NEW QUESTION 1
You have a Hyper-V host named Server1 that runs Windows Server 2021. Server1 hosts the virtual machines configured as shown in the following table.

All the virtual machines have two volumes named C and D.
You plan to implement BitLocker Drive Encryption (BitLocker) on the virtual machines. Which virtual machines can have their volumes protected by using BitLocker? Choose Two.

• A. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM3 only
• B. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM1 and VM3 only
• C. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM2 and VM3 only
• D. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM2 and VM4 only
• E. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM2, VM3 and VM4 only
• F. Virtual machines that can have volume C protected by using BitLocker and a Trusted Platform Module (TPM) protector: VM1, VM2, VM3 and VM4
• G. Virtual machines that can have volume D protected by using BitLocker: VM3 only
• H. Virtual machines that can have volume D protected by using BitLocker: VM1 and VM3 only
• I. Virtual machines that can have volume D protected by using BitLocker: VM2 and VM3 only
• J. Virtual machines that can have volume D protected by using BitLocker: VM2 and VM4 only
• K. Virtual machines that can have volume D protected by using BitLocker: VM2, VM3 and VM4 only
• L. Virtual machines that can have volume D protected by using BitLocker: VM1, VM2, VM3 and VM4

Answer: AG

Explanation: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/upgrade-virtualmachine- versionin-hyper-v-on-windows-or-windows-server
To use Virtual TPM protector for encrypting C: drive, you have to use at least VM Configuration Version 7.0 and Generation 2 Virtual machines.

https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
If you don’t use TPM for protecting a drive, there is no such Virtual TPM or VM Generation, or VM Configuration version requirement, you can even use Bitlocker without TPM Protector with earlier versions of Windows.

NEW QUESTION 2
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You need to ensure that you can view Windows PowerShell code that was generated dynamically and executed on the computers in OU1.
What would you configure in GP1?

• A. Object Access\Audit Application Generated from the advanced audit policy
• B. Turn on PowerShell Script Block Logging from the PowerShell settings
• C. Turn on Module Logging from the PowerShell settings
• D. Object Access\Audit Other Object Access Events from the advanced audit policy

Answer: B

Explanation: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to log the
invocation of cmdlets, PowerShell’s scripting language has plenty of features that you might want to log and/or audit.
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system.
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW event log,
Microsoft-Windows-PowerShell/Operational.
If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy
setting (in Administrative Templates -> Windows Components -> Windows PowerShell).

NEW QUESTION 3
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 4.0 installed. The domain contains domain controllers that run Windows Server 2021.
A Group Policy object (GPO) named GPO1 is applied to all of the domain controllers.
GPO1 has a Globally Unique Identifier (GUID) of 7ABCDEFG-1234-5678-90AB-005056123456. You need to create a new baseline that contains the settings from GPO1. What should you do first?

• A. Copy the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG-1234-5678-90AB- 005056123456} folder to Server1.
• B. From Group Policy Management, create a backup of GPO1.
• C. From Windows PowerShell, run the Copy-GPO cmdlet
• D. Modify the permissions of the \\contoso.com\sysvol\contoso.com\Policies\{7ABCDEFG- 1234-5678-90AB-005056123456}

Answer: B

Explanation: https://technet.microsoft.com/en-us/library/hh489604.aspx Import Your GPOs
You can import current settings from your GPOs and compare these to the Microsoft recommended best
practices.
Start with a GPO backup that you would commonly create in the Group Policy Management Console (GPMC).
Take note of the folder to which the backup is saved. In SCM, select GPO Backup, browse to the GPO folder’s Globally Unique Identifier (GUID) and select a name for the GPO when it’s imported.
SCM will preserve any ADM files and GP Preference files (those with non-security settings that SCM doesn’t parse) you’re storing with your GPO backups.
It saves them in a subfolder within the user’s public folder. When you export the baseline as a GPO again, it
also restores all the associated files.

NEW QUESTION 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:Apps. App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You run the New-NetFirewallRule –DisplayName "Rule1" –Direction Inbound
–Program "D:AppsApp1.exe" –Action Allow -Profile Domain command. Does this meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 5
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
You need to allow network administrators to use Just Enough Administration (JEA) to change the
TCP/IP settings on Server1. The solution must use the principle of least privilege. How should you configure the session configuration file?

• A. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to ContosoNetwork Configuration Operators.
• B. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to ContosoNetwork Configuration Operators.
• C. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Network Configuration Operators.
• D. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Network Configuration Operators.

Answer: D

Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/newpssessionconfigurationfile? view=powershell-6

NEW QUESTION 6
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021. You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Security Options. Does this meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 7
Your network contains an Active Directory domain named contoso.com The domain contains five file servers that run Windows Server 2021.
You have an organizational unit (OU) named Finance that contains all of the servers. You create a Group Policy object (GPO) and link the GPO to the Finance OU.
You need to ensure that when a user in the finance department deletes a file from a file server, the event is logged. The solution must log only users who have a manager attribute of Ben Smith. Which audit policy setting should you configure in the GPO?

• A. File system in Global Object Access Auditing
• B. Audit Detailed File Share
• C. Audit Other Account Logon Events
• D. Audit File System in Object Access

Answer: C

NEW QUESTION 8
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2021. You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence? To answer move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.

Answer:

Explanation: References:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/ guarded-fabric-setting-up-the-host-guardian-service-hgs

NEW QUESTION 9
____ enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.

• A. Network Unlock
• B. EFS recovery agent
• C. JEA
• D. Credential Guard

Answer: A

Explanation: https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-how-to-enablenetwork- unlock

NEW QUESTION 10
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You need to implement BitLocker Network Unlock for all of the laptops. Which server role should you deploy to the network?

• A. Network Controller
• B. Windows Deployment Services
• C. Host Guardian Service
• D. Device Heath Attestation

Answer: B

Explanation: https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-how-to-enablenetwork- unlock Network Unlock core requirements
Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These
requirements include:
You must be running at least Windows 8 or Windows Server 2012.
Any supported operating system with UEFI DHCP drivers can be Network Unlock clients.
A server running the Windows Deployment Services (WDS) role on any supported server operating system.
BitLocker Network Unlock optional feature installed on any supported server operating system. A DHCP server, separate from the WDS server.
Properly configured public/private key pairing. Network Unlock Group Policy settings configured.

NEW QUESTION 11
You have a server named Server1 that runs Windows Server 2021.
You need to identify whether ICMP traffic is exempt from IPsec on Server1. Which cmdlet should you use?

• A. Get-NetIPSecRule
• B. Get-NetFirewallRule
• C. Get-NetFirewallProfile
• D. Get-NetFirewallSetting
• E. Get-NetFirewallPortFilter
• F. Get-NetFirewallAddressFilter
• G. Get-NetFirewallSecurityFilter
• H. Get-NetFirewallApplicationFilter

Answer: D

Explanation: The Get-NetFirewallSetting cmdlet retrieves the global firewall settings of the target computer. The NetFirewallSetting object specifies properties that apply to the firewall and IPsec settings, no matter which
network profile is currently in use.
The global configurations include viewing the active profile, exemptions, specified certification validation levels, and user and computer authorization lists.

NEW QUESTION 12
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server5 that has the Windows Server Update Services server role installed. You need to configure Windows Server Update Services (WSUS) on Server5 to use SSI. You install a certificate in the local Computer store.
Which two tools should you use? Each correct answer presents part of the solution.

• A. Wsusutil
• B. Netsh
• C. Internet Information Services (IIS) Manager
• D. Server Manager
• E. Update Services

Answer: AC

Explanation: By IIS Manager and “wsusutil configuressl” command https://technet.microsoft.com/en-us/library/bb633246.aspx To configure SSL on the WSUS server by using IIS 7.0
1) On the WSUS server, open Internet Information Services (IIS) Manager.
2) Expand Sites, and then expand the Web site for the WSUS server. We recommend that you use the WSUS
Administration custom Web site, but the default Web
site might have been chosen when WSUS was being installed.
3) Perform the following steps on the APIRemoting30, ClientWebService, DSSAuthWebService,
ServerSyncWebService, and SimpleAuthWebService virtual directories that reside under the WSUS Web site.
In Features View, double-click SSL Settings.
On the SSL Settings page, select the Require SSL checkbox. Ensure that Client certificates is set to Ignore.
In the Actions pane, click Apply.
4) Close Internet Information Services (IIS) Manager.
5) Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl
<Intranet
FQDN of the software update point site system>.

NEW QUESTION 13
Your network contains an Active Directory domain named contoso.com. All client computers run Windows 10.
You plan to deploy a Remote Desktop connection solution for the client computers.
You have four available servers in the domain that can be configured as Remote Desktop servers. The servers are configured as shown in the following table.

You need to ensure that all Remote Desktop connections can be protected by using Remote Credential Guard.
Solution: You deploy the Remote Desktop connection solution by using Server4. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: No, as Server4 is a Windows Server 2012R2 which does not meet the requirements of Remote Credential
Guard.
https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard Remote Credential Guard requirements
To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements:
The Remote Desktop client device:
Must be running at least Windows 10, version 1703 to be able to supply credentials.
Must be running at least Windows 10, version 1607 or Windows Server 2021 to use the user’s signed-in
credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn’t support Windows Defender Remote Credential Guard.
Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain
controller, then RDP attempts to fall back to NTLM.
Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose
credentials to risk.
The Remote Desktop remote host:
Must be running at least Windows 10, version 1607 or Windows Server 2021. Must allow Restricted Admin connections.
Must allow the client’s domain user to access Remote Desktop connections. Must allow delegation of non-exportable credentials.

NEW QUESTION 14
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2. The domain contains the servers configured as shown in the following table.

You have an organizational unit (OU) named Marketing that contains the computers in the marketing department.
You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the
AppServers OU.
You install Windows Defender on Nano1.
You need to configure Nano1 as a Hyper-V Host. Which command should you run?

• A. Add-WindowsFeature Microsoft-NanoServer-Compute-Package
• B. Add-WindowsFeature Microsoft-NanoServer-Guest-Package
• C. Add-WindowsFeature Microsoft-NanoServer-Host-Package
• D. Add-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package
• E. Install-Package Microsoft-NanoServer-Compute-Package
• F. Install-Package Microsoft-NanoServer-Guest-Package
• G. Install-Package Microsoft-NanoServer-Host-Package
• H. Install-Package Microsoft-NanoServer-ShieldedVM-Package
• I. Install-WindowsFeature Microsoft-NanoServer-Compute-Package
• J. Install-WindowsFeatureMicrosoft-NanoServer-Guest-Package
• K. Install-WindowsFeatureMicrosoft-NanoServer-Host-Package
• L. Install-WindowsFeature Microsoft-NanoServer-ShieldedVM-Package

Answer: E

Explanation: https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server#BKMK_online The Nano Server package “Microsoft-NanoServer-Compute-Package” includes the Hyper-V role for a Nano
Server host.
Moreover, the Install-WindowsFeature or Add-WindowsFeature cmdlet are NOT available on a Nano Server.

NEW QUESTION 15
Your network contains an Active Directory domain named contoso.com.
You install the Windows Server Update Services server role on a member server named Server1. Server1 runs Windows Server 2021.
You need to ensure that a user named Used can perform the following tasks:
*View the Windows Server Update Services (WSUS) configuration.
*Generate WSUS update reports.
The solution must use the principle of least privilege. What should you do on Server1?

• A. Modify the permissions of the ReportWebService virtual folder from the WSUS Administration website.
• B. Add User1 to the WSUS Reporters local group.
• C. Add User1 to the WSUS Administrators local group.
• D. Run wsusutil.exe and specify the postinstall paramete

Answer: B

Explanation: WSUS Reporters have read only access to the WSUS database and configuration

When a user with “WSUS Reporters” membership, he can view configuration and generate reports as follow:-

NEW QUESTION 16
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012. The forest contains a single domain. The domain contains multiple Hyper-V hosts.
You plan to deploy guarded hosts.
You deploy a new server named Server22 to a workgroup.
You need to configure Server22 as a Host Guardian Service server.
What should you do before you initialize the Host Guardian Service on Server22?

• A. Install the Active Directory Domain Services server role on Server22.
• B. Obtain a certificate.
• C. Raise the forest functional level.
• D. Join Server22 to the domai

Answer: D

Explanation: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabricchoose-where-to-install-hgs
The only technical requirement for installing HGS in an existing forest is that it be added to the root domain;
non-root domains are not supported.

NEW QUESTION 17
Your network contains an Active Directory domain.
The domain contains two organizational units (OUs) named ProdOU and TestOU.
All production servers are in ProdOU. All test servers are in TestOU. A server named Server1 is in TestOU.
You have a Windows Server Update Services (WSUS) server named WSUS1 that runs Windows Server 2021.
All servers receive updates from WSUS1.
WSUS is configured to approve updates for computers in the Test computer group automatically. Manual approval is required for updates to the computers in the Production computer group.
You move Server1 to ProdOU, and you discover that updates continue to be approved and installed automatically on Server1.
You need to ensure that all the servers in ProdOU only receive updates that are approved manually. What should you do?

• A. Turn off auto-restart for updates during active hours by using Group Policy objects (GPOs).
• B. Configure client-side targeting by using Group Policy objects (GPOs).
• C. Create computer groups by using the Update Services console.
• D. Run wuauclt.exe /detectnow on each server after the server is moved to a different O

Answer: B

Explanation: Updates in WSUS are approved against “Computer Group” , not AD OUs. For this example, to prevent Server1 to install automatically approved updates,
you have to remove Server1 from “Test” computer group and add Server1 into “Production” computer group in WSUS console, manually or use the WSUS GPO Client-Side Targeting feature.
https://technet.microsoft.com/en-us/library/cc720450%28v=ws.10%29.aspx?f=255&MSPPError=- 2147217396
With client-side targeting, you enable client-computers to add themselves to the computer groups you create in the WSUS console.
You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active Directory network environment) for the client computers.
When the WSUS client computers connect to the WSUS server, they will add themselves into the correct computer group.
Client-side targeting is an excellent option if you have many client computers and want to automate the process of assigning them to computer groups.
First, configure WSUS to allow Client Site Targeting.

Secondly, configure GPO to affect “ProdOU” , so that Server1 add itself to “Production” computer group.
https://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus