Microsoft 70-744 Exam Questions Instant Access

Question 1

You have several virtual machines that run in a hosted data center on Hyper-V hosts.

The hosting provider recently updated the service offering in its Hyper-V environment to include a new Host Guardian Service (HSG).

You plan to use the Shielding Data File Wizard to create a data file that will include password information and an RDP file. The file will be used to create new shielded virtual machines in the fabric of the hosting provider.

What do you require from the hosting provider to complete the wizard?

Aan XML file that contains the names of all the Hyper-V hosts in the fabric.

Ban XML file that contains virtual machine configuration data from the Hyper-V hosts

Ca CER file that contains a certificate from the provider

Dan XML file that contains guardian metadata

Answer : D

References:

https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-tenant-creates-shielding-data

Question 2

Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.

Windows Defender comes with a number of different Defender-specific cmdlets that you can run through PowerShell to automate common tasks.

Which Cmdlet would you run first if you wanted to perform an offline scan?

AStart-MpWDOScan

BStart-MpScan

CSet-MpPreference -DisableRestorePoint $true

DSet-MpPreference -DisablePrivacyMode $true

Answer : A

Some malicious software can be particularly difficult to remove from your PC. Windows Defender Offline (Start-MpWDOScan) can help to find and remove this using up-to-date threat definitions.

Question 3

Your network contains an Active Directory domain.

The domain contains two organizational units (OUs) named ProdOU and TestOU.

All production servers are in ProdOU. All test servers are in TestOU. A server named Server1 is in TestOU.

You have a Windows Server Update Services (WSUS) server named WSUS1 that runs Windows Server 2016.

All servers receive updates from WSUS1.

WSUS is configured to approve updates for computers in the Test computer group automatically.

Manual approval is required for updates to the computers in the Production computer group.

You move Server1 to ProdOU, and you discover that updates continue to be approved and installed

automatically on Server1.

You need to ensure that all the servers in ProdOU only receive updates that are approved manually.

What should you do?

ATurn off auto-restart for updates during active hours by using Group Policy objects (GPOs).

BConfigure client-side targeting by using Group Policy objects (GPOs).

CCreate computer groups by using the Update Services console.

DRun wuauclt.exe /detectnow on each server after the server is moved to a different OU.

Answer : B

Updates in WSUS are approved against ''Computer Group'' , not AD OUs.

For this example, to prevent Server1 to install automatically approved updates,

you have to remove Server1 from ''Test'' computer group and add Server1 into ''Production'' computer group in WSUS console, manually or use the WSUS GPO

Client-Side Targeting feature.

https://technet.microsoft.com/en-us/library/cc720450%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

With client-side targeting, you enable client-computers to add themselves to the computer groups you create in the WSUS console.

You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active Directory

network environment) for the client computers.

When the WSUS client computers connect to the WSUS server, they will add themselves into the

correct computer group.

Client-side targeting is an excellent option if you have many client computers and want to automate the process of assigning them to computer groups.

First, configure WSUS to allow Client Site Targeting.

Secondly, configure GPO to affect ''ProdOU'' , so that Server1 add itself to ''Production'' computer group. https://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus

Question 4

The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.

All laptops are protected by using BitLocker Drive Encryption (BitLocker).You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.

An OU named OU2 contains the computer accounts of the computers in the marketing department.

A Group Policy object (GPO) named GP1 is linked to OU1.

A GPO named GP2 is linked to OU2.

All computers receive updates from Server1.

You create an update rule named Update1.

You need to ensure that you can view Windows PowerShell code that was generated dynamically and executed on the computers in OU1.

What would you configure in GP1?

AObject Access\\Audit Application Generated from the advanced audit policy

BTurn on PowerShell Script Block Logging from the PowerShell settings

CTurn on Module Logging from the PowerShell settings

DObject Access\\Audit Other Object Access Events from the advanced audit policy

Answer : B

https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script

While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to log the

invocation of cmdlets, PowerShell's scripting language has

plenty of features that you might want to log and/or audit.

The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system.

After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW event log,

Microsoft-Windows-PowerShell/Operational.

If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.

Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy setting (in Administrative Templates -> Windows

Components -> Windows PowerShell).

Question 5

Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.

Start of repeated scenario

Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.

The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10.

You have an organizational unit (OU) named Marketing that contains the computers in the marketing department You have an OU named Finance that contains the computers in the finance department You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU.

You install Windows Defender on Nano1.

End of repeated scenario

You need to ensure that the marketing department computers validate DNS responses from adatum.com.

Which setting should you configure in the Computer Configuration node of GP1?

ATCPIP Settings from Administrative Templates

BConnection Security Rule from Windows Settings

CDNS Client from Administrative Templates

DName Resolution Policy from Windows Settings

Answer : D

The NRPT is a table that contains rules that you can configure to specify DNS settings or special behavior for names or namespaces.

The NRPT can be configured using the Group Policy Management Editor under Computer Configuration

\\Policies\\Windows Settings\\Name Resolution Policy, or with

Windows PowerShell.

If a DNS query matches an entry in the NRPT, it is handled according to settings in the policy.

Queries that do not match an NRPT entry are processed normally.

You can use the NRPT to require that DNSSEC validation is performed on DNS responses for queries in

the namespaces that you specify.

Question 6

You have the Windows Server 2016 operating system images as following table.

. Your company's security policy states that you must minimize the attack surface when provisioning new servers. You need to deploy a Host Guardian Service cluster. Which image should you use for the deployment?

Aimage1

Bimage2

Cimage3

Dimage4

Answer : C

https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricprepare-for-hgs Prerequisites

Hardware: HGS can be run on physical or virtual machines, but physical machines are recommended.

If you want to run HGS as a three-node physical cluster (for availability), you must have three physical servers.

(As a best practice for clustering, the three servers

should have very similar hardware.)

Operating system: Windows Server 2016, Standard or Datacenter edition. <---- so you cannot use

Server Core or Nano Server for running Host

Guardian Service.

Server Roles: Host Guardian Service and supporting server roles.

Configuration permissions/privileges for the fabric (host) domain: You will need to configure DNS forwarding between the fabric (host) domain and the HGS domain.

If you are using Admin-trusted attestation (AD mode), you will need to configure an Active Directory trust between the fabric domain and the HGS domain.

Question 7

Your network contains an Active Directory domain named contoso.com.

The domain contains four global groups named Group1, Group2, Group3, and Group4. A user named User1 is a member of Group3.

You have an organizational unit (OU) named OU1 that contains computer accounts. A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account named Computer1.

GPO1 has the User Rights Assignment configured as shown in the following table.

AModify the membership of Group3.

BModify the membership of Group2.

CModify the membership of Group1.

DModify the membership of Group4.

Answer : B

Microsoft Securing Windows Server 2016 70-744 Exam Questions