Simulation 70-744 Study Guides 2021

NEW QUESTION 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to It. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2021. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.

You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), you link the GPO to the Servers OU, and then you modify the Users Rights Assignment in the GPO.
Does this meet the goat?

• A. Yes
• B. No

Answer: B

Explanation: References:
https://technet.microsoft.com/en-us/library/cc771990(v=ws.11).aspx

NEW QUESTION 2
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps\. App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate
network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080 and applies to all profiles
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.”
Therefore, you should not create firewall rule for all three profiles.

NEW QUESTION 3
Your network contains an Active Directory domain named contoso.com.The domain contains 1,000 client computers that run either Windows 8.1 or Windows 10.
You have a Windows Server Update Services (WSUS) deployment All client computers receive updates from WSUS.
You deploy a new WSUS server named WSUS2.
You need to configure all of the client computers that run Windows 10 to send WSUS reporting data to WSUS2.
What should you configure?

• A. an approval rule
• B. a computer group
• C. a Group Policy object (GPO)
• D. a synchronization rule

Answer: C

Explanation: https://technet.microsoft.com/en-us/library/cc708574(v=ws.10).aspx
Under “Set the intranet update service for detecting updates”, type http://wsus:8530 Under “Set the intranet statistics server”, type http://wsus2:8531

NEW QUESTION 4
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department You have an OU named Finance that contains the computers in the finance department You have an OU named AppServers that contains application servers. A Group Policy object (GPO)
named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that the marketing department computers validate DNS responses from adatum.com.
Which setting should you configure in the Computer Configuration node of GP1?

• A. TCPIP Settings from Administrative Templates
• B. Connection Security Rule from Windows Settings
• C. DNS Client from Administrative Templates
• D. Name Resolution Policy from Windows Settings

Answer: D

Explanation:
The NRPT is a table that contains rules that you can configure to specify DNS settings or special behavior for names or namespaces.
The NRPT can be configured using the Group Policy Management Editor under Computer Configuration
\Policies\Windows Settings\Name Resolution Policy, or with Windows PowerShell.
If a DNS query matches an entry in the NRPT, it is handled according to settings in the policy. Queries that do not match an NRPT entry are processed normally.
You can use the NRPT to require that DNSSEC validation is performed on DNS responses for queries in the namespaces that you specify.

NEW QUESTION 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Kerberos Policy. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
References:
https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2021/

NEW QUESTION 6
Your network contains an Active Directory domain named contoso.com. The domain contains multiple servers that run either Windows Server 2012 or Windows Server 2012 R2.
You plan to implement Just Enough Administration (JEA) to manage all of the servers.
What should you install on each server to ensure that the servers can be managed by using JEA?

• A. Remote Server Administration Tools (RSAT)
• B. Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
• C. Management Odata Internet Information Services (IIS) Extension
• D. Windows Management Framework 5.0

Answer: D

Explanation: https://msdn.microsoft.com/en-us/library/dn896648.aspx Get JEA
The current release of JEA is available on the following platforms: Windows Server
Windows Server 2021 Technical Preview 5 and higher
Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2* with Windows Management Framework 5.0 installed

NEW QUESTION 7
You have a Hyper-V host named Server1 that runs Windows Server 2021. Server1 hosts the virtual machines configured as shown in the following table.

All the virtual machines have two volumes named C and D.
You plan to implement BitLocker Drive Encryption (BitLocker) on the virtual machines. Which virtual machines can have their volumes protected by using BitLocker? Choose Two.

• A. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM3 only
• B. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM1 and VM3 only
• C. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM2 and VM3 only
• D. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM2 and VM4 only
• E. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM2, VM3 and VM4 only
• F. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM1, VM2, VM3 and VM4
• G. Virtual machines that can have volume D protected by using BitLocker: VM3 only
• H. Virtual machines that can have volume D protected by using BitLocker: VM1 and VM3 only
• I. Virtual machines that can have volume D protected by using BitLocker: VM2 and VM3 only
• J. Virtual machines that can have volume D protected by using BitLocker: VM2 and VM4 only
• K. Virtual machines that can have volume D protected by using BitLocker: VM2, VM3 and VM4 only
• L. Virtual machines that can have volume D protected by using BitLocker: VM1, VM2, VM3 and VM4

Answer: AG

Explanation: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/upgrade-virtualmachine- versionin-hyper-v-on-windows-or-windows-server
To use Virtual TPM protector for encrypting C: drive, you have to use at least VM Configuration Version 7.0 and Generation 2 Virtual machines.

https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
If you don’t use TPM for protecting a drive, there is no such Virtual TPM or VM Generation, or VM Configuration version requirement, you can even use Bitlocker without TPM Protector with earlier versions of Windows.

NEW QUESTION 8
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You need to ensure that you can encrypt the operating system drive of VM1 by using BitLocker. Which Group Policy should you configure?

• A. Configure use of hardware-based encryption for operating system drives
• B. Configure TPM platform validation profile for native UEFI firmware configurations
• C. Require additional authentication at startup
• D. Configure TPM platform validation profile for BIOS-based firmware configurations

Answer: C

Explanation: As there is not a choice “Enabling Virtual TPM for the virtual machine VM1”, then we have to use a fall-back
method for enabling BitLocker in VM1.
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

NEW QUESTION 9
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1.
Server1 is configured as shown in the following table.

You plan to create a pilot deployment of Microsoft Advanced Threat Analytics (ATA). You need to install the ATA Center on Server1.
What should you do first?

• A. Install Microsoft Security Compliance Manager (SCM).
• B. Obtain an SSL certificate.
• C. Assign an additional IPv4 address.
• D. Remove Server1 from the domai

Answer: B

Explanation: https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites
ATA Center which is the first component to be deployed on Server1, requires the use of SSL protocol to
communicate with ATA Gateway
To ease the installation of ATA, you can install self-signed certificates during installation.
Post deployment you should replace the self-signed with a certificate from an internal Certification Authority tobe used by the ATA Center.
Make sure the ATA Center and ATA Gateways have access to your CRL distribution point.
If the they don’t have Internet access, follow the procedure to manually import a CRL, taking care to install the all the CRL distribution points for the whole chain.

NEW QUESTION 10
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012.
The forest contains 20 member servers that are configured as file servers. All domain controllers run Windows Server 2021.
You create a new forest named contosoadmin.com.
You need to use the Enhanced Security Administrative Environment (ESAE) approach for the administration of the resources in contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.

• A. From the properties of the trust, enable selective authentication.
• B. Configure contosoadmin.com to trust contoso.com.
• C. Configure contoso.com to trust contosoadmin.com.
• D. From the properties of the trust, enable forest-wide authentication.
• E. Configure a two-way trust between both forest

Answer: AC

Explanation: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securingprivilegedaccess- reference-material#ESAE_BM
Trust configurations – Configure trust from managed forests(s) or domain(s) to the administrative forest
A one-way trust is required from production environment to the admin forest. This can be a domain trust or a forest trust.
The admin forest/domain (contosoadmin.com) does not need to trust the managed domains/forests (contoso.com) to manage Active Directory, though additional applications may require a two-way trust relationship, security validation, and testing.
Selective authentication should be used to restrict accounts in the admin forest to only logging on to the
appropriate production hosts.

NEW QUESTION 11
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1.
On Server1, administrators plan to use several scripts that have the .ps1 extension.
You need to ensure that when code is generated from the scripts, an event containing the details of
the code is logged in the Operational log.
Which Group Policy setting or settings should you configure?

• A. Enable Protected Event Logging
• B. Audit Process Creation and Audit Process Termination
• C. Turn on PovverShell Script Block Logging
• D. Turn on PowerShell Transcription

Answer: C

Explanation: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system.
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW event log,
Microsoft-Windows-PowerShell/Operational.
If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy setting (in GPO Administrative Templates -> Windows Components -> Windows PowerShell).
Answer D is incorrect, since Transcription (Start-Transcript -path <FilePath>) uses a custom output location
instead of Event Viewer \ Operational Log

NEW QUESTION 12
Note: This question Is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is Independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
Server1 has a shared folder named Share1. You need to encrypt the contents of Share1. Which tool should you use?

• A. File Explorer
• B. Shared Folders
• C. Server Manager
• D. Disk Management
• E. Storage Explorer
• F. Computer Management
• G. System Configuration
• H. File Server Resource Manager (FSRM)

Answer: A

NEW QUESTION 13
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer
choices, but the text of the scenario is exactly the same in each question in this series. Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department You have an OU named finance that contains the computers in the finance department You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1.
End of repeated scenario
You need to exclude D:Folder1 on Nano1 from being scanned by Windows Defender. Which cmdlet should you run?

• A. Set-StorageSetting
• B. Set-FsrmFileScreenException
• C. Set-MpPreference
• D. Set-DtcAdvancedSetting

Answer: C

Explanation: https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference

NEW QUESTION 14
You have a Hyper-V host named Hyperv1 that has a virtual machine named FS1. FS1 is a file server that contains sensitive data.
You need to secure FS1 to meet the following requirements:
-Prevent console access to FS1.
-Prevent data from being extracted from the VHDX file of FS1.
Which two actions should you perform? Each correct answer presents part of the solution.

• A. Enable BitLocker Drive Encryption (BitLocker) for all the volumes on FS1
• B. Disable the virtualization extensions for FS1
• C. Disable all the Hyper-V integration services for FS1
• D. On Hyperv1, enable BitLocker Drive Encryption (BitLocker) for the drive that contains the VHDX file for FS1.
• E. Enable shielding for FS1

Answer: AE

Explanation: -Prevent console access to FS1. –> Enable shielding for FS1
-Prevent data from being extracted from the VHDX file of FS1. –> Enable BitLocker Drive Encryption (BitLocker) for all the volumes on FS1

NEW QUESTION 15
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2021. The forest contains 2,000 client computers that run Windows 10. All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy one physical computer and configure it as a Hyper-V host that runs Windows Server 2021. You create 10 virtual machines and configure each one as a PAW.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: References:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privilegedaccess/privileged-access-workstations

NEW QUESTION 16
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
You need to allow network administrators to use Just Enough Administration (JEA) to change the
TCP/IP settings on Server1. The solution must use the principle of least privilege. How should you configure the session configuration file?

• A. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to ContosoNetwork Configuration Operators.
• B. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to ContosoNetwork Configuration Operators.
• C. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Network Configuration Operators.
• D. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Network Configuration Operators.

Answer: D

Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/newpssessionconfigurationfile? view=powershell-6

NEW QUESTION 17
You implement Log Analytics in Microsoft Operations Management Suite (OMS) on all servers that run Windows Server 2021.
You need to generate a daily report that identifies which servers restarted during the last 24 hours. Which query should you use?

• A. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
• B. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
• C. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
• D. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW+24HOURS

Answer: C

Explanation: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-searches Computer restart events are stored in “System” eventlog instead of Application even log. “NOW-24HOURS” clause matches all events generated in the last 24 hours.