Microsoft 70-744 Dumps Questions 2021

NEW QUESTION 1
You have two computers configured as shown in the following table.

You need to ensure that the credentials that you use to establish Remote Desktop sessions from Client1 to Server1 are protected by using Remote CredentialGuard.

• A. Join Client1 to the domain.
• B. Remove Server1 from the domain.
• C. Upgrade Server1 to Windows Server 2021 Datacenter.
• D. Upgrade Client1 to Windows 10 Enterpris

Answer: A

Explanation: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard

NEW QUESTION 2
You have a server named Server1 that runs Windows Server 2021.
You need to identify whether ICMP traffic is exempt from IPsec on Server1. Which cmdlet should you use?

• A. Get-NetIPSecRule
• B. Get-NetFirewallRule
• C. Get-NetFirewallProfile
• D. Get-NetFirewallSetting
• E. Get-NetFirewallPortFilter
• F. Get-NetFirewallAddressFilter
• G. Get-NetFirewallSecurityFilter
• H. Get-NetFirewallApplicationFilter

Answer: D

Explanation: The Get-NetFirewallSetting cmdlet retrieves the global firewall settings of the target computer. The NetFirewallSetting object specifies properties that apply to the firewall and IPsec settings, no matter which
network profile is currently in use.
The global configurations include viewing the active profile, exemptions, specified certification validation levels, and user and computer authorization lists.

NEW QUESTION 3
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You enable deep script block logging for Windows PowerShell.
In which event log will PowerShell code that is generated dynamically appear?

• A. Applications and Services Logs/Microsoft/Windows/PowerShell/Operational
• B. Windows Logs/Security
• C. Applications and Services Logs/Windows PowerShell
• D. Windows Logs/Application

Answer: A

Explanation: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to log the
invocation of cmdlets, PowerShell’s scripting language has plenty of features that you might want to log and/or audit.
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system.
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW (event tracing for windows) event log – Microsoft-WindowsPowerShell/Operational.
If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy
setting (in Administrative Templates -> Windows Components -> Windows PowerShell).

NEW QUESTION 4
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department You have an OU named finance that contains the computers in the finance department You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that when a configuration change is made on Nano2, Nano2 will revert back to the original configuration automatically.
What should you do first?

• A. Enable File History for all volumes.
• B. Install the Microsoft-NanoServer-DSC-Package optional package
• C. Install the Microsoft-NanoServer-DCB-Package optional package
• D. Enable System Protection on all volumes
• E. Deploy Microsoft System Center 2021 – Data Protection Manager (DPM)

Answer: B

Explanation: Using PowerShell DSC (Desire State Configuration) to mitigate configuration drift on Nano Server requires
additional steps, like installing the support package “Microsoft-NanoServer-DSC-Package” https://docs.microsoft.com/en-us/powershell/dsc/nanodsc
DSC on Nano Server is an optional package in the NanoServer\Packages folder of the Windows Server 2021 media.
The package can be installed when you create a VHD for a Nano Server by specifying Microsoft-
NanoServerDSC-Package as the value of the Packages
parameter of the New-NanoServerImage function, or the following PowerShell cmdlets on a live Nano server
“Nano2”.
Import-PackageProvider NanoServerPackage
Install-package Microsoft-NanoServer-DSC-Package -ProviderName NanoServerPackage -Force

NEW QUESTION 5
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally. Computer1 runs an application named App1 that listens to port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You run the command New-NetFirewallRule -DisplayName “Rule1” -Direction Inbound - Program “D:\Apps\App1.exe” –Action Allow -Profile Domain
Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation: Tested correct cmdlet, worked, and the profile “Domain” for corporate network is also correct.

NEW QUESTION 6
HOTSPOT
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that you can implement the Local Administrator Password Solution (LAPS) (or the finance department computers.
What should you do in the contoso.com forest? To answer, select the appropriate options in the answer area.

Answer:

Explanation: https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-activedirectory/

NEW QUESTION 7
Your network contains an Active Directory forest named contoso.com. The forest contains three domains. All domain controllers run Windows Server 2021.
You deploy a second Active Directory forest named admin.contoso.com.
The forest contains a domain member server named Server1. Server1 has Microsoft Identity Manager (MIM) 2021 deployed.
You need to implement Privileged Access Management (PAM) and to use admin.contoso.com as an administrative forest.
Which two actions should you perform? Each correct answers presents part of the solution.

• A. From a domain controller in contoso.co
• B. run the New-PAMTrust cmdlet.
• C. From Server1, run the New-PAMDomainConfiguration cmdlet
• D. From a domain controller in admin.contoso.com, run the New-PAMTrust cmdlet.
• E. From a domain controller in contoso.com, run the New-PAMDomainConfiguration cmdlet.
• F. From a domain controller in admin.contoso.com, run the New-PAMDomainConfiguration cmdlet
• G. From Server1, run the New-PAMTrust cmdlet

Answer: BF

Explanation: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environmentfor- pam
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-betweenpriv- corpforests

NEW QUESTION 8
You have a file server named FS1 that runs Windows Server 2021. You plan to disable SMB 1.0 on the server.
You need to verify which computers access FS1 by using SMB 1.0. What should you run first?

• A. Debug-FileShare
• B. Set-FileShare
• C. Set-SmbShare
• D. Set-SmbServerConfiguration
• E. Set-SmbClientConfiguration

Answer: D

NEW QUESTION 9
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021. You need to prevent NTLM authentication on Server1.
Solution: From Windows PowerShell, you run the New-ADAuthenticationPolicy cmdlet. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: ADDS Authentication Policy does not provide ability to prevent the use of NTLM authentication.

NEW QUESTION 10
The Job Title attribute for a domain user named User1 has a value of Sales Manager. User1 runs whoami /claims and receives the following output:

Kerberos support for Dynamic Access Control on this device has been disabled.
You need to ensure that the security token of User1 has a claim for Job Title. What should you do?

• A. From Windows PowerShell, run the New-ADClaimTransformPolicy cmdlet and specify the -Name parameter
• B. From Active Directory Users and Computers, modify the properties of the User1 account.
• C. From Active Directory Administrative Center, add a claim type.
• D. From a Group Policy object (GPO), configure KDC support for claims, compound authentication, and Kerberos armoring.

Answer: C

Explanation: From the output, obviously, a claim type is missing (or disabled) so that the domain controller is not issuing
tickets with the “Job Title” claim type.

NEW QUESTION 11
The “Network Security: Restrict NTLM: NTLM authentication in this domain” policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller.
Which value would you choose so that the domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain.
The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the Network security: Restrict NTLM: Add server exceptions in this domain policy setting.

• A. Deny for domain accounts
• B. Deny for domain accounts to domain servers
• C. Deny all
• D. Deny for domain servers

Answer: B

NEW QUESTION 12
You have the servers configured as shown in the following table.

You purchase a Microsoft Azure subscription, and you create three Microsoft Operations
Management Suite (OMS) workspaces named Workspace1, Workspace2, and Workspace3
You need to deploy Microsoft Monitoring Agent to the servers to meet the following requirements:
-Antimalware data from all the servers must be visible in Workspace1.
-Security and audit data from the domain controllers and the virtualization hosts must be visible in Workspace2.
-System update data from all the servers in all the workgroups must be visible in Workspace& How many OMS agents should you deploy?

• A. 10
• B. 33
• C. 73
• D. 45

Answer: C

Explanation: -Antimalware data from all the servers must be visible in Workspace1.
-Security and audit data from the domain controllers and the virtualization hosts must be visible in Workspace2.
-System update data from all the servers in all the workgroups must be visible in Workspace& “All the servers” mean all 5 domain controllers, plus all member servers (physical and virtual, domain and
workgroup) and virtualization hosts, so there are no exemptions.
All servers in the above table mentioned must install OMS Microsoft Monitoring agents

NEW QUESTION 13
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps\. App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080, uses a scope of 172.16.0.0/16 for local IP addresses, and applies to a private profile.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: “You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.”, you should create the firewall rule for “Domain” profile instead, not the “Private” profile.
https://technet.microsoft.com/en-us/library/getting-started-wfas-firewall-profilesipsec( v=ws.10).aspx

NEW QUESTION 14
Your network contains an Active Directory domain named contoso.com. The domain contains two DNS servers that run Windows Server 2021. The servers host two zones named contoso.com and admin.contoso.com. You sign both zones.
You need to ensure that all client computers in the domain validate the zone records when they query the zone.
What should you deploy?

• A. a Microsoft Security Compliance Manager (SCM) policy
• B. a zone transfer policy
• C. a Name Resolution Policy Table (NRPT)
• D. a connection security rule

Answer: C

Explanation: You should use Group Policy NRPT to for a DNS Client to perform DNSSEC validation of DNS zone records.

NEW QUESTION 15
Your network contains an Active Directory forest named conloso.com. The network is connected to the Internet.
You have 100 point-of-sale (POS) devices that run Windows 10. The devices cannot access the Internet.
You deploy Microsoft Operations Management Suite (OMS).
You need to use OMS to collect and analyze data from the POS devices. What should you do first?

• A. Deploy Windows Server Gateway to the network.
• B. Install the OMS Log Analytics Forwarder on the network.
• C. Install Microsoft Data Management Gateway on the network.
• D. Install the Simple Network Management Protocol (SNMP) feature on the devices.
• E. Add the Microsoft NDJS Capture service to the network adapter of the devices.

Answer: B

Explanation: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway OMS Log Analytics Forwarder = OMS Gateway
If your IT security policies do not allow computers on your network to connect to the Internet, such as point of sale (POS) devices, or servers supporting IT services, but you need to connect them to OMS to manage and monitor them, they can be configured to communicate directly with the OMS Gateway (previous called “OMS Log Analytics Fowarder”) to receive configuration and forward data on their behalf.

NEW QUESTION 16
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a file server that runs Windows Server 2021. The file server contains the volumes configured as shown in the following table.

You need to encrypt DevFiles by using BitLocker Drive Encryption (ButLocker). Solution: You run the manage-bde.exe command and specify the –on parameter. Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/managebde- on

NEW QUESTION 17
Your network contains an Active Directory domain named contoso.com. The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2021. You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence?

• A. Install-HgsServer
• B. Install-Module
• C. Install-Package
• D. Enable-WindowsOptionalFeature
• E. Install-ADDSDomainController
• F. Initialize-HgsServer

Answer: AEF

Explanation: Correct order of actions:
1. Install-ADDSDomainController , as Server22 is a workgroup computer, create a new domain on it first.
2. Install-HgsServer
3. Initialize-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabricsetting-up-the-host-guardian-service-hgs
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabricinstall-hgs-default
Install-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabricinitialize-hgs-tpm-mode-default
Initialize-HgsServer