Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2016. The forest contains 2,000 client computers that run Windows 10. All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy 10 physical computers and configure them as PAWs. You deploy 10 additional computers and configure them by using the customized Windows image.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
References:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privilegedaccess-workstations
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2016. The forest contains 2,000 client computers that run Windows 10. All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy 10 physical computers and configure each one as a virtualization host. You deploy the operating system on each host by using the customized Windows image. On each host, you create a guest virtual machine and configure the virtual machine as a PAW.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privilegedaccess-workstations
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2016. The forest contains 2,000 client computers that run Windows 10. All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy one physical computer and configure it as Hyper-V host that runs Windows Server 2016. You create 10 virtual machines and configure each one as a PAW.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privilegedaccess-workstations
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contain an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management, you create an AppLocker rule.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References:
https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contain an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Group Policy Management, you create software restriction policy.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References:
https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contain an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally.
Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network.
Solution: From Windows Firewall in the Control Panel, you add an application and allow the application to communicate through the firewall on a Private network.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References:
http://www.online-tech-tips.com/windows-10/adjust-windows-10-firewall-settings/
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), you link the GPO to the Servers OU, and then you modify the Users Rights Assignment in the GPO.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References: https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You add User1 to the Backup Operators group in contoso.com.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
References:
https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2016. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.
You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), link it to the Operations Users OU, and modify the Users Rights Assignment in the GPO.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References:
https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
– The resources of the applications must be isolated from the physical host.
– Each application must be prevented from accessing the resources of the other applications.
– The configurations of the applications must be accessible only from the operating system that hosts the application.
Solution: You deploy a separate Windows container for each application.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
References:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
– The resources of the applications must be isolated from the physical host.
– Each application must be prevented from accessing the resources of the other applications.
– The configurations of the applications must be accessible only from the operating system that hosts the application.
Solution: You deploy a separate Hyper-V container for each application.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
References:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network to meet the following requirements:
– The resources of the applications must be isolated from the physical host.
– Each application must be prevented from accessing the resources of the other applications.
– The configurations of the applications must be accessible only from the operating system that hosts the application.
Solution: You deploy one Windows container to host all of the applications.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run Windows 10.
A security audit reveals that the network recently experienced a Pass-the-Hash attack. The attack was initiated from a client computer and accessed Active Directory objects restricted to the members of the Domain Admins group.
You need to minimize the impact of another successful Pass-the-Hash attack on the domain.
What should you recommend?
- A . Instruct all users to sign in to a client computer by using a Microsoft account.
- B . Move the computer accounts of all the client computers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.
- C . Instruct all administrators to use a local Administrators account when they sign in to a client computer.
- D . Move the computer accounts of the domain controllers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.
C
Explanation:
References: https://en.wikipedia.org/wiki/Pass_the_hash#Mitigations
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2016.
You create a new bastion forest named admin.contoso.com. The forest functional level of admin.contoso.com is Windows Server 2012 R2.
You need to implement a Privileged Access Management (PAM) solution.
Which two actions should you perform? Each correct answer presents part of the solution.
- A . Raise the forest functional level of admin.contoso.com.
- B . Deploy Microsoft Identify Management (MIM) 2016 to admin.contoso.com.
- C . Configure contoso.com to trust admin.contoso.com.
- D . Deploy Microsoft Identity Management (MIM) 2016 to contoso.com.
- E . Raise the forest functional level of contoso.com.
- F . Configure admin.contoso.com to trust contoso.com.
AC
Explanation:
References:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/hardware-software-requirements https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
Server1 is configured as a domain controller. You configure Server1 as a Just Enough Administration (JEA) endpoint. You configure the required JEA rights for a user named User1.
You need to tell User1 how to manage Active Directory objects from Server2.
What should you tell User1 to do first on Server2?
- A . From a command prompt, runntdsutil.exe.
- B . From Windows PowerShell, run the Import-Module cmdlet.
- C . From Windows PowerShell, run the Enter-PSSession cmdlet.
- D . Install the management consoles for Active Directory, and then launch Active Directory Users and Computers.
C
Explanation:
References:
https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/
Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers. You deploy the Local Administrator Password Solution (LAPS) to the network. You deploy a new server named FinanceServer5, and join FinanceServer5 to the domain. You need to ensure that the passwords of the local administrators of FinanceServer5 are available to the LAPS administrators.
What should you do?
- A . On FinanceServer5, register AdmPwd.dll.
- B . On FinanceServer5, install the LAPS Windows PowerShell module.
- C . In the domain, modify the permissions for the computer account of FinanceServer5.
- D . In the domain, modify the permissions of the Domain Controllers organizational unit (OU).
A
Explanation:
References:
https://gallery.technet.microsoft.com/Step-by-Step-Deploy-Local-7c9ef772
Your network contains an Active Directory domain named contoso.com. The domain contains four servers.
The servers are configured as shown in the following table.
You need to manage FS1 and FS2 by using Just Enough Administration (JEA).
What should you do before you can implement JEA?
- A . Install Microsoft.NET Framework 4.6.2 on FS2.
- B . Install Microsoft.NET Framework 4.6.2 on FS1.
- C . Install Windows Management Framework 5.0 on FS2.
- D . Upgrade DC1 to Windows Server 2016.
C
Explanation:
References:
https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/
HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest has Microsoft Identity Manager (MIM) 2016 deployed. You implement Privileged Access Management (PAM). You need to request privileged access from a client computer in contoso.com by using PAM.
How should you complete the Windows PowerShell script? To answer, select the appropriate options in the answer area.
Explanation:
References:
https://technet.microsoft.com/en-us/library/mt604089.aspx https://technet.microsoft.com/en-us/library/mt604084.aspx
Your network contains an Active Directory domain named contoso.com. The domain contains five servers. All servers run Windows Server 2016.
A new security policy states that you must modify the infrastructure to meet the following requirements:
* Limit the nghts of administrators.
* Minimize the attack surface of the forest
* Support Multi-Factor authentication for administrators.
You need to recommend a solution that meets the new security policy requirements.
What should you recommend deploying?
- A . an administrative forest
- B . domain isolation
- C . an administrative domain in contoso.com
- D . the Local Administrator Password Solution (LAPS)
A
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM
Your network contains two single-domain Active Directory forests named contoso.com and contosoadmin.com. Contosoadmin.com contains all of the user accounts used to manage the servers in contoso.com.
You need to recommend a workstation solution that provides the highest level of protection from vulnerabilities and attacks.
What should you include in the recommendation?
- A . Provide a Privileged Access Workstation (PAW) for each user account in both forests. Join each PAW to the contoso.com domain.
- B . Provide a Privileged Access Workstation (PAW) for each user in the contoso.com forest. Join each PAW to the contoso.com domain.
- C . Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contoso.com domain.
- D . Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contosoadmin.com domain.
D
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-accessworkstations
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2016.
The domain contains a server named Server1.
You export the security baseline shown in the following exhibit.
You have a server named Server2 that is a member of a workgroup.
You copy the {2617e9b1-9672-492b-aefa-0505054848c2} folder to Server2.
You need to deploy the baseline settings to Server2.
What should you do?
- A . Download and then run the Lgpo.exe command.
- B . From Group Policy Management, import a Group Policy object (GPO).
- C . From Windows PowerShell, run the Restore-GPO cmdlet.
- D . From Windows PowerShell, run the Import-GPO cmdlet.
- E . From a command prompt, run the secedit.exe command and specify the /import parameter.
A
Explanation:
References:
https://anytecho.wordpress.com/2015/05/22/importing-group-policies-using-powershell-almost/
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
A technician is testing the deployment of Credential Guard on Server1.
You need to verify whether Credential Guard is enabled on Server1.
What should you do?
- A . From a command prompt, run the credwiz.exe command.
- B . From Task Manager, review the processes listed on the Details tab.
- C . From Server Manager, click Local Server, and review the properties of Server1.
- D . From Windows PowerShell, run the Get-WsManCredSSP cmdlet.
- E . From a command prompt, run the tsecimp.exe command.
- F . From Control Panel, open Credential Manager, and review the list of Windows Credentials.
B
Explanation:
References: https://yungchou.wordpress.com/2016/10/10/credential-guard-made-easy-in-windows-10version-1607/
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
The services on Server1 are shown in the following output.
Server1 has the AppLocker rules configured as shown in the exhibit. (Click the Exhibit button.)
Rule1 and Rule2 are configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Your network contains an Active Directory domain named contoso.com. You install the Windows Server Update Services server role on a member server named Server1. Server1 runs Windows Server 2016.
You need to ensure that a user named User1 can perform the following tasks:
* View the Windows Server Update Services (WSUS) configuration.
* Generate WSUS update reports.
The solution must use the principle of least privilege.
What should you do on Server1?
- A . Modify the permissions of the ReportWebService virtual folder from the WSUS Administration website.
- B . Add User1 to the WSUS Reporters local group.
- C . Add User1 to the WSUS Administrators local group.
- D . Run wsusutil.exe and specify the postinstall parameter.
B
Explanation:
References:
https://technet.microsoft.com/en-us/library/hh852346(v=ws.11).aspx#BKMK_ConfigComputerGroups
HOTSPOT
You network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Secure that contains all server. You install Microsoft Security Compliance Manager (SCM) 4.0 on a server named Server1. You need to export the SCM Print Server Security baseline and to deploy the baseline to a server named Server2.
What should you do? To answer, select the appropriate options in the answer area.
Explanation:
References:
http://www.techrepublic.com/blog/it-security/use-ms-security-compliance-manager-to-secure-yourwindows-environment/https://technet.microsoft.com/en-us/library/hh489604.aspx
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server5 that has the Windows Server Update Services server role installed.
You need to configure Windows Server Update Services (WSUS) on Server5 to use SSL.
You install a certificate in the local Computer store.
Which two tools should you use? Each correct answer presents part of the solution.
- A . Wsusutil
- B . Netsh
- C . Internet Information Services (IIS) Manager
- D . Server Manager
- E . Update Services
AC
Explanation:
References:
https://technet.microsoft.com/en-us/library/hh852346(v=ws.11).aspx#bkmk_3.5.ConfigSSL
Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run Windows 8.1 and 1,000 client computers that run Windows 10.
You deploy a Windows Server Update Services (WSUS) server. You create a computer group for each organizational unit (OU) that contains client computers. You configure all of the client computers to receive updates from WSUS.
You discover that all of the client computers appear in the Unassigned Computers computer group in the Update Services console.
You need to ensure that the client computers are added automatically to the computer group that corresponds to the location of the computer account in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
- A . From Group Policy objects (GPOs), configure the Enable client-side targeting setting.
- B . From the Update Services console, configure the Computers option.
- C . From Active Directory Users and Computers, create a domain local distribution group for each WSUS computer group.
- D . From Active Directory Users and Computers, modify the flags attribute of each OU.
AB
Explanation:
References:
https://technet.microsoft.com/en-us/library/dd252762.aspx https://technet.microsoft.com/en-us/library/cc720433(v=ws.10).aspx
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a volume named Volume1.
A central access policy named Policy1 is deployed to the domain.
You need to apply Policy1 to Volume1.
Which tool should you use?
- A . File Explorer
- B . Shared Folders
- C . Server Manager
- D . Disk Management
- E . Storage Explorer
- F . Computer Management
- G . System Configuration
- H . File Server Resource Manager (FSRM)
A
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy-demonstration-steps-#BKMK_1.4
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a shared folder named Share1.
You need to encrypt the contents to Share1.
Which tool should you use?
- A . File Explorer
- B . Shared Folders
- C . Server Manager
- D . Disk Management
- E . Storage Explorer
- F . Computer Management
- G . System Configuration
- H . File Server Resource Manager (FSRM)
A
Explanation:
References:
https://msdn.microsoft.com/en-us/library/dd163562.aspx
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a shared folder named Share1.
You need to ensure that all access to Share1 uses SMB Encryption.
Which tool should you use?
- A . File Explorer
- B . Shared Folders
- C . Server Manager
- D . Disk Management
- E . Storage Explorer
- F . Computer Management
- G . System Configuration
- H . File Server Resource Manager (FSRM)
C
Explanation:
References:
https://support.microsoft.com/en-za/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windowsserver-2012
https://blogs.technet.microsoft.com/filecab/2012/05/03/smb-3-security-enhancements-in-windows-server2012/
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016 and a Nano Server named Nano1.
Nano1 has two volumes named C and D.
You are signed in to Server1.
You need to configure Data Deduplication on Nano1.
Which tool should you use?
- A . File Explorer
- B . Shared Folders
- C . Server Manager
- D . Disk Management
- E . Storage Explorer
- F . Computer Management
- G . System Configuration H. File Server Resource Manager (FSRM)
C
Explanation:
References:
https://technet.microsoft.com/en-us/library/hh831434(v=ws.11).aspx
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2016.
You need to create Work Folders on Server1.
Which tool should you use?
- A . File Explorer
- B . Shared Folders
- C . Server Manager
- D . Disk Management
- E . Storage Explorer
- F . Computer Management
- G . System Configuration
- H . File Server Resource Manager (FSRM)
C
Explanation:
References:
https://blogs.technet.microsoft.com/canitpro/2015/01/19/step-by-step-creating-a-work-folders-test-labdeployment-in-windows-server-2012-r2/
https://technet.microsoft.com/en-us/library/dn265974(v=ws.11).aspx
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has a volume named Volume1.
Dynamic Access Control is configured. A resource property named Property1 was created in the domain.
You need to ensure that Property1 is set to a value of Big for all of the files in Volume1 that are larger than 10 MB.
Which tool should you use?
- A . File Explorer
- B . Shared Folders
- C . Server Manager
- D . Disk Management
- E . Storage Explorer
- F . Computer Management
- G . System Configuration
- H . File Server Resource Manager (FSRM)
H
Explanation:
References:
https://technet.microsoft.com/en-us/library/cc732431(v=ws.11).aspx
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1. You need to execute D:Folder1 on Nano1 from being scanned by Windows Defender.
Which cmdlet should you run?
- A . Set-StorageSetting
- B . Set-FsrmFileScreenException
- C . Set-MpPreference
- D . Set-DtcAdvancedSetting
C
Explanation:
References:
http://www.thomasmaurer.ch/2016/07/how-to-disable-and-configure-windows-defender-on-windowsserver-2016-using-powershell/
HOTSPOT
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
You need to ensure that you can implement the Local Administrator Password Solution (LAPS) for the finance department computers.
What should you do in the contoso.com forest? To answer, select the appropriate options in the answer area.
Explanation:
References:
https://learn-powershell.net/2016/10/08/setting-up-local-administrator-password-solution-laps/
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1. You need to ensure that the marketing department computers validate DNS responses from adatum.com.
Which setting should you configure in the Computer Configuration node of GP1?
- A . TCPIP Settings from Administrative Templates
- B . Connection Security Rule from Windows Settings
- C . DNS Client from Administrative Templates
- D . Name Resolution Policy from Windows Settings
D
Explanation:
References:
https://technet.microsoft.com/en-us/library/ee649182(v=ws.10).aspx
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
You need to ensure that you can deploy a shielded virtual machine to Server4.
Which server role should you deploy?
- A . Hyper-V
- B . Device Health Attestation
- C . Network Controller
- D . Host Guardian Service
D
Explanation:
References:
https://blogs.technet.microsoft.com/datacentersecurity/2016/03/16/windows-server-2016-and-hostguardian-service-for-shielded-vms/
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.
You install Windows Defender on Nano1.
You need to disable SMB 1.0 on Server2.
What should you do?
- A . From File Server Resource Manager, create a classification rule.
- B . From the properties of each network adapter on Server2, modify the bindings.
- C . From Windows PowerShell, run the Set-SmbClientConfiguration cmdlet.
- D . From Server Manager, remove a Windows feature.
D
Explanation:
References:
https://support.microsoft.com/en-za/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windowsserver-2012
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10. You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You
have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1. You plan to implement BitLocker Drive Encryption (BitLocker) on the operating system volumes of the
application servers. You need to ensure that the BitLocker recovery keys are stored in Active Directory.
Which Group Policy setting should you configure?
- A . System cryptography: Force strong key protection for user keys stored on the computer
- B . Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
- C . System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
- D . Choose how BitLocker-protected operating system drives can be recovered.
D
Explanation:
References:
https://technet.microsoft.com/en-us/library/jj679890(v=ws.11).aspx#BKMK_rec3
Your network contains an Active Directory domain named contoso.com. You are deploying Microsoft Advanced Threat Analytics (ATA). You create a user named User1. You need to configure the user account of User1 as a Honeytoken account.
Which information must you use to configure the Honeytoken account?
- A . The SAM account name of User1
- B . The Globally Unique Identifier (GUID) of User1
- C . the SID of User1
- D . the UPN of User1
Your network contains an Active Directory domain named contoso.com. You create a Microsoft Operations Management Suite (OMS) workspace. You need to connect several computers directly to the workspace.
Which two pieces of information do you require? Each correct answer presents part of the solution.
- A . the ID of the workspace
- B . the name of the workspace
- C . the URL of the workspace
- D . the key of the workspace
AD
Explanation:
References:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1.
Server1 is configured as shown in the following table.
You plan to create a pilot deployment of Microsoft Advanced Threat Analytics (ATA). You need to install the ATA Center on Server1.
What should you do first?
- A . Install Microsoft Security Compliance Manager (SCM).
- B . Obtain an SSL certificate.
- C . Assign an additional IPv4 address.
- D . Remove Server1 from the domain.
B
Explanation:
References:
https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/install-ata-step1
Your network contains an Active Directory domain named contoso.com. The domain contains five file servers that run Windows Server 2016. You have an organizational unit (OU) named Finance that contains all of the servers.
You create a Group Policy object (GPO) and link the GPO to the Finance OU. You need to ensure that when a user in the finance department deletes a file from a file server, the event is logged. The solution must log only users who have a manager attribute of Ben Smith.
Which audit policy setting should you configure in the GPO?
- A . File system in Global Object Access Auditing
- B . Audit Detailed File Share
- C . Audit Other Account Logon Events
- D . Audit File System in Object Access
A
Explanation:
References:
https://technet.microsoft.com/en-us/library/cc976403.aspx
Your network contains an Active Directory domain named contoso.com. The domain contains a server
named Server1 that runs Windows Server 2016. You have an organizational unit (OU) named Administration that contains the computer account of Server1.
You import the Active Directory module to Server1. You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU. You need to log an event each time an Active Directory cmdlet is executed successfully from Server1.
What should you do?
- A . From Advanced Audit Policy in GPO1, configure auditing for directory service changes.
- B . Run the(Get-Module ActiveDirectory).LogPipelineExecutionDetails = $falsecommand.
- C . Run the(Get-Module ActiveDirectory).LogPipelineExecutionDetails = $truecommand.
- D . From Advanced Audit Policy in GPO1, configure for other privilege use events.
- E . From Administrative Templates in GPO1, configure an Event Logging policy.
C
Explanation:
References:
https://www.petri.com/enable-powershell-logging
HOTSPOT
Your network contains an Active Directory domain named adatum.com. The domain contains a file server named Server1 that runs Windows Server 2016. You have an organizational unit (OU) named OU1 that contains Server1. You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1. A user named User1 is a member of group named Group1.
The properties of User1 are shown in the User1 exhibit. (Click the Exhibit button.)
User1 has permissions to two files on Server1 configured as shown in the following table.
From Auditing Entry for Global File SACL, you configure the advanced audit policy settings in GPO1 as shown in the SACL exhibit. (Click the Exhibit button.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Explanation:
References: http://sourcedaddy.com/windows-7/auditing-file-and-folder-access.html
Your network contains an Active Directory domain named contoso.com. You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain. You install the ATA Center on server named Server1 and the ATA Gateway on a server named Server2. You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?
- A . the domain controllers to forward Event ID 4776 to Server2
- B . the domain controllers to forward Event ID 1000 to Server1
- C . Server2 to forward Event ID 1026 to Server1
- D . Server1 to forward Event ID 1000 to Server 2
A
Explanation:
References:
http://winrook.blogspot.co.za/2015/12/configuring-windows-event-forwarding.html
Your network contains an Active Directory forest named contoso.com. The network is connected to the Internet. You have 100 point-of-sale (POS) devices that run Windows 10. The devices cannot access the Internet. You deploy Microsoft Operations Management Suite (OMS). You need to use OMS to collect and analyze data from the POS devices.
What should you do first?
- A . Deploy Windows Server Gateway to the network.
- B . Install the OMS Log Analytics Forwarder on the network.
- C . Install Microsoft Data Management Gateway on the network.
- D . Install the Simple Network Management Protocol (SNMP) feature on the devices.
- E . Add the Microsoft NDIS Capture service to the network adapter of the devices.
B
Explanation:
References:
https://blogs.technet.microsoft.com/msoms/2016/03/17/oms-log-analytics-forwarder/
HOTSPOT
You plan to deploy three encrypted virtual machines that use Secure Boot.
The virtual machines will be configured as shown in the following table.
How should you protect each virtual machine? To answer, select the appropriate options in the answer area.
Explanation:
References:
https://cloudbase.it/hyperv-shielded-vms-part-1/
https://www.itprotoday.com/server-virtualization/difference-between-shielded-vm-and-encryptionsupported-vm
HOTSPOT
Your network contains two Active Directory forests named contoso.com and adatum.com. Contoso.com contains a Hyper-V host named Server1. Server1 is a member of a group named HyperHosts. Adatum.com contains a server named Server2. Server1 and Server2 run Windows Server 2016.
Contoso.com trusts adatum.com.
You plan to deploy shielded virtual machines to Server1 and to configure Admin-trusted attestation on Server2.
Which component should you install and which cmdlet should you run on Server2? To answer, select the appropriate options in the answer area.
Explanation:
References:
https://blogs.technet.microsoft.com/datacentersecurity/2016/03/16/windows-server-2016-and-hostguardian-service-for-shielded-vms/https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricadmin-trusted-attestation-creating-a-security-group
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012. The forest contains a single domain. The domain contains multiple Hyper-V hosts.
You plan to deploy guarded hosts.
You deploy a new server named Server22 to a workgroup.
You need to configure Server22 as a Host Guardian Service server.
What should you do before you initialize the Host Guardian Service on Server22?
- A . Install the Active Directory Domain Services server role on Server22.
- B . Obtain a certificate.
- C . Raise the forest functional level.
- D . Join Server22 to the domain.
A
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricprepare-for-hgs#prerequisites-for-the-host-guardian-service
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You network contains an Active Directory forest named contoso.com. All domain controllers run Windows Server 2016. Member servers run either Windows Server 2012 R2 or Windows Server 2016. Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are transferred over the network.
Solution: You disable SMB 1.0 on all the computers in the domain, and then you enable the Encrypt data access option on each file share.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You network contains an Active Directory forest named contoso.com. All domain controllers run Windows Server 2016. Member servers run either Windows Server 2012 R2 or Windows Server 2016. Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are transferred over the network.
Solution: You enable access-based enumeration on all the file shares.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On Server1, you enable the Containers feature, and then you install the PowerShell for Docker module. You restart the server.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
References: https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploycontainers-on-server
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On Server1, you enable the Containers feature, and then you install the Hyper-V server role. You restart the server.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References: https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploycontainers-on-server
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy Windows Server 2016 to a server named Server1.
You need to ensure that you can run Windows Containers on Server1.
Solution: On Server1, you enable the Containers feature, and then you restart the server.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References: https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploycontainers-on-server
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Security Options.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References: https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From Windows PowerShell, you run the Disable-WindowsOptionalFeature cmdlet.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References: https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
You need to prevent NTLM authentication on Server1.
Solution: From Windows PowerShell, you run the New-ADAuthenticationPolicy cmdlet.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References: https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named Server1 that runs Windows Server 2016. Server1 has a shared folder named Share1. You plan to create a subfolder in Share1 for each domain user. You need to limit each user to using 100 MB of data in their respective subfolder. The solution must enable the users to be notified when they use 80 percent of the available space in the subfolder.
Which tool should you use?
- A . File Explorer
- B . Shared Folders
- C . Server Manager
- D . Disk Management
- E . Storage Explorer
- F . Computer Management
- G . System Configuration
- H . File Server Resource Manager (FSRM)
H
Explanation:
References: https://4sysops.com/archives/file-server-resource-manager-fsrm-part-3-quota-management/
HOTSPOT
Your network contains an Active Directory named contoso.com
The domain contains the computers configured as shown in the following table.
Server1 has a share named Share1 that has the following configurations.
Server1, Computer1, and Computer2 have the connection security rules configured as shown in the exhibit. (Click the Exhibit button.) Exhibit:
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
DRAG DROP
You have two servers named Server1 and Server2 that run Windows Server 2016. The servers are in a workgroup. You need to create a security template that contains the security settings of Server1 and to apply the template to Server2. The solution must minimize administrative effort.
Which snap-in should you use for each server? To answer, drag the appropriate snap-ins to the correct servers. Each snap-in may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:
Explanation:
References: https://www.windows-server-2012-r2.com/security-templates.html
You are creating a Nano Server image for the deployment of 10 servers.
You need to configure the servers as guarded hosts that use Trusted Platform Module (TPM) attestation.
Which three packages should you include in the Nano Server image? Each correct answer presents part of the solution.
- A . Microsoft-NanoServer-SCVMM-Compute-Package
- B . Microsoft-NanoServer-SecureStartup-Package
- C . Microsoft-NanoServer-Compute-Package
- D . Microsoft-NanoServer-ShieldedVM-Package
- E . Microsoft-NanoServer-Storage-Package
- F . Microsoft-NanoServer-SCVMM- Package
BCD
Explanation:
References:
https://docs.microsoft.com/en-us/system-center/vmm/guarded-deploy-host?toc=/windows-server/virtualization/https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server
Your network contains an Active Directory domain named contoso.com. The domain contains several shielded virtual machines. You deploy a new server named Server1 that runs Windows Server 2016. You install the Hyper-V server role on Server1. You need to ensure that you can host shielded virtual machines on Server1.
What should you install on Server1?
- A . Host Guardian Hyper-V Support
- B . the Windows Biometric Framework (WBF)
- C . VM Shielding Tools for Fabric Management
- D . BitLocker Network Unlock
A
Explanation:
References: https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-guarded-host-prerequisites
Your network contains an Active Directory domain named contoso.com. You deploy a server named Server1 that runs Windows Server 2016. Server1 is in a workgroup. You need to collect the logs from Server1 by using Log Analytics in Microsoft Operations Management Suite (OMS).
What should you do first?
- A . Create an event subscription
- B . Create a Data Collector-Set
- C . Install Microsoft Monitoring Agent on Server1
- D . Join Server1 to the domain
C
Explanation:
References: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
HOTSPOT
Your network contains an Active Directory domain named contoso.com. You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain. You install the ATA Gateway on a server named Server1. To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect events. You need to configure the query filter for event subscriptions on Server1.
How should you configure the query filter? To answer, select the appropriate options in the answer are.
Explanation:
References: https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
Note: This question is part of a series of questions that use the same scenario. For yourconvenience, the scenario is repeated in each question. Each question presents a different goaland answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your company has a marketing department.
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
End of repeated scenario.
You enable deep script block logging for Windows PowerShell.
In which event log will PowerShell code that is generated dynamically appear?
- A . Applications and Services Logs/Windows PowerShell
- B . Windows Logs/Security
- C . Applications and Services Logs/Microsoft/Windows/PowerShell/Operational
- D . Windows Logs/Application
C
Explanation:
References:
https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-7
Note: This question is part of a series of questions that use the same scenario. For yourconvenience, the scenario is repeated in each question. Each question presents a different goaland answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your company has a marketing department.
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
End of repeated scenario.
You need to create a Role Capability file on Server3.
Which file should you create?
- A . File1.ini
- B . File1.ps1
- C . File1.xml
- D . File1.psrc
D
Explanation:
References: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/role-capabilities? view=powershell-7
Note: This question is part of a series of questions that use the same scenario. For yourconvenience, the scenario is repeated in each question. Each question presents a different goaland answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your company has a marketing department.
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
End of repeated scenario.
You need to implement BitLocker Network Unlock for all of the laptops.
Which server role should you deploy to the network?
- A . Host Guardian Service
- B . Device Health Attestation
- C . Windows Deployment Services
- D . Network Controller
C
Explanation:
References: https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-how-to-enablenetwork-unlock
Note: This question is part of a series of questions that use the same scenario. For yourconvenience, the scenario is repeated in each question. Each question presents a different goaland answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your company has a marketing department.
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
End of repeated scenario.
You need to ensure that AppLocker rules will apply to the marketing department computers.
What should you do?
- A . From the properties of OU2, modify the COM+ partition Set.
- B . In GP2, configure the Startup type for the Application Identity service.
- C . In GP2, configure the Startup type for the Application Management service.
- D . From the properties of OU2, modify the Security settings.
B
Explanation:
References: https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-theapplication-identity-service
Your network contains an Active Directory domain named contoso.com. The domain contains a certification authority (CA).
You need to implement code integrity policies and sign them by using certificates issued by the CA.
You plan to use the same certificate to sign policies on multiple computers.
You duplicate the Code Signing certificate template and name the new template CodeIntegrity.
How should you configure the CodeIntegrity template?
- A . Enable the Allow private key to be exported setting and modify the Key Usage extension.
- B . Disable the Allow private key to be exported setting and modify the Application Policies extension.
- C . Disable the Allow private key to be exported setting and disable the Basic Constraints extension.
- D . Enable the Allow private key to be exported setting and enable the Basic Constraints extension
D
Explanation:
References: https://blogs.technet.microsoft.com/ukplatforms/2017/05/04/create-code-integrity-signingcertificate/