Microsoft 70-744 Online Practice Questions and Exam Preparation

Microsoft 70-744 Online Questions & Answers

• Question 171:

  You have a server named Server1 that runs Windows Server 2016.

  You configure Just Enough Administration (JEA) on Server1.

  You need to view a list of commands that will be available to a user named User1 when User1 establishes a JEA session to Server1.

  Which cmdlet should you use?

  A. Trace-Command
  B. Get-PSSessionCapability
  C. Get-PSSessionConfiguration
  D. Show-Command
  B. Get-PSSessionCapability

  ---

  https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/get-pssessioncapability? view=powershell-5.0.The Get-PSSessionCapability cmdlet gets the capabilities of a specific user on a constrained sessionconfiguration.Use this cmdlet to audit customized session configurations for users.Starting in Windows PowerShell 5.0, you can use the RoleDefinitions property in a session configuration (.pssc)file. Using this property lets you grant users different capabilities on a single constrained endpoint based on groupmembership.The Get-PSSessionCapability cmdlet reduces complexity when auditing these endpoints by letting youdetermine the exact capabilities granted to a user.This command is used by I.T. Administrator (The "You" mention in the question) to verify configuration for aUser.

• Question 172:

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. You implement the Local Administrator Password Solution (LAPS) in the domain. You enable auditing for LAPS. You need to identify any users who read the password for Server1. Which log should you review?

  A. Windows Logs\System on Server1
  B. Windows Logs\Security on the domain controllers
  C. Applications and Services Logs\Directory Service on the domain controllers
  D. Windows Logs\Application on Server1
  A. Windows Logs\System on Server1

• Question 173:

  You have a Hyper-V host named Server1 that runs Windows Server 2016. Server1 has a generation 2 virtual machine named VM1 that runs Windows 10.

  You need to ensure that you can turn on BitLocker Drive Encryption (BitLocker) for drive C: on VM1. What should you do?

  A. From Server1, install the BitLocker feature.
  B. From Server1, enable nested virtualization for VM1.
  C. From VM1, configure the Require additional authentication at startup Group Policy setting.
  D. From VM1, configure the Enforce drive encryption type on fixed data drives Group Policy setting.
  C. From VM1, configure the Require additional authentication at startup Group Policy setting.

  ---

  https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/If you don't use TPM for protecting a drive, there is no such Virtual TPM or VM Generation, or VM Configurationversion requirement, you can even use Bitlockerwithout TPM Protector with earlier versions of Windows.How to Use BitLocker Without a TPMYou can bypass this limitation through a Group Policy change. If your PC is joined to a business or schooldomain, you can't change the Group Policy settingyourself. Group policy is configured centrally by your network administrator.To open the Local Group Policy Editor, press Windows+R on your keyboard, type "gpedit.msc" into the Rundialog box, and press Enter.Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > WindowsComponents > BitLocker Drive Encryption > OperatingSystem Drives in the left pane.

  

  Double-click the "Require additional authentication at startup" option in the right pane.

  

  Select "Enabled" at the top of the window, and ensure the "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USBflash drive)" checkbox is enabled here.Click "OK" to save your changes. You can now close the Group Policy Editor window. Your change takes effectimmediately--you don't even need to reboot.

• Question 174:

  Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2016.

  The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 4.0 installed.

  You export the baseline shown in the following exhibit.

  

  You have a server named Server2 that is a member of a workgroup.

  You copy the {2617e9b1-9672-492b-aefa-0505054848c2} folder to Server2.

  You need to deploy the baseline settings to Server2.

  What should you do?

  A. Download, install, and then fun the Lgpo.exe command.
  B. From Group Policy Management import a Group Policy object (GPO).
  C. From Windows PowerShell, run the Restore-GPO cmdlet.
  D. From Windows PowerShell, run the Import-GPO cmdlet.
  E. From a command prompt run the secedit.exe command and specify the /import parameter.
  D. From Windows PowerShell, run the Import-GPO cmdlet.

  ---

  References: https://anytecho.wordpress.com/2015/05/22/importing-group-policies-using-powershell-almost/

• Question 175:

  The Job Title attribute for a domain user named User1 has a value of Sales Manager. User1 runs whoami /claims and receives the following output:

  

  Kerberos support for Dynamic Access Control on this device has been disabled.

  You need to ensure that the security token of User1 has a claim for Job Title. What should you do?

  A. From Windows PowerShell, run the New-ADClaimTransformPolicy cmdlet and specify the -Name parameter
  B. From Active Directory Users and Computers, modify the properties of the User1 account.
  C. From Active Directory Administrative Center, add a claim type.
  D. From a Group Policy object (GPO), configure KDC support for claims, compound authentication, and Kerberos armoring.
  C. From Active Directory Administrative Center, add a claim type.

  ---

  From the output, obviously, a claim type is missing (or disabled) so that the domain controller is not issuing tickets with the "Job Title" claim type.

• Question 176:

  DRAG DROP

  Your network contains an Active Directory domain named contoso.com. The domain functional level is Windows Server 2016. The domain contains a member server named Server1.

  You test Code Integrity on Server1 in audit mode.

  You need to enforce the Code Integrity levels on all the Windows Server 2016 servers in the domain.

  Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  

  ---

  https://blogs.technet.microsoft.com/datacentersecurity/2018/03/10/default-code-integrity-policy-for-windows-server/

• Question 177:

  Your network contains an Active Directory domain.

  You install Security Compliance Manager (SCM) 4.0 on a server that runs Windows Server 2016.

  You need to modify a baseline, and then make the baseline available as a domain policy.

  Which four actions should you perform in sequence?

  Select and Place:

  

  

  ---

  1. Duplicate a baseline.

  2. Modify the settings of a baseline.

  3. Export the baseline as a Group Policy Object (GPO) backup4. Import settings into a Group Policy object (GPO)

• Question 178:

  You deploy the Host Guardian Service (HGS).

  You have several Hyper-V hosts that have older hardware and Trusted Platform Modules (TPMs) version 1.2.

  You discover that the Hyper-V hosts cannot start shielded virtual machines.

  You need to configure HGS to ensure that the older Hyper-V hosts can host shielded virtual machines. What should you do?

  A. Run the Set-HgsServer cmdlet and specify the -TrustTpm parameter.
  B. Run the Set-HgsServer cmdlet and specify the -TrustActiveDirectory parameter.
  C. Run the Clear-HgsServer cmdlet and specify the -Clustername parameter
  D. Run the Clear-HgsServer cmdlet and specify the -Force parameter.
  E. It is not possible to enable older Hyper-V hosts to run Shielded virtual machines
  E. It is not possible to enable older Hyper-V hosts to run Shielded virtual machines

  ---

  Requirements and LimitationsThere are several requirements for using Shielded VMs and the HGS:One bare metal host: You can deploy the Shielded VMs and the HGS with just one host. However, Microsoftrecommends that you cluster HGS for high availability.Windows Server 2016 Datacenter Edition: The ability to create and run Shielded VMs and the HGS is onlysupported by Windows Server 2016 DatacenterEdition.For Admin-trusted attestation mode: You only need to have server hardware capable of running Hyper-V in Windows Server 2016 TP5 or higher.For TPM-trusted attestation: Your servers must have TPM 2.0 and UEFI 2.3.1 and they must boot in UEFImode. The hosts must also have secure boot enabled.Hyper-V role: Must be installed on the guarded host.HGS Role: Must be added to a physical host.Generation 2 VMs.A fabric AD domain.An HGS AD, which in Windows Server 2016 TP5 is a separate AD infrastructure from your fabric AD.

• Question 179:

  Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012.

  The forest contains 20 member servers that are configured as file servers. All domain controllers run Windows Server 2016.

  You create a new forest named contosoadmin.com.

  You need to use the Enhanced Security Administrative Environment (ESAE) approach for the administration of the resources in contoso.com.

  Which two actions should you perform? Each correct answer presents part of the solution.

  A. From the properties of the trust, enable selective authentication.
  B. Configure contosoadmin.com to trust contoso.com.
  C. Configure contoso.com to trust contosoadmin.com.
  D. From the properties of the trust, enable forest-wide authentication.
  E. Configure a two-way trust between both forests.
  A. From the properties of the trust, enable selective authentication.
  C. Configure contoso.com to trust contosoadmin.com.

  ---

  https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material#ESAE_BM Trust configurations ?Configure trust from managed forests(s) or domain(s) to the administrative forestA one-way trust is required from production environment to the admin forest. This can be a domain trust or a forest trust.The admin forest/domain (contosoadmin.com) does not need to trust the managed domains/forests (contoso.com) to manage Active Directory, though additionalapplications may require a two-way trust relationship, security validation, and testing.Selective authentication should be used to restrict accounts in the admin forest to only logging on to theappropriate production hosts.

• Question 180:

  Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.

  You deploy Advanced Threat Analytics (ATA) to Server1.

  You need to move the ATA database to a different folder.

  Which configuration file should you modify?

  A. Config.json
  B. Web.config
  C. Config.xml
  D. Mongod.cfg
  D. Mongod.cfg

  ---

  References: https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-database-management