100% Guarantee 70-744 Exam Questions and Answers 2021

NEW QUESTION 1
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2021.
You need to prevent direct .NET scripts invoked by interactive Windows PowerShell sessions from running on the servers.
What should you do for each server?

• A. Create an AppLocker rule.
• B. Create a Code Integrity rule.
• C. Disable PowerShell Remoting.
• D. Modify the local Kerberos policy setting

Answer: C

NEW QUESTION 2
HOTSPOT
You plan to deploy three encrypted virtual machines that use Secure Boot. The virtual machines will be configured as shown in the following table.

How should you protect each virtual machine? To answer, select the appropriate options in the answer area.

Answer:

Explanation: Shielded VM Prevents Virtual Machine connection and PowerShell Direct, it prevent the Hyper-V host to interact in any means with the Shielded VM.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabric-andshielded-vms

NEW QUESTION 3
Your network contains an Active Directory domain named contoso.com.
The domain contains four global groups named Group1, Group2, Group3, and Group4. A user named User1 is a member of Group3.
You have an organizational unit (OU) named OU1 that contains computer accounts. A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account named Computer1. GPO1 has the User Rights Assignment configured as shown in the following table.

• A. Modify the membership of Group3.
• B. Modify the membership of Group2.
• C. Modify the membership of Group1.
• D. Modify the membership of Group4.

Answer: B

NEW QUESTION 4
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
The hardware configuration on Server1 meets the requirements for Credential Guard. You need to enable Credential Guard on Server1.
What should you do? To answer, select the appropriate options in the answer area.

Answer:

Explanation: References:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guardrequirements https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guardmanage# hardware-readiness-tool

NEW QUESTION 5
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. The domain has Dynamic Access Control enabled.
Server1 contains a folder named C:Folder1. Folder1 is shared as Share1.
You need to audit all access to the contents of Folder1 from Server2. The solution must minimize the number of event log entries.
Which two audit policies should you enable on Server1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Global Object Access- File System
• B. Object Access – Audit Detailed File Share
• C. Object Access – Audit Other Object Access Events
• D. Object Access – Audit File System
• E. Object Access – Audit File Share

Answer: BE

Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-fileshare https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share

NEW QUESTION 6
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Center on server named Server1 and the ATA Gateway on a server named Served. You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?

• A. the domain controllers to forward Event ID 4776 to Server2
• B. the domain controllers to forward Event ID 1000 to Server1
• C. Server2 to forward Event ID 1026 to Server1
• D. Server1 to forward Event ID 1000 to Server2

Answer: A

Explanation: https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture
ATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway using physical or virtual switches.
If you deploy the ATA Lightweight Gateway directly on your domain controllers, it removes the requirement for port mirroring.
In addition, ATA can leverage Windows events (forwarded directly from your domain controllers or from a SIEM server) and analyze the data for attacks and threats.
See the GREEN line in the following figure, forward event ID 4776 which indicates NTLM authentication is being used to ATA Gateway Server2.

NEW QUESTION 7
This question relates to Windows Firewall and related technologies. These rules use IPsec to secure traffic while it crosses the network.
You use these rules to specify that connections between two computers must be authenticated or encrypted.
What is the name for these rules?

• A. Connection Security Rules
• B. Firewall Rules
• C. TCP Rules
• D. DHP Rules

Answer: A

NEW QUESTION 8
Your network contains an Active Directory domain named contoso.com.
The domain contains 10 servers that run Windows Server 2021 and 800 client computers that run Windows 10.
You need to configure the domain to meet the following requirements:
-Users must be locked out from their computer if they enter an incorrect password twice.
-Users must only be able to unlock a locked account by using a one-time password that is sent to their mobile phone.
You deploy all the components of Microsoft Identity Manager (MIM) 2021.
Which three actions should you perform before you deploy the MIM add-ins and extensions? Each correct answer presents part of the solution.

• A. From a Group Policy object (GPO), configure Public Key Policies
• B. Deploy a Multi-Factor Authentication provider and copy the required certificates to the MIM server.
• C. From the MIM Portal, configure the Password Reset AuthN Workflow.
• D. Deploy a Multi-Factor Authentication provider and copy the required certificates to the client computers.
• E. From a Group Policy object (GPO), configure Security Setting

Answer: BCE

Explanation: -Users must be locked out from their computer if they enter an incorrect password twice. (E)
-Users must only be able to unlock a locked account by using a one-time password that is sent to their mobile phone. (B and C), detailed configuration process in the following web page.
https://docs.microsoft.com/en-us/microsoft-identity-manager/working-with-self-servicepasswordreset# prepare-mim-to-work-with-multi-factor-authentication

NEW QUESTION 9
Your network contains an Active Directory domain named contoso.com.
You deploy a server named Server1 that runs Windows Server 2021. Server1 is in a workgroup. You need to collect the logs from Server1 by using Log Analytics in Microsoft Operations Management Suite (OMS).
What should you do first?

• A. Join Server1 to the domain.
• B. Create a Data Collector Set.
• C. Install Microsoft Monitoring Agent on Server1.
• D. Create an event subscriptio

Answer: C

Explanation: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
You need to install and connect Microsoft Monitoring Agent for all of the computers that you

You can install the OMS MMA on stand-alone computers, servers, and virtual machines.

NEW QUESTION 10
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2. The domain contains the servers configured as shown in the following table.

You have an organizational unit (OU) named Marketing that contains the computers in the marketing department.
You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the
AppServers OU.
You install Windows Defender on Nano1.
You need to configure Nano1 as a Hyper-V Host. Which command should you run?

• A. Add-WindowsFeature Microsoft-NanoServer-Compute-Package
• B. Add-WindowsFeature Microsoft-NanoServer-Guest-Package
• C. Add-WindowsFeature Microsoft-NanoServer-Host-Package
• D. Add-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
• E. Install-Package Microsoft-NanoServer-Compute-Package
• F. Install-Package Microsoft-NanoServer-Guest-Package
• G. Install-Package Microsoft-NanoServer-Host-Package
• H. Install-Package Microsoft-NanoServer-ShieldedVM-Package
• I. Install-WindowsFeature Microsoft-NanoServer-Compute-Package
• J. Install-WindowsFeatureMicrosoft-NanoServer-Guest-Package
• K. Install-WindowsFeatureMicrosoft-NanoServer-Host-Package
• L. Install-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package

Answer: E

Explanation: https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server#BKMK_online The Nano Server package “Microsoft-NanoServer-Compute-Package” includes the Hyper-V role for a Nano
Server host.
Moreover, the Install-WindowsFeature or Add-WindowsFeature cmdlet are NOT available on a Nano Server.

NEW QUESTION 11
HOTSPOT
Your network contains two Active Directory forests named adatum.com and priv.adatum.com. You deploy Microsoft Identity Manager (MIM) 2021 to the priv.adatum.com domain, and you implement Privileged Access Management (PAM).
You create a PAM role named Group1 as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answer:

Explanation: References:https://tlktechidentitythoughts.wordpress.com/2021/09/07/mim-2021-setting-upprivileged- access-management-pam-in-an-existing-domain-using-the-built-in-pam-tool/

NEW QUESTION 12
Your data center contains 10 Hyper-V hosts that host 100 virtual machines.
You plan to secure access to the virtual machines by using the Datacenter Firewall service.
You have four servers available for the Datacenter Firewall service. The servers are configured as shown in the following table.

You need to install the required server roles for the planned deployment Which server role should you deploy? Choose Two.

• A. Server role to deploy: Multipoint Services
• B. Server role to deploy: Network Controller
• C. Server role to deploy: Network Policy and Access Services
• D. Servers on which to deploy the server role: Server20 and Server21
• E. Servers on which to deploy the server role: Server22 and Server23

Answer: BE

Explanation: Datacenter Firewall is a new service included with Windows Server 2021. It is a network layer, 5- tuple (protocol, source and destination port numbers, source and destination IP addresses), stateful, multitenant firewall. When deployed and offered as a service by the serviceprovider, tenant administrators can install and configure firewall policies to help protect their virtual networks from unwanted traffic originating from Internet and intranet networks.
https://docs.microsoft.com/en-us/windows-server/networking/sdn/technologies/networkcontroller/ networkcontroller
Network Controller Features
The following Network Controller features allow you to configure and manage virtual and physical network
devices and services.
i) Firewall Management (Datacenter Firewall)
ii) Software Load Balancer Management
iii) Virtual Network Management
iv) RAS Gateway Management

https://docs.microsoft.com/en-us/windows-server/networking/sdn/plan/installation-andpreparationrequirements- for-deploying-network-controller
Installation requirements
Following are the installation requirements for Network Controller.
For Windows Server 2021 deployments, you can deploy Network Controller on one or more computers, one or more VMs, or a combination of computers and VMs.
All VMs and computers planned as Network Controller nodes must be running Windows Server 2021 Datacenter edition.

NEW QUESTION 13
You have a server named Server1 that runs Windows Server 2021. You need to view all of the inbound rules on Server1.
Which cmdlet should you use?

• A. Get-NetIPSecRule
• B. Get-NetFirewallRule
• C. Get-NetFirewallProfile
• D. Get-NetFirewallSetting
• E. Get-NetFirewallPortFilter
• F. Get-NetFirewallAddressFilter
• G. Get-NetFirewallSecurityFilter
• H. Get-NetFirewallApplicationFilter

Answer: B

Explanation: Get-NetFirewallRule -Direction Inbound <— view inbound rules for all profiles The following examples shows inbound rule for specific firewall profile.
Get-NetFirewallRule -Direction Inbound | where {$_.Profile -eq “Domain”} Get-NetFirewallRule -Direction Inbound | where {$_.Profile -eq “Public”} Get-NetFirewallRule -Direction Inbound | where {$_.Profile -eq “Private”}

NEW QUESTION 14
You deploy the Host Guardian Service (HGS).
You have several Hyper-V hosts that have older hardware and Trusted Platform Modules (TPMs) version 1.2.
You discover that the Hyper-V hosts cannot start shielded virtual machines.
You need to configure HGS to ensure that the older Hyper-V hosts can host shielded virtual machines. What should you do?

• A. Run the Set-HgsServer cmdlet and specify the -TrustTpm parameter.
• B. Run the Set-HgsServer cmdlet and specify the -TrustActiveDirectory parameter.
• C. Run the Clear-HgsServer cmdlet and specify the -Clustername parameter
• D. Run the Clear-HgsServer cmdlet and specify the -Force parameter.
• E. It is not possible to enable older Hyper-V hosts to run Shielded virtual machines

Answer: E

Explanation: Requirements and Limitations
There are several requirements for using Shielded VMs and the HGS:
One bare metal host: You can deploy the Shielded VMs and the HGS with just one host. However,
Microsoft
recommends that you cluster HGS for high availability.
Windows Server 2021 Datacenter Edition: The ability to create and run Shielded VMs and the HGS is only
supported by Windows Server 2021 Datacenter Edition.
For Admin-trusted attestation mode: You only need to have server hardware capable of running Hyper-V in
Windows Server 2021 TP5 or higher.
For TPM-trusted attestation: Your servers must have TPM 2.0 and UEFI 2.3.1 and they must boot in UEFI
mode. The hosts must also have secure boot enabled. Hyper-V role: Must be installed on the guarded host. HGS Role: Must be added to a physical host. Generation 2 VMs.
A fabric AD domain.
An HGS AD, which in Windows Server 2021 TP5 is a separate AD infrastructure from your fabric AD.

NEW QUESTION 15
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021. You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Security Options. Does this meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 16
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 4.0 installed. The domain contains domain controllers that run Windows Server 2021.
A Group Policy object (GPO) named GPO1 is applied to all of the domain controllers.
GPO1 has a Globally Unique Identifier (GUID) of 7ABCDEFG-1234-5678-90AB-005056123456. You need to create a new baseline that contains the settings from GPO1. What should you do first?

• A. Copy the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB- 005056123456} folder to Server1.
• B. From Group Policy Management, create a backup of GPO1.
• C. From Windows PowerShell, run the Copy-GPO cmdlet
• D. Modify the permissions of the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG- 1234-5678-90AB-005056123456}

Answer: B

Explanation: https://technet.microsoft.com/en-us/library/hh489604.aspx Import Your GPOs
You can import current settings from your GPOs and compare these to the Microsoft recommended best
practices.
Start with a GPO backup that you would commonly create in the Group Policy Management Console (GPMC).
Take note of the folder to which the backup is saved. In SCM, select GPO Backup, browse to the GPO folder’s Globally Unique Identifier (GUID) and select a name for the GPO when it’s imported.
SCM will preserve any ADM files and GP Preference files (those with non-security settings that SCM doesn’t parse) you’re storing with your GPO backups.
It saves them in a subfolder within the user’s public folder. When you export the baseline as a GPO again, it
also restores all the associated files.

NEW QUESTION 17
DRAG DROP
You configure Just Enough Administration (JEA).
You need to ensure that a non-administrator user can perform the following actions:
-Restart Internet Information Services (IIS)
-Restart a custom service named Service1.
How should you complete the role configuration file? To answer, select the appropriate options in the answer area.

Answer:

Explanation: VisibleExternalCommands = ‘C:\Windows\system32\iisreset.exe’
VisibleCmdlets = @{ Name ‘Restart-service’ ; Parameters @{ Name = ‘Name’; ValidateSet = ‘Service1’}}
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities