A. Server role to deploy: Multipoint Services
B. Server role to deploy: Network Controller
C. Server role to deploy: Network Policy and Access Services
D. Servers on which to deploy the server role: Server20 and Server21
E. Servers on which to deploy the server role: Server22 and Server23
Answer: BE
Explanation:
Datacenter Firewall is a new service included with Windows Server 2016.
It is a network layer, 5-tuple (protocol, source and destination port numbers, source and destination IP addresses), stateful, multitenant firewall.
When deployed and offered as a service by the service provider, tenant administrators can install and configure firewall policies to help protect their virtual networks from unwanted traffic originating from Internet and intranet networks.
https://docs.microsoft.com/en-us/windows-server/networking/sdn/technologies/network-controller/networkcontroller
Network Controller Features
The following Network Controller features allow you to configure and manage virtual and physical network devices and services.
i) Firewall Management (Datacenter Firewall)
ii) Software Load Balancer Management
iii) Virtual Network Management
iv) RAS Gateway Management
https://docs.microsoft.com/en-us/windows-server/networking/sdn/plan/installation-and-preparationrequirements-for-deploying-network-controller
Installation requirements
Following are the installation requirements for Network Controller.
For Windows Server 2016 deployments, you can deploy Network Controller on one or more computers, one or more VMs, or a combination of computers and VMs.
All VMs and computers planned as Network Controller nodes must be running Windows Server 2016 Datacenter edition.
QUESTION 139
Your network contains an Active Directory domain named contoso.com.
All client computers run Windows 10.
You plan to deploy a Remote Desktop connection solution for the client computers.
You have four available servers in the domain that can be configured as Remote Desktop servers.
The servers are configured as shown in the following table.
You need to ensure that all Remote Desktop connections can be protected by using Remote Credential Guard.
Solution: You deploy the Remote Desktop connection solution by using Server3.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Yes, since all client computers run Windows 10, and Server2 is Windows Server 2016 which fulfills the following requirements of using Remote Credential Guard.
https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
Remote Credential Guard requirements
To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements:
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
The Remote Desktop remote host:
- Must be running at least Windows 10, version 1607 or Windows Server 2016.
- Must allow Restricted Admin connections.
- Must allow the client's domain user to access Remote Desktop connections.
- Must allow delegation of non-exportable credentials.
QUESTION 140
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com.
All servers run Windows Server 2016.
The forest contains 2,000 client computers that run Windows 10.
All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs).
The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy one physical computer and configure it as a Hyper-V host that runs Windows Server 2016. You create 10 virtual machines and configure each one as a PAW.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
It is a violation of the clean source principle to run a PAW as a VM, irrespective of whether the host is Win 10 or Server 2016.
You always run the PAW as the host OS, then use a VM for everyday use.
QUESTION 141
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to prepare the environment to support applying Update1 to the laptops only.
What should you do? Choose Two.
A. Tool to use: Active Directory Administrative Center
B. Tool to use: Active Directory Users and Computers
C. Tool to use: Microsoft Intune
D. Tool to use: Update Services
E. Type of object to create: A computer group
F. Type of object to create: A distribution group
G. Type of object to create: A mobile device group
H. Type of object to create: A security group
I. Type of object to create: An OU
Answer: DE
Explanation:
https://technet.microsoft.com/en-us/library/cc708458(v=ws.10).aspx
QUESTION 142
You have a Hyper-V host named Hyperv1 that has a virtual machine named FS1.
FS1 is a file server that contains sensitive data.
You need to secure FS1 to meet the following requirements:
- Prevent console access to FS1.
- Prevent data from being extracted from the VHDX file of FS1.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Enable BitLocker Drive Encryption (BitLocker) for all the volumes on FS1
B. Disable the virtualization extensions for FS1
C. Disable all the Hyper-V integration services for FS1
D. On Hyperv1, enable BitLocker Drive Encryption (BitLocker) for the drive that contains the VHDX file for FS1.
E. Enable shielding for FS1
Answer: DE
QUESTION 143
Your network contains an Active Directory domain named contoso.com.
The domain contains 1,000 client computers that run either Windows 8.1 or Windows 10.
You have a Windows Server Update Services (WSUS) deployment.
All client computers receive updates from WSUS.
You deploy a new WSUS server named WSUS2.
You need to configure all of the client computers that run Windows 10 to send WSUS reporting data to WSUS2.
What should you configure?
A. an approval rule
B. a computer group
C. a Group Policy object (GPO)
D. a synchronization rule
Answer: C
Explanation:
https://technet.microsoft.com/en-us/library/cc708574(v=ws.10).aspx
Under "Set the intranet update service for detecting updates", type http://wsus:8530
Under "Set the intranet statistics server", type http://wsus2:8531
QUESTION 144
Your network contains an Active Directory domain named contoso.com.
All client computers run Windows 10.
You plan to deploy a Remote Desktop connection solution for the client computers.
You have four available servers in the domain that can be configured as Remote Desktop servers.
The servers are configured as shown in the following table.
You need to ensure that all Remote Desktop connections can be protected by using Remote Credential Guard.
Solution: You deploy the Remote Desktop connection solution by using Server4.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
No, as Server4 is a Windows Server 2012R2 which does not meet the requirements of Remote Credential Guard.
https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
Remote Credential Guard requirements
To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements:
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
The Remote Desktop remote host:
- Must be running at least Windows 10, version 1607 or Windows Server 2016.
- Must allow Restricted Admin connections.
- Must allow the client's domain user to access Remote Desktop connections.
- Must allow delegation of non-exportable credentials.
QUESTION 145
You have the Windows Server 2016 operating system images as shown in the following table.
Your company's security policy states that you must minimize the attack surface when provisioning new servers.
You need to deploy a Host Guardian Service cluster.
Which image should you use for the deployment?
A. image1
B. image2
C. image3
D. image4
Answer: C
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricprepare-for-hgs
Prerequisites
Hardware: HGS can be run on physical or virtual machines, but physical machines are recommended. If you want to run HGS as a three-node physical cluster (for availability), you must have three physical servers. (As a best practice for clustering, the three servers should have very similar hardware.)
Operating system: Windows Server 2016, Standard or Datacenter edition. <--- so you cannot use Server Core or Nano Server for running Host Guardian Service.
Server Roles: Host Guardian Service and supporting server roles.
Configuration permissions/privileges for the fabric (host) domain: You will need to configure DNS forwarding between the fabric (host) domain and the HGS domain. If you are using Admin-trusted attestation (AD mode), you will need to configure an Active Directory trust between the fabric domain and the HGS domain.
QUESTION 146
You have a server named Server1 that runs Windows Server 2016.
You need to identify the default action for the inbound traffic when Server1 connects to the domain.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallApplicationFilter
Answer: C
QUESTION 147
You have a Hyper-V host named Server1 that runs Windows Server 2016.
Server1 hosts the virtual machines configured as shown in the following table.
All the virtual machines have two volumes named C and D.
You plan to implement BitLocker Drive Encryption (BitLocker) on the virtual machines.
Which virtual machines can have their volumes protected by using BitLocker? Choose Two.
A. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM3 only
B. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM1 and VM3 only
C. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM2 and VM3 only
D. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM2 and VM4 only
E. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM2, VM3 and VM4 only
F. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM1, VM2, VM3 and VM4
G. Virtual machines that can have volume D protected by using BitLocker: VM3 only
H. Virtual machines that can have volume D protected by using BitLocker: VM1 and VM3 only
I. Virtual machines that can have volume D protected by using BitLocker: VM2 and VM3 only
J. Virtual machines that can have volume D protected by using BitLocker: VM2 and VM4 only
K. Virtual machines that can have volume D protected by using BitLocker: VM2, VM3 and VM4 only
L. Virtual machines that can have volume D protected by using BitLocker: VM1, VM2, VM3 and VM4
Answer: AG
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/upgrade-virtual-machine-versionin-hyper-v-on-windows-or-windows-server
To use a Virtual TPM protector for encrypting the C: drive, you have to use at least VM Configuration Version 7.0 and Generation 2 virtual machines.
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
If you don't use a TPM for protecting a drive, there is no such Virtual TPM, VM Generation, or VM Configuration version requirement; you can even use BitLocker without a TPM protector with earlier versions of Windows.
QUESTION 148
Your network contains an Active Directory domain named contoso.com.
The domain contains a file server named Server1 that runs Windows Server 2016.
Server1 has a shared folder named Share1.
You plan to create a subfolder in Share1 for each domain user.
You need to limit each user to using 100 MB of data in their respective subfolder.
The solution must enable the users to be notified when they use 80 percent of the available space in the subfolder.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: H
Explanation:
https://4sysops.com/archives/file-server-resource-manager-fsrm-part-3-quota-management/
QUESTION 149
Your network contains an Active Directory domain named contoso.com.
The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You need to view the password of the local administrator of a server named Server5.
Which tool should you use?
A. Active Directory Users and Computers
B. Computer Management
C. Accounts from the Settings app
D. Server Manager
Answer: A
Explanation:
Use "Active Directory Users and Computers" to view the attribute value of "ms-Mcs-AdmPwd" of the Server5 computer account.
https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-lapsimplementation-hints-and-security-nerd-commentaryincludingmini-threat-model/
QUESTION 150
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1. Solution: From Windows PowerShell, you run the New-ADAuthenticationPolicy cmdlet. Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
ADDS Authentication Policy does not provide the ability to prevent the use of NTLM authentication.
QUESTION 151
You have a server named Server1 that runs Windows Server 2016.
You need to install Security Compliance Manager (SCM) 4.0 on Server1.
What should you install on Server1 first?
A. the .NET Framework 3.5 Features feature
B. the Active Directory Rights Management Services server role
C. the Remote Server Administration Tools feature
D. the Group Policy Management feature
Answer: A
QUESTION 152
Your network contains an Active Directory domain named contoso.com.
The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You discover that the members of a group named FinanceAdministrators can view the password of the local Administrator accounts on the servers in an organizational unit (OU) named FinanceServers.
You need to prevent the FinanceAdministrators members from viewing the local administrators' passwords on the servers in FinanceServers.
Which permission should you remove from FinanceAdministrators?
A. List contents
B. All extended rights
C. Read all properties
D. Read permissions
Answer: B
Explanation:
https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-lapsimplementation-hints-and-security-nerd-commentaryincludingmini-threat-model/
Access to the password is granted via the "Control Access" right on the attribute.
Control Access is an "Extended Right" in Active Directory, which means if a user has been granted the "All Extended Rights" permission they'll be able to see passwords even if you didn't give them permission.
QUESTION 153
Hotspot Question
You have a Hyper-V host named Server1 that runs Windows Server 2016.
A new security policy states that all the virtual machines must be encrypted. Server1 hosts the virtual machines configured as shown in the following table.
An administrator runs the following commands.
Get-VM | Stop-VM
Get-VM | Update-VMVersion
Get-VM | Start-VM
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
You can configure VM1 as an encryption-supported virtual machine: Yes
You can configure VM2 as an encryption-supported virtual machine: Yes
You can configure VM3 as an encryption-supported virtual machine: Yes
After "Update-VMVersion" is executed against all three virtual machines, they become:
- VM1 Generation 2 Version 8
- VM2 Generation 1 Version 8
- VM3 Generation 2 Version 8
Pay attention to VM2: the question does not mention using a TPM protector.
You can configure this VM as Encryption Supported by using a Key Storage Drive added to the virtual machine settings.
Within the guest, there is no Virtual TPM.
Then, start encrypting the C system drive with the guest 2012R2 BitLocker feature.
After the encryption is completed:
QUESTION 154
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains the computers configured as shown in the following table.
Server1 has a share named Share1 with the following configurations:
Server1, Computer1, and Computer2 have the connection security rules configured as follows:
Please select the correct statement as below:
Answer:
Explanation:
When Computer1 accesses Share1, SMB encryption will be used: YES
When Computer2 accesses Share1, SMB encryption will be used: YES
When Server1 accesses a shared folder on Computer1, IPsec encryption will be used: NO
The shared folder "Share1" is configured with "EncryptData : True", so no matter which network the client resides on, SMB 3 communication will be encrypted.
When Server1 accesses Computer1 over the network, the original packet L3 IP header is as follows:
172.16.1.30 -> 172.16.10.60
This traffic does not match the enabled IPsec rules "Rule2" or "Rule3", and the only matching rule, "Rule1", is disabled. So, no IPsec encryption will be achieved.
QUESTION 155
Hotspot Question
You have 100 computers that run Windows 10 and are members of a workgroup.
You need to configure Windows Defender to meet the following requirements:
- Exclude C:\Sales\Salesdb from malware scans.
- Configure a full scan to occur daily.
What should you run to meet each requirement?
Answer:
Explanation:
Exclude C:\Sales\Salesdb from malware scans: Set-MpPreference
Configure a full scan to occur daily: Set-MpPreference
https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
Set-MpPreference -ExclusionPath C:\Sales\Salesdb
Set-MpPreference -RemediationScheduleDay Everyday
QUESTION 156
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
You need to install Microsoft Advanced Threat Analytics (ATA) on Server1 and Server2.
Which four actions should you perform in sequence?
Answer:
Explanation:
Correct order of actions:
1. Install ATA Center (on Server1 for example)
2. Install ATA Gateway (on Server2 for example, if Server2 has internet connectivity)
3. Set the ATA Gateway configuration settings. (Register Server2 ATA Gateway to Server1's ATA Center)
4. Install the ATA Lightweight Gateway.
Since there is no switch-based port mirroring choice to capture the domain controllers' inbound and outbound traffic, installing the ATA Lightweight Gateway on DCs to forward security-related events to ATA Center is necessary.
QUESTION 157
Hotspot Question
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You need to create an Encrypting File System (EFS) data recovery certificate and then add the certificate as an EFS data recovery agent on Server5.
What should you use on Server5? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
To create the EFS data recovery certificate: Cipher
To add the certificate as an EFS data recovery agent: Local Group Policy Editor
https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verifyan-efs-dra-certificate
cipher /R
QUESTION 158
Drag and Drop Question
Your network contains an Active Directory domain.
You install Security Compliance Manager (SCM) 4.0 on a server that runs Windows Server 2016.
You need to modify a baseline, and then make the baseline available as a domain policy.
Which four actions should you perform in sequence?
Answer:
QUESTION 159
Hotspot Question
You have 10 Hyper-V hosts that run Windows Server 2016.
Each Hyper-V host has eight virtual machines that run a distributed web application named App1.
You plan to implement a Software Load Balancing (SLB) solution for client access to App1.
You deploy two new virtual machines named SLB1 and SLB2.
You need to install the required components on the Hyper-V hosts and the new servers for the planned implementation.
Which components should you install? Select the appropriate options in the selection area.
Answer:
Explanation:
Component to install on SLB1 and SLB2: SLB Multiplexer (MUX)
Component to install on each Hyper-V host: SLB Host Agent
https://blogs.technet.microsoft.com/tip_of_the_day/2016/06/28/tip-of-the-day-demystifying-software-definednetworking-terms-the-components/
https://technet.microsoft.com/en-us/library/mt632286.aspx
SLB Host Agent: When you deploy SLB, you must use System Center, Windows PowerShell, or another management application to deploy the SLB Host Agent on every Hyper-V host computer. You can install the SLB Host Agent on all versions of Windows Server 2016 that provide Hyper-V support, including Nano Server.
SLB MUX: Part of the Software Load Balancer (SLB) on Windows Server 2016, the SLB MUX processes inbound network traffic and maps VIPs (virtual IPs) to DIPs (datacenter IPs), then forwards the traffic to the correct DIP. Each MUX also uses BGP to publish VIP routes to edge routers. BGP Keep Alive notifies MUXes when a MUX fails, which allows active MUXes to redistribute the load in case of a MUX failure, essentially providing load balancing for the load balancers.
QUESTION 160
Drag and Drop Question
You configure Just Enough Administration (JEA).
You need to ensure that a non-administrator user can perform the following actions:
- Restart Internet Information Services (IIS)
- Restart a custom service named Service1.
How should you complete the role configuration file? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
VisibleExternalCommands = 'C:\Windows\system32\iisreset.exe'
VisibleCmdlets = @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Service1' } }
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
QUESTION 161
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management, you create an AppLocker rule.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx
QUESTION 162
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management, you create a software restriction policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx
QUESTION 163
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a volume named Volume1.
A central access policy named Policy1 is deployed to the domain.
You need to apply Policy1 to Volume1.
Which tool should you use?
A. File Explorer
B. Shared Folders
C. Server Manager
D. Disk Management
E. Storage Explorer
F. Computer Management
G. System Configuration
H. File Server Resource Manager (FSRM)
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-#BKMK_1.4
QUESTION 164
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com.
All domain controllers run Windows Server 2016.
Member servers run either Windows Server 2012 R2 or Windows Server 2016.
Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are transferred over the network.
Solution: You disable SMB 1.0 on all the computers in the domain, and then you enable the Encrypt data access option on each file share.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 165
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On Server1, you enable the Containers feature, and then you install the PowerShell for Docker module. You restart the server.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploy-containers-on-server
QUESTION 166
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On Server1, you enable the Containers feature, and then you install the Hyper-V server role. You restart the server.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploy-containers-on-server
QUESTION 167
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On Server1, you enable the Containers feature, and then you restart the server.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploy-containers-on-server
QUESTION 168
Your network contains an Active Directory domain named contoso.com.
The domain contains a certification authority (CA).
You need to implement code integrity policies and sign them by using certificates issued by the CA.
You plan to use the same certificate to sign policies on multiple computers.
You duplicate the Code Signing certificate template and name the new template CodeIntegrity.
How should you configure the CodeIntegrity template?
A. Enable the Allow private key to be exported setting and modify the Key Usage extension.
B. Disable the Allow private key to be exported setting and modify the Application Policies extension.
C. Disable the Allow private key to be exported setting and disable the Basic Constraints extension.
D. Enable the Allow private key to be exported setting and enable the Basic Constraints extension.
Answer: D
Explanation:
https://blogs.technet.microsoft.com/ukplatforms/2017/05/04/create-code-integrity-signing-certificate/
QUESTION 169
Your network contains an Active Directory domain named contoso.com.
The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You discover that the members of a group named FinanceAdministartors can view the password of the local Administrator accounts on the servers in an organizational unit (OU) named FinanceServers.
You need to prevent the FinanceAdministartors members from viewing the local administrators' passwords on the servers in FinanceServers.
Which permission should you remove from FinanceAdministartors?
A. all extended rights
B. read all properties
C. read permissions
D. list contents
Answer: A
Explanation:
https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/
QUESTION 170
You have a file server named FS1 that runs Windows Server 2016.
You plan to disable SMB 1.0 on the server.
You need to verify which computers access FS1 by using SMB 1.0. What should you run first?
A. Debug-FileShare
B. Set-FileShare
C. Set-SmbShare
D. Set-SmbServerConfiguration
E. Set-SmbClientConfiguration
Answer: D
QUESTION 171
You plan to enable Credential Guard on four servers.
Credential Guard secrets will be bound to the TPM.
The servers run Windows Server 2016 and are configured as shown in the following table.
You need to identify which server you must modify to support the planned implementation.
Which server should you identify?
A. Server1
B. Server2
C. Server3
D. Server4
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements
QUESTION 172
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2.
The domain has Dynamic Access Control enabled.
Server1 contains a folder named C:\Folder1. Folder1 is shared as Share1.
You need to audit all access to the contents of Folder1 from Server2.
The solution must minimize the number of event log entries.
Which two audit policies should you enable on Server1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Global Object Access - File System
B. Object Access - Audit Detailed File Share
C. Object Access - Audit Other Object Access Events
D. Object Access - Audit File System
E. Object Access - Audit File Share
Answer: BE
Explanation:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
QUESTION 173
Your network contains an Active Directory forest named contoso.com.
The forest contains three domains.
All domain controllers run Windows Server 2016.
You deploy a second Active Directory forest named admin.contoso.com.
The forest contains a domain member server named Server1.
Server1 has Microsoft Identity Manager (MIM) 2016 deployed.
You need to implement Privileged Access Management (PAM) and to use admin.contoso.com as an administrative forest.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From Server1, run the New-PAMTrust cmdlet.
B. From a domain controller in contoso.com, run the New-PAMDomainConfiguration cmdlet.
C. From a domain controller in admin.contoso.com, run the New-PAMTrust cmdlet.
D. From a domain controller in contoso.com, run the New-PAMTrust cmdlet.
E. From a domain controller in admin.contoso.com, run the New-PAMDomainConfiguration cmdlet.
F. From Server1, run the New-PAMDomainConfiguration cmdlet.
Answer: AF
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corpforests
QUESTION 174
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You run the New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound -LocalPort 8080 -Protocol TCP -Action Allow -Profile Domain command.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 175
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080, uses a scope of 172.16.0.0/16 for local IP addresses, and applies to a private profile.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd448531(v=ws.10)
QUESTION 176
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You run the New-NetFirewallRule -DisplayName "Rule1" -Direction Inbound -Program "D:\Apps\App1.exe" -Action Allow -Profile Domain command.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
QUESTION 177
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Kerberos Policy.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
QUESTION 178
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a file server that runs Windows Server 2016.
The file server contains the volumes configured as shown in the following table.
You need to encrypt DevFiles by using BitLocker Drive Encryption (BitLocker).
Solution: You run the Lock-BitLocker cmdlet.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://docs.microsoft.com/en-us/powershell/module/bitlocker/lock-bitlocker?view=win10-ps
QUESTION 179
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a file server that runs Windows Server 2016.
The file server contains the volumes configured as shown in the following table.
You need to encrypt DevFiles by using BitLocker Drive Encryption (BitLocker).
Solution: You run the manage-bde.exe command and specify the -on parameter.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-on
QUESTION 180
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a file server that runs Windows Server 2016.
The file server contains the volumes configured as shown in the following table.
You need to encrypt DevFiles by using BitLocker Drive Encryption (BitLocker).
Solution: You run the Enable-BitLocker cmdlet.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlocker?view=win10-ps
QUESTION 181
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
You need to allow network administrators to use Just Enough Administration (JEA) to change the TCP/IP settings on Server1.
The solution must use the principle of least privilege.
How should you configure the session configuration file?
A. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.
B. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.
C. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Network Configuration Operators.
D. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Network Configuration Operators.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssessionconfigurationfile?view=powershell-6
QUESTION 182
Your network contains an Active Directory domain named contoso.com.
You download Microsoft Security Compliance Toolkit 1.0 and all the security baselines.
You need to deploy one of the security baselines to all the computers in an organizational unit (OU) named OU1.
What should you do?
A. Run lgpo.exe and specify the /g parameter. From Policy Analyzer, click Add.
B. From Group Policy Management, create and link a Group Policy object (GPO). Select the GPO and run the Import Settings Wizard.
C. From Group Policy Management, click Group Policy Objects, and then click Manage Backups...
D. From Group Policy Management, create and link a Group Policy object (GPO). Run lgpo.exe and specify the /g parameter.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
QUESTION 183
You have a virtual machine named FS1 that runs Windows Server 2016.
FS1 has the shared folders shown in the following table.
You need to ensure that each user can store 10 GB of files in \\FS1\Users.
What should you do?
A. From File Explorer, open the properties of volume D, and then modify the Quota settings.
B. Install the File Server Resource Manager role service, and then create a file screen.
C. From File Explorer, open the properties of D:\Users, and then modify the Advanced sharing settings.
D. Install the File Server Resource Manager role service, and then create a quota.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/windows-server/storage/fsrm/create-quota
QUESTION 184
Your network has an internal network and a perimeter network.
Only the servers on the perimeter network can access the Internet.
You create a Microsoft Operations Management Suite (OMS) instance in Microsoft Azure.
You deploy Microsoft Monitoring Agent to all the servers on both the networks.
You discover that only the servers on the perimeter network report to OMS.
You need to ensure that all the servers report to OMS.
What should you do?
A. Install a Web Application Proxy on the perimeter network and install an OMS Gateway on the internal network. Publish the OMS Gateway from the Web Application Proxy.
B. Install a Web Application Proxy and an OMS Gateway on the perimeter network. Publish the OMS Gateway from the Web Application Proxy.
C. Configure the network firewalls to allow the internal servers to access the IP addresses of the Azure OMS instance by using TCP port 443.
D. On the internal servers, run the Add-AzureRmUsageConnect cmdlet and specify the -AdminUri parameter.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway
QUESTION 185
Your network contains an Active Directory domain named contoso.com.
The domain contains a member server named Server5 that runs Windows Server 2016.
You need to configure Server5 as a Just Enough Administration (JEA) endpoint.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Generate a random Globally Unique Identifier (GUID).
B. Create and export a Windows PowerShell session.
C. Create and register a session configuration file.
D. Deploy Microsoft Identity Manager (MIM) 2016.
E. Create a maintenance Role Capability file.
Answer: CE
Explanation:
https://docs.microsoft.com/en-us/powershell/jea/session-configurations
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
QUESTION 186
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
You have a server named Server1 that runs Windows Server 2016.
You need to identify the default action for the inbound traffic when Server1 connects to the domain.
Which cmdlet should you use?
A. Get-NetIPSecRule
B. Get-NetFirewallRule
C. Get-NetFirewallProfile
D. Get-NetFirewallSetting
E. Get-NetFirewallPortFilter
F. Get-NetFirewallAddressFilter
G. Get-NetFirewallSecurityFilter
H. Get-NetFirewallApplicationFilter
Answer: C
Explanation:
https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallprofile?view=win10-ps
QUESTION 187
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
You have a server named Server1 that runs Windows Server 2016. You need to identify whether any connection security rules are configured on Server1.
  • 144. Get Latest & Actual 70-744 Exam's Question and Answers from Passleader. http://www.passleader.com 143 Which cmdlet should you use? A. Get-NetIPSecRule B. Get-NetFirewallRule C. Get-NetFirewallProfile D. Get-NetFirewallSetting E. Get-NetFirewallPortFilter F. Get-NetFirewallAddressFilter G. Get-NetFirewallSecurityFilter H. Get-NetFirewallApplicationFilter Answer: A Explanation: https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netipsecrule? view=win10-ps QUESTION 188 Your company has an accounting department. The network contains an Active Directory domain named contoso.com. the domain contains 10 servers. You deploy a new server named Server11 that runs Windows Server 2016. Server11 will host several network applications and network shares used by the accounting department. You need to recommend a solution for Server11 that meets the following requirements: - Protects Server11 from address spoofing and session hijacking - Allows only the computers in the accounting department to connect to Server11 What should you recommend implementing? A. Just Enough Administration (JEA) B. AppLocker rules C. Privileged Access Management (PAM) D. connection security rules Answer: D Explanation: https://support.microsoft.com/en-us/help/942957/security-rules-for-windows-firewall-and-for- ipsec-based-connections-in QUESTION 189 Drag and Drop Question You have two servers named Server1 and Server2 that run Windows Server 2016. The servers are in a workgroup. You need to create a security template that contains the security settings of Server1 and to apply the template to Server2. The solution must minimize administrative effort. Which snap-in should you use for each server? To answer, drag the appropriate snap-ins to the
correct servers. Each snap-in may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://www.windows-server-2012-r2.com/security-templates.html
QUESTION 190
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Gateway on a server named Server1.
To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect events.
You need to configure the query filter for event subscriptions on Server1.
How should you configure the query filter? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
QUESTION 191
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com.
The domain contains a user named User1 and a computer named Computer1.
Remote Server Administration Tools (RSAT) is installed on Computer1.
You need to add User1 as a data recovery agent in the domain.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
https://msdn.microsoft.com/library/cc875821.aspx#EJAA
https://www.serverbrain.org/managing-security-2003/using-the-cipher-command-to-add-data-recovery-agent.html
QUESTION 192
Hotspot Question
Your network contains several Windows container hosts.
You plan to deploy three custom .NET applications.
You need to recommend a deployment solution for the applications. Each application must:
- Be accessible by using a different IP address.
- Have access to a unique file system.
- Start as quickly as possible.
What should you recommend? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
https://docs.microsoft.com/en-us/dotnet/standard/modernize-with-azure-and-containers/modernize-existing-apps-to-cloud-optimized/deploy-existing-net-apps-as-windows-containers
https://blogs.msdn.microsoft.com/msgulfcommunity/2015/06/20/what-is-windows-server-containers-and-hyper-v-containers/
QUESTION 193
Hotspot Question
You plan to implement a guarded fabric in TPM-trusted attestation mode.
The fabric will contain a three-node Host Guardian Service (HGS) cluster and four guarded hosts.
All the hosts will have matching hardware and will run the same workload.
You need to add the hosts to the HGS cluster.
What is the minimum number of times you must run each cmdlet to implement the HGS cluster? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-tpm-trusted-attestation-capturing-hardware
QUESTION 194
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
The hardware configuration on Server1 meets the requirements for Credential Guard.
You need to enable Credential Guard on Server1.
What should you do? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage#hardware-readiness-tool
QUESTION 195
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2016.
A user named User1 is a member of the local Administrators group.
Server1 has the AppLocker rules configured as shown in the exhibit. (Click the Exhibit button.)
Rule1 and Rule2 are configured as shown in the following table.
You verify that User1 is unable to run App2.exe on Server1.
Which changes will allow User1 to run D:\Folder1\Program.exe and D:\Folder2\App2.exe? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
https://technet.microsoft.com/en-us/library/ee449492(v=ws.11).aspx
QUESTION 196
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You plan to deploy an application named App1.exe.
You need to verify whether Control Flow Guard is enabled for App1.exe.
Which command should you run? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
QUESTION 197
Hotspot Question
You have a Hyper-V host named Server1 that runs Windows Server 2016.
Server1 hosts the virtual machines configured as shown in the following table.
All the virtual machines have two volumes named C and D.
You plan to implement BitLocker Drive Encryption (BitLocker) on the virtual machines.
Which virtual machines can have their volumes protected by using BitLocker? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/upgrade-virtual-machine-version-in-hyper-v-on-windows-or-windows-server
http://www.shulerent.com/2012/09/04/locking-down-a-virtual-machine-with-bitlocker/
QUESTION 198
Hotspot Question
You manage a guarded fabric in TPM-trusted attestation mode.
You plan to create a virtual machine template disk for shielded virtual machines.
You need to create the virtual machine disk that you will use to generate the template.
How should you configure the disk? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-configuration-scenarios-for-shielded-vms-overview
https://docs.microsoft.com/en-us/system-center/dpm/what-s-new-in-dpm-2016?view=sc-dpm-1801
QUESTION 199
Hotspot Question
Your network contains two Active Directory forests named adatum.com and priv.adatum.com.
You deploy Microsoft Identity Manager (MIM) 2016 to the priv.adatum.com domain, and you implement Privileged Access Management (PAM).
You create a PAM role named Group1 as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Answer:
Explanation:
https://tlktechidentitythoughts.wordpress.com/2016/09/07/mim-2016-setting-up-privileged-access-management-pam-in-an-existing-domain-using-the-built-in-pam-tool/
QUESTION 200
Drag and Drop Question
Your network contains an Active Directory domain named contoso.com.
The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2016.
You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Answer:
Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-setting-up-the-host-guardian-service-hgs
QUESTION 201
Hotspot Question
You are implementing Privileged Access Management (PAM) for an Active Directory forest named contoso.com.
You install a bastion forest named adatum.com, and you establish a trust between the forests.
You need to create a group in contoso.com that will be used by Microsoft Identity Manager to create groups in adatum.com.
How should you configure the group? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment