NEW QUESTION 1
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\Apps\. App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You configure an inbound rule that allows the TCP protocol on port 8080, uses a scope of 172.16.0.0/16 for local IP addresses, and applies to a private profile.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: “You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.”, you should create the firewall rule for “Domain” profile instead, not the “Private” profile.
https://technet.microsoft.com/en-us/library/getting-started-wfas-firewall-profilesipsec( v=ws.10).aspx

NEW QUESTION 2
HOTSPOT
You have 10 Hyper-V hosts that run Windows Server 2021.
Each Hyper-V host has eight virtual machines that run a distributed web application named App1. You plan to implement a Software Load Balancing (SLB) solution for client access to App1. You deploy two new virtual machines named SLB1 and SLB2.
You need to install the required components on the Hyper-V hosts and the new servers for the planned implementation.
Which components should you install? Select the Appropriate in selection area.

Answer:

Explanation: https://blogs.technet.microsoft.com/tip_of_the_day/2021/06/28/tip-of-the-day-demystifyingsoftware- definednetworking-terms-the-components/
https://technet.microsoft.com/en-us/library/mt632286.aspx
SLB Host Agent – When you deploy SLB, you must use System Center, Windows PowerShell, or another
management application to deploy the SLB Host Agent on every Hyper-V host computer.
You can install the SLB Host Agent on all versions of Windows Server 2021 that provide Hyper-V support,
including Nano Server.
SLB MUX – Part of the Software Load Balancer (SLB on Windows Server 2021, the SLB MUX processes inbound network traffic and maps VIPs (virtual IPs) to
DIPs (datacenter IPs), then forwards the traffic to the correct DIP. Each MUX also uses BGP to publish VIP
routes to edge routers. BGP Keep Alive notifies MUXes
when a MUX fails, which allows active MUXes to redistribute the load in case of a MUX failure – essentially
providing load balancing for the load balancers.

NEW QUESTION 3
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1.
On Server1, administrators plan to use several scripts that have the .ps1 extension.
You need to ensure that when code is generated from the scripts, an event containing the details of
the code is logged in the Operational log.
Which Group Policy setting or settings should you configure?

• A. Enable Protected Event Logging
• B. Audit Process Creation and Audit Process Termination
• C. Turn on PovverShell Script Block Logging
• D. Turn on PowerShell Transcription

Answer: C

Explanation: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShell scripting use on a system.
After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW event log,
Microsoft-Windows-PowerShell/Operational.
If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on a string), that resulting script block is logged as well.
Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policy setting (in GPO Administrative Templates -> Windows Components -> Windows PowerShell).
Answer D is incorrect, since Transcription (Start-Transcript -path <FilePath>) uses a custom output location
instead of Event Viewer \ Operational Log

NEW QUESTION 4
Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You deploy a new server named FinanceServer5, and join FinanceServerS to the domain.
You need to ensure that the passwords of the local administrators of FinanceServer5 are available to the LAPS administrators.
What should you do?

• A. On FinanceServerS, register AdmPwd.dll.
• B. On FmanceServerS, install the LAPS Windows PowerShell module.
• C. In the domain, modify the permissions for the computer account of FmanceServer5.
• D. In the domain, modify the permissions of the Domain Controllers organizational unit (OU).

Answer: A

Explanation: References:
https://gallery.technet.microsoft.com/Step-by-Step-Deploy-Local-7c9ef772

NEW QUESTION 5
HOTSPOT
Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Secure that contains all servers.
You install Microsoft Security Compliance Manager (SCM) 4.0 on a server named Server1. You need to export the SCM Pnnt Server Secunty baseline and to deploy the baseline to a server named Server2.
What should you do? To answer, select the appropnate options in the answer area.

Answer:

Explanation: When the security settings is exported from SCM 4 in a GPO (folder) format, with a long GUID name

You have to import it to GPO by using “Group Policy Management”, right-click the GPO and use “Import
Settings” button

Do not confuse with security template .inf files. Only security template .INF file (which is a single file, not a
folder) could be imported to a GPO by Group Policy Object Editor

NEW QUESTION 6
Your network contains an Active Directory domain named contoso.com. All servers in the domain run Windows Server 2021.All client computers run Windows 10.
Your company has deployed the Local Administrator Password Solution (LAPS).
Client computers in the finance department are located in an organizational unit (OU) named Finance.
Each finance computer has a custom administrative account named FinAdmin. You discover that the FinAdmin accounts are not managed by LAPS.
You need to ensure that the FinAdmin accounts are managed by LAPS. What should you do?

• A. On the finance computers, register the AdmPwd.ps Windows PowerShell module and then run the ResetAdmPwdPassword cmdlet
• B. Modify the Password Policy in a Group Policy object (GPO).
• C. Modify the LAPS settings in a Group Policy object (GPO).
• D. On the finance computer
• E. rename the FinAdmin accounts to Administrato

Answer: C

Explanation: Use the GPO Setting “Name of administrator account to manage” for LAPS to manage secondary administrative accounts which is not named as “Administrator”

NEW QUESTION 7
Your network contains an Active Directory domain named contoso.com. The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2021. You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence?

• A. Install-HgsServer
• B. Install-Module
• C. Install-Package
• D. Enable-WindowsOptionalFeature
• E. Install-ADDSDomainController
• F. Initialize-HgsServer

Answer: AEF

Explanation: Correct order of actions:
1. Install-ADDSDomainController , as Server22 is a workgroup computer, create a new domain on it first.
2. Install-HgsServer
3. Initialize-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabricsetting-up-the-host-guardian-service-hgs
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabricinstall-hgs-default
Install-HgsServer
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabricinitialize-hgs-tpm-mode-default
Initialize-HgsServer

NEW QUESTION 8
Note: This question b part of a series of questions that present the same scenario. Each question In the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear In the review screen.
Your network contains an Active Directory domain named contow.com. All servers run Windows Server 2021. All client computers run Windows 10.
The relevant objects in the domain are configured as shown in the following table.

You need to assign User1 the right to restore files and folders on Server1 and Server2.
Solution: You create a Group Policy object (GPO), link it to the Operations Users OU, and modify the Users Rights Assignment in the GPO.
Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation: Yes, in “User Rights Assignment” section of a GPO, two settings for assigning backup and restore user rights are available as follow:

NEW QUESTION 9
You have the servers configured as shown in the following table.

You purchase a Microsoft Azure subscription, and you create three Microsoft Operations
Management Suite (OMS) workspaces named Workspace1, Workspace2, and Workspace3
You need to deploy Microsoft Monitoring Agent to the servers to meet the following requirements:
-Antimalware data from all the servers must be visible in Workspace1.
-Security and audit data from the domain controllers and the virtualization hosts must be visible in Workspace2.
-System update data from all the servers in all the workgroups must be visible in Workspace& How many OMS agents should you deploy?

• A. 10
• B. 33
• C. 73
• D. 45

Answer: C

Explanation: -Antimalware data from all the servers must be visible in Workspace1.
-Security and audit data from the domain controllers and the virtualization hosts must be visible in Workspace2.
-System update data from all the servers in all the workgroups must be visible in Workspace& “All the servers” mean all 5 domain controllers, plus all member servers (physical and virtual, domain and
workgroup) and virtualization hosts, so there are no exemptions.
All servers in the above table mentioned must install OMS Microsoft Monitoring agents

NEW QUESTION 10
Note: This question is part of a series of questions that present the same scenario. Each question In the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question In this section, you will NOT be able to return to It. As a result, these questions will not appear In the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains multiple Hyper-V hosts.
You need to deploy several critical line-of-business applications to the network; to meet the following requirements:
*The resources of the applications must be isolated from the physical host.
*Each application must be prevented from accessing the resources of the other applications.
*The configurations of the applications must be accessible only from the operating system that hosts
the application.
Solution: You deploy a separate Windows container for each application. Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation: References:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/

NEW QUESTION 11
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You need to ensure that AppLocker rules will apply to the marketing department computers. What should you do?

• A. From the properties of OU2, modify the Security settings.
• B. In GP2, configure the Startup type for the Application Identity service.
• C. From the properties of OU2, modify the COM+ partition Set
• D. In GP2, configure the Startup type for the Application Management servic

Answer: B

Explanation: https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-applicationidentity- service Because AppLocker uses this service “Application Identity” to verify the attributes of
a file, you must configure it to start automatically in at least one Group Policy object (GPO) that applies AppLocker rules.

NEW QUESTION 12
Vout network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2021.
The domain contains a server named Serverl that has Microsoft Security Compliance Manager (SCM)
4.0 installed.
You export the baseline shown in the following exhibit.

You have a server named Server2 that is a member of a workgroup.
You copy the (2617e9b1-9672-492b-aefa-0505054848c2) folder to Server2. You need to deploy the baseline settings to Server2.
What should you do?

• A. Download, install, and then fun the Lgpo.exe command.
• B. From Group Policy Management import a Group Policy object (GPO).
• C. From Windows PowerShell, run the Restore-GPO cmdlet.
• D. From Windows PowerShell, run the Import-GPO cmdlet.
• E. From a command prompt run the secedit.exe command and specify the /import paramete

Answer: D

Explanation: References:
https://anytecho.wordpress.com/2015/05/22/importing-group-policies-using-powershell-almost/

NEW QUESTION 13
You are building a guarded fabric. You need to configure Admin-trusted attestation. Which cmdlet should you use?

• A. Add-HgsAttestationHostGroup
• B. Add-HgsAttestationTpmHost
• C. Add-HgsAttestationCIPolicy
• D. Add-HgsAttestationTpmPolicy

Answer: A

Explanation: Authorize Hyper-V hosts using Admin-trusted attestation
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/ guarded-fabric-addhost-information-for-admin-trusted-attestation

NEW QUESTION 14
Your network contains an Active Directory domain named contoso.com.
The domain contains a member server named Servers that runs Windows Server 2021. You need to configure Servers as a Just Enough Administration (JEA) endpoint.
Which two actions should you perform? Each correct answer presents part of the solution.

• A. Create and export a Windows PowerShell session.
• B. Deploy Microsoft Identity Manager (MIM) 2021
• C. Create a maintenance Role Capability file
• D. Generate a random Globally Unique Identifier (GUID)
• E. Create and register a session configuration file.

Answer: CE

Explanation: https://docs.microsoft.com/en-us/powershell/jea/role-capabilities https://docs.microsoft.com/en-us/powershell/jea/register-jea

NEW QUESTION 15
You implement Log Analytics in Microsoft Operations Management Suite (OMS) on all servers that run Windows Server 2021.
You need to generate a daily report that identifies which servers restarted during the last 24 hours. Which query should you use?

• A. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
• B. EventLog=Application EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
• C. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
• D. EventLog=System EventId:6009 Type:Event TimeGenerated>NOW+24HOURS

Answer: C

Explanation: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-searches Computer restart events are stored in “System” eventlog instead of Application even log. “NOW-24HOURS” clause matches all events generated in the last 24 hours.

NEW QUESTION 16
Your network contains an Active Directory domain named contoso.com.
The domain contains two global groups named Group1 and Group2. A user named User1 is a member of Group1
You have an organizational unit (OU) named OU1 that contains the computer accounts of computers that contain sensitive data. A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table.

You need to prevent User1 from signing in to Computer1. What should you do?

• A. From Default Domain Policy, modify the Allow log on locally user right
• B. On Computer1, modify the Deny log on locally user right.
• C. From Default Domain Policy, modify the Deny log on locally user right
• D. Remove User1 to Group2.

Answer: D

Explanation: https://technet.microsoft.com/en-us/library/cc957048.aspx “Deny log on locally”
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users are prevented from logging on at the computer.
This policy setting supercedes the Allow Log on locally policy setting if an account is subject to both policies.
Therefore, adding User1 to Group2 will let User1 to inherit both policy, and then prevent User1 to sign in to
Computer1.

NEW QUESTION 17
Your data center contains 10 Hyper-V hosts that host 100 virtual machines.
You plan to secure access to the virtual machines by using the Datacenter Firewall service.
You have four servers available for the Datacenter Firewall service. The servers are configured as shown in the following table.

You need to install the required server roles for the planned deployment Which server role should you deploy? Choose Two.

• A. Server role to deploy: Multipoint Services
• B. Server role to deploy: Network Controller
• C. Server role to deploy: Network Policy and Access Services
• D. Servers on which to deploy the server role: Server20 and Server21
• E. Servers on which to deploy the server role: Server22 and Server23

Answer: BE

Explanation: Datacenter Firewall is a new service included with Windows Server 2021. It is a network layer, 5- tuple (protocol, source and destination port numbers, source and destination IP addresses), stateful, multitenant firewall. When deployed and offered as a service by the serviceprovider, tenant administrators can install and configure firewall policies to help protect their virtual networks from unwanted traffic originating from Internet and intranet networks.
https://docs.microsoft.com/en-us/windows-server/networking/sdn/technologies/networkcontroller/ networkcontroller
Network Controller Features
The following Network Controller features allow you to configure and manage virtual and physical network
devices and services.
i) Firewall Management (Datacenter Firewall)
ii) Software Load Balancer Management
iii) Virtual Network Management
iv) RAS Gateway Management

https://docs.microsoft.com/en-us/windows-server/networking/sdn/plan/installation-andpreparationrequirements- for-deploying-network-controller
Installation requirements
Following are the installation requirements for Network Controller.
For Windows Server 2021 deployments, you can deploy Network Controller on one or more computers, one or more VMs, or a combination of computers and VMs.
All VMs and computers planned as Network Controller nodes must be running Windows Server 2021 Datacenter edition.