NEW QUESTION 1
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021. You need to prevent NTLM authentication on Server1.
Solution: From Windows PowerShell, you run the Disable-WindowsOptionalFeature cmdlet. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: https://blogs.technet.microsoft.com/filecab/2021/09/16/stop-using-smb1/
On Client, the PowerShell approach (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

However, the question asks about Server!
On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1): Remove-WindowsFeature FS-SMB1

Even if SMB1 is removed, SMB2 and SMB3 could still run NTLM authentication! Therefore, answer is a“NO”.

NEW QUESTION 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2021. The forest contains 2,000 client computers that run Windows 10. All client computers are deployed from a customized Windows image.
You need to deploy 10 Privileged Access Workstations (PAWs). The solution must ensure that administrators can access several client applications used by all users.
Solution: You deploy one physical computer and configure it as a Hyper-V host that runs Windows Server 2021. You create 10 virtual machines and configure each one as a PAW.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: References:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privilegedaccess/privileged-access-workstations

NEW QUESTION 3
Your company has an accounting department.
The network contains an Active Directory domain named contoso.com. The domain contains 10 servers.
You deploy a new server named Server11 that runs Windows Server 2021.
Server11 will host several network applications and network shares used by the accounting department.
You need to recommend a solution for Server11 that meets the following requirements:
-Protects Server11 from address spoofing and session hijacking
-Allows only the computers in We accounting department to connect to Server11 What should you recommend implementing?

• A. AppLocker rules
• B. Just Enough Administration (JEA)
• C. connection security rules
• D. Privileged Access Management (PAM)

Answer: C

Explanation: In IPsec connection security rule, the IPsec protocol verifies the sending host IP address by utilize integrity
functions like Digitally signing all packets.
If unsigned packets arrives Server11, those are possible source address spoofed packets, when using connection security rule in-conjunction with inbound firewall
rules, you can kill those un-signed packets with the action “Allow connection if it is secure” to prevent spoofing and session hijacking attacks.

NEW QUESTION 4
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
The hardware configuration on Server1 meets the requirements for Credential Guard. You need to enable Credential Guard on Server1.
What should you do? To answer, select the appropriate options in the answer area.

Answer:

Explanation: References:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guardrequirements https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guardmanage# hardware-readiness-tool

NEW QUESTION 5
Your network contains an Active Directory domain named contoso.com. The domain contains five servers. All servers run Windows Server 2021.
A new secunty policy states that you must modify the infrastructure to meet the following requirements:
*Limit the nghts of administrators.
*Minimize the attack surface of the forest
*Support Multi-Factor authentication for administrators.
You need to recommend a solution that meets the new secunty policy requirements. What should you recommend deploying?

• A. an administrative forest
• B. domain isolation
• C. an administrative domain in contoso.com
• D. the Local Administrator Password Solution (LAPS)

Answer: A

Explanation: You have to “-Minimize the attack surface of the forest”, then you must create another forest for administrators.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securingprivilegedaccess- reference-material#ESAE_BM
This section contains an approach for an administrative forest based on the Enhanced Security Administrative
Environment (ESAE) reference architecture deployed
by Microsoft’s cybersecurity professional services teams to protect customers against cybersecurity attacks.
Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment.

NEW QUESTION 6
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. The domain has Dynamic Access Control enabled.
Server1 contains a folder named C:Folder1. Folder1 is shared as Share1.
You need to audit all access to the contents of Folder1 from Server2. The solution must minimize the number of event log entries.
Which two audit policies should you enable on Server1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Global Object Access- File System
• B. Object Access – Audit Detailed File Share
• C. Object Access – Audit Other Object Access Events
• D. Object Access – Audit File System
• E. Object Access – Audit File Share

Answer: BE

Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-fileshare https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share

NEW QUESTION 7
You network contains an Active Directory forest named contoso.com.
All domain controllers run Windows Server 2021 Member servers run either Windows Server 2012 R2 or Windows Server 2021.
Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are transferred over the network.
Solution: You enable SMB encryption on all the computers in domain. Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation: SMB Encryption could be enabled on a per-computer wide basis, after you have enabled SMB encryption on a server-level basis, you could not disable encryption for any specific shared folder.
To enable Global level encryption on the server: Set-SmbServerConfiguration -EncryptData 1

NEW QUESTION 8
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a file server that runs Windows Server 2021. The file server contains the volumes configured as shown in the following table.

You need to encrypt DevFiles by using BitLocker Drive Encryption (ButLocker). Solution: You run the Enable-BitLocker cmdlet.
Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlocker?view=win10-ps

NEW QUESTION 9
You have a server named Server1 that runs Windows Server 2021. You configure Just Enough Administration (JEA) on Server1.
You need to view a list of commands that will be available to a user named User1 when User1 establishes a JEA session to Server1.
Which cmdlet should you use?

• A. Trace-Command
• B. Get-PSSessionCapability
• C. Get-PSSessionConfiguration
• D. Show-Command

Answer: B

Explanation: https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/getpssessioncapability? view=powershell-5.0.
The Get-PSSessionCapability cmdlet gets the capabilities of a specific user on a constrained session configuration.
Use this cmdlet to audit customized session configurations for users.
Starting in Windows PowerShell 5.0, you can use the RoleDefinitions property in a session configuration (.pssc) file.
Using this property lets you grant users different capabilities on a single constrained endpoint based on groupmembership.
The Get-PSSessionCapability cmdlet reduces complexity when auditing these endpoints by letting you
determine the exact capabilities granted to a user.
This command is used by I.T. Administrator (The “You” mention in the question) to verify configuration for a
User.

NEW QUESTION 10
Your network contains two single-domain Active Directory forests named contoso.com and contosoadmin.com. Contosoadmin.com contains all of the user accounts used to manage the servers in contoso.com.
You need to recommend a workstation solution that provides the highest level of protection from vulnerabilities and attacks.
What should you include in the recommendation?

• A. Provide a Privileged Access Workstation (PAW) for each user account in both forest
• B. Join each PAW to the contoso.com domain.
• C. Provide a Pnvileged Access Workstation (PAW) for each user in the contoso.com forest Join each PAW to the contoso.com domain.
• D. Provide a Pnvileged Access Workstation (PAW) for each administrato
• E. Join each PAW to the contoso.com domain.
• F. Provide a Pnvileged Access Workstation (PAW) for each administrato
• G. Join each PAW to the contosoadmin.com domain.

Answer: D

Explanation: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securingprivilegedaccess- reference-material

NEW QUESTION 11
You have a Hyper-V host named Server1 that runs Windows Server 2021. Server1 has a generation 2 virtual machine named VM1 that runs Windows 10.
You need to ensure that you can turn on BitLocker Drive Encryption (BitLocker) for drive C: on VM1. What should you do?

• A. From Server1, install the BitLocker feature.
• B. From Server1, enable nested virtualization for VM1.
• C. From VM1, configure the Require additional authentication at startup Group Policy setting.
• D. From VM1, configure the Enforce drive encryption type on fixed data drives Group Policy settin

Answer: C

Explanation: https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
If you don’t use TPM for protecting a drive, there is no such Virtual TPM or VM Generation, or VM Configuration
version requirement, you can even use Bitlocker without TPM Protector with earlier versions of Windows. How to Use BitLocker Without a TPM
You can bypass this limitation through a Group Policy change. If your PC is joined to a business or school
domain, you can’t change the Group Policy setting
yourself. Group policy is configured centrally by your network administrator.
To open the Local Group Policy Editor, press Windows+R on your keyboard, type “gpedit.msc” into the Run
dialog box, and press Enter.
Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating
System Drives in the left pane.

Double-click the “Require additional authentication at startup” option in the right pane.

Select “Enabled” at the top of the window, and ensure the “Allow BitLocker without a compatible TPM
(requires a password or a startup key on a USB flash drive)” checkbox is enabled here.
Click “OK” to save your changes. You can now close the Group Policy Editor window. Your change takes effect immediately—you don’t even need to reboot.

NEW QUESTION 12
You implement Just Enough Administration (JEA) on several file servers that run Windows Server 2021.
The Role Capability file from a server named Server5 contains the following code.

Which action can be performed by a user who connects to Server5?

• A. Create a new file share.
• B. Modify the properties of any share.
• C. Stop any process.
• D. View the NTFS permissions of any folder.

Answer: B

Explanation: https://docs.microsoft.com/en-us/powershell/jea/role-capabilities Focus on the 3rd Visible Cmdlets in this question ‘SmbShare\Set-*’
The PowerShell “SmbShare” module has the following “Set-*” cmdlets, as reported by “Get- Command -Module
SmbShare” command:-

The “Set-SmbShare” cmdlet is then visible on Server5’s JEA endpoint, and allows JEA users to modify the
properties of any file share.
https://technet.microsoft.com/en-us/itpro/powershell/windows/smbshare/set-smbshare

NEW QUESTION 13
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
You have an organizational unit (OU) named Administration that contains the computer account of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU. You need to log an event each time an Active Directory cmdlet executed successfully from Server1. What should you do?

• A. From Advanced Audit Policy in GPO1. configure auditing for other privilege use events.
• B. Run the Add-NetEventProvider -Name “Microsoft-Active-Directory” -MatchAnyKeyword PowerShell command.
• C. From Advanced Audit Policy in GPO1, configure auditing for directory service changes.
• D. From Administrative Templates in GPO1, configure a Windows PowerShell polic

Answer: D

Explanation: In the following GPO location, you can enable the setting “Turn on Module Logging” to record an
event each
time the PowerShell executes a cmdlet of a specific PowerShell module, for example “ActiveDirectory”.
“Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell”

NEW QUESTION 14
Your network contains an Active Directory domain named contoso.com.
You deploy a server named Server1 that runs Windows Server 2021. Server1 is in a workgroup. You need to collect the logs from Server1 by using Log Analytics in Microsoft Operations Management Suite (OMS).
What should you do first?

• A. Join Server1 to the domain.
• B. Create a Data Collector Set.
• C. Install Microsoft Monitoring Agent on Server1.
• D. Create an event subscriptio

Answer: C

Explanation: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents
You need to install and connect Microsoft Monitoring Agent for all of the computers that you

You can install the OMS MMA on stand-alone computers, servers, and virtual machines.

NEW QUESTION 15
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this sections, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a file server that runs Windows Server 2021. The file server contains the volumes configured as shown in the following table.

You need to encrypt DevFiles by using BitLocker Drive Encryption (ButLocker). Solution: You run the Lock-BitLocker cmdlet.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/bitlocker/lock-bitlocker?view=win10-ps

NEW QUESTION 16
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department You have an OU named Finance that contains the computers in the finance department You have an OU named AppServers that contains application servers. A Group Policy object (GPO)
named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that the marketing department computers validate DNS responses from adatum.com.
Which setting should you configure in the Computer Configuration node of GP1?

• A. TCPIP Settings from Administrative Templates
• B. Connection Security Rule from Windows Settings
• C. DNS Client from Administrative Templates
• D. Name Resolution Policy from Windows Settings

Answer: D

Explanation:
The NRPT is a table that contains rules that you can configure to specify DNS settings or special behavior for names or namespaces.
The NRPT can be configured using the Group Policy Management Editor under Computer Configuration
\Policies\Windows Settings\Name Resolution Policy, or with Windows PowerShell.
If a DNS query matches an entry in the NRPT, it is handled according to settings in the policy. Queries that do not match an NRPT entry are processed normally.
You can use the NRPT to require that DNSSEC validation is performed on DNS responses for queries in the namespaces that you specify.

NEW QUESTION 17
Your network contains an Active Directory domain named contoso.com. The domain contains multiple servers that run either Windows Server 2012 or Windows Server 2012 R2.
You plan to implement Just Enough Administration (JEA) to manage all of the servers.
What should you install on each server to ensure that the servers can be managed by using JEA?

• A. Remote Server Administration Tools (RSAT)
• B. Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
• C. Management Odata Internet Information Services (IIS) Extension
• D. Windows Management Framework 5.0

Answer: D

Explanation: https://msdn.microsoft.com/en-us/library/dn896648.aspx Get JEA
The current release of JEA is available on the following platforms: Windows Server
Windows Server 2021 Technical Preview 5 and higher
Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2* with Windows Management Framework 5.0 installed