NEW QUESTION 1
Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run Windows 10.
A security audit reveals that the network recently experienced a Pass-the-Hash attack. The attack was initiated from a client computer and accessed Active Directory objects restricted to the members of the Domain Admins group.
You need to minimize the impact of another successful Pass-the-Hash attack on the domain. What should you recommend?

• A. Instruct all users to sign in to a client computer by using a Microsoft account.
• B. Move the computer accounts of all the client computers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.
• C. Instruct all administrators to use a local Administrators account when they sign in to a client computer.
• D. Move the computer accounts of the domain controllers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.

Answer: C

Explanation: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard

NEW QUESTION 2
Note: This question Is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is Independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
Server1 has a shared folder named Share1. You need to encrypt the contents of Share1. Which tool should you use?

• A. File Explorer
• B. Shared Folders
• C. Server Manager
• D. Disk Management
• E. Storage Explorer
• F. Computer Management
• G. System Configuration
• H. File Server Resource Manager (FSRM)

Answer: A

NEW QUESTION 3
You deploy the Host Guardian Service (HGS).
You have several Hyper-V hosts that have older hardware and Trusted Platform Modules (TPMs) version 1.2.
You discover that the Hyper-V hosts cannot start shielded virtual machines.
You need to configure HGS to ensure that the older Hyper-V hosts can host shielded virtual machines. What should you do?

• A. Run the Set-HgsServer cmdlet and specify the -TrustTpm parameter.
• B. Run the Set-HgsServer cmdlet and specify the -TrustActiveDirectory parameter.
• C. Run the Clear-HgsServer cmdlet and specify the -Clustername parameter
• D. Run the Clear-HgsServer cmdlet and specify the -Force parameter.
• E. It is not possible to enable older Hyper-V hosts to run Shielded virtual machines

Answer: E

Explanation: Requirements and Limitations
There are several requirements for using Shielded VMs and the HGS:
One bare metal host: You can deploy the Shielded VMs and the HGS with just one host. However,
Microsoft
recommends that you cluster HGS for high availability.
Windows Server 2021 Datacenter Edition: The ability to create and run Shielded VMs and the HGS is only
supported by Windows Server 2021 Datacenter Edition.
For Admin-trusted attestation mode: You only need to have server hardware capable of running Hyper-V in
Windows Server 2021 TP5 or higher.
For TPM-trusted attestation: Your servers must have TPM 2.0 and UEFI 2.3.1 and they must boot in UEFI
mode. The hosts must also have secure boot enabled. Hyper-V role: Must be installed on the guarded host. HGS Role: Must be added to a physical host. Generation 2 VMs.
A fabric AD domain.
An HGS AD, which in Windows Server 2021 TP5 is a separate AD infrastructure from your fabric AD.

NEW QUESTION 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question In this section, you will NOT be able to return to It. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally. Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network. Solution: From Windows Firewall in the Control Panel, you add an application and allow the application to communicate through the firewall on a Private network.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: References:
http://www.online-tech-tips.com/windows-10/adjust-windows-10-firewall-settings/

NEW QUESTION 5
Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network You need to view the password of the local administrator of a server named Server5. Which tool should you use?

• A. Active Directory Users and Computers
• B. Computer Management
• C. Accounts from the Settings app
• D. Server Manager

Answer: A

Explanation: Use “Active Directory Users and Computers” to view the attribute value of “ms-MCS-adminpwd” of the Server5 computer account
https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solutionlapsimplementation- hints-and-security-nerd-commentaryincludingmini-threat-model/

NEW QUESTION 6
DRAG DROP
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2021. You need to install Microsoft Advanced Threat Analytics (ATA) on Server1 and Server2. Which four actions should you perform in sequence?

Answer:

Explanation: Correct Order of Actions:-
1. Install ATA Center (on Server1 for example)
2. Install ATA Gateway (on Server2 for example, if Server2 has internet connectivity)
3. Set the ATA Gateway configuration settings. (Register Server2 ATA Gateway to Server1’s ATA Center)
4. Install the ATA Lightweight Gateway.
Since there are not switch-based port mirroring choice used to capture domain controller’s inbound and
outbound traffic,
installing ATA Lightweight Gateway on DCs to forward security related events to ATA Center is necessary.

NEW QUESTION 7
Your network contains an Active Directory domain named contoso.com.
The domain contains four global groups named Group1, Group2, Group3, and Group4. A user named User1 is a member of Group3.
You have an organizational unit (OU) named OU1 that contains computer accounts. A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account named Computer1. GPO1 has the User Rights Assignment configured as shown in the following table.

• A. Modify the membership of Group3.
• B. Modify the membership of Group2.
• C. Modify the membership of Group1.
• D. Modify the membership of Group4.

Answer: B

NEW QUESTION 8
HOTSPOT
Your network contains two Active Directory forests named contoso.com and adatum.com. Contoso.com contains a Hyper-V host named Server1. Server1 is a member of a group named HyperHosts. Adatum.com contains a server named Server2. Server1 and Server2 run Windows Server 2021.
Contoso.com trusts adatum.com.
You plan to deploy shielded virtual machines to Server1 and to configure Admin-trusted attestation on Server2.
Which component should you install and which cmdlet should you run on Server2? To answer, select the appropriate options in the answer area.

Answer:

Explanation: Key for this question is Admin-trusted attestation or (AD mode) for guarded fabric “Server1.contoso.com”, while Server2.adatum.com is running the Host Guardian Service.

https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabricguarded-host-prerequisites
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shieldedvm/guarded-fabricconfirm-hosts-can-attest-successfully

NEW QUESTION 9
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
The services on Server1 are shown in the following output.

Server1 has the AppLocker rules configured as shown in the exhibit (Click the Exhibit button.)

Rule1 and Rule2 are configured a$ shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Answer:

Explanation: On Server1, User1 can run D:\Folder2\App1.exe : Yes On Server1, User1 can run D:\Folder1\Program1.exe : Yes
If Program1 is copied from D:\Folder1 to D:\Folder2, User1 can run Program1.exe on Server1 : NO
https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-applicationidentity- service
The Application Identity service determines and verifies the identity of an app. Stopping this service will
prevent AppLocker policies from being enforced.
In this question, Server1’s Application Identity service is stopped, therefore, no more enforcement on
AppLocker rules, everyone could run everything on Server1.

NEW QUESTION 10
You have a server named Server1 that runs Windows Server 2021.
You need to identify whether IPsec tunnel authorization is configured on Server1. Which cmdlet should you use?

• A. Get-NetIPSecRule
• B. Get-NetFirewallRule
• C. Get-NetFirewallProfile
• D. Get-NetFirewallSetting
• E. Get-NetFirewallPortFilter
• F. Get-NetFirewallAddressFilter
• G. Get-NetFirewallSecurityFilter
• H. Get-NetFirewallApplicationFilter

Answer: A

Explanation: https://technet.microsoft.com/en-us/itpro/powershell/windows/netsecurity/get-netipsecrule

NEW QUESTION 11
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1.
End of repeated scenario
You need to ensure that you can deploy a shielded virtual machine to Server4. Which server role should you deploy?

• A. Hyper-V
• B. Device Health Attestation
• C. Network Controller
• D. Host Guardian Service

Answer: D

Explanation: https://blogs.technet.microsoft.com/datacentersecurity/2021/06/06/step-by-step-creating-shieldedvms- withoutvmm/
Shielding an existing VM
Let’s start with the simpler approach. This requires you to have a running VM on a host which is not the
guarded host.
This is important to distinguish, because you are simulating the scenario where a tenant wants to take an
existing, unprotected VM and shield it before moving it to a guarded host.
For clarity, the host machine which is not the guarded host will be referred as the tenant host below. A shielded VM can only run on a trusted guarded host.
The trust is established by the adding the Host Guardian Service server role (retrieved from the HGS server) to the Key Protector which is used to shield
the VM.
That way, the shielded VM can only be started after the guarded host successfully attest against the HGS
server.
In this example, the running VM is named SVM. This VM must be generation 2 and have a supported OS
installed with remote desktop enabled.
You should verify the VM can be connected through RDP first, as it will almost certainly be the primary way to access the VM once it is shielded (unless you have installed other remoting capabilities).

NEW QUESTION 12
You have a server named Server1 that runs Windows Server 2021.
You need to install Security Compliance Manager (SCM) 4.0 on Server1. What should you install on Server1 first?

• A. the .NET Framework 3.5 Features feature
• B. the Active Directory Rights Management Services server role
• C. the Remote Server Administration Tools feature
• D. the Group Policy Management feature

Answer: A

NEW QUESTION 13
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10. Computer1 connects to a home network and a corporate network.
The corporate network uses the 172.16.0.0/24 address space internally. Computer1 runs an application named App1 that listens to port 8080.
You need to prevent connections to App1 when Computer1 is connected to the home network. Solution: From Windows Firewall with Advanced Security, you create an inbound rule. Does this meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 14
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2021. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You need to prepare the environment to support applying Update1 to the laptops only. What should you do? Choose Two.

• A. Tool to use: Active Directory Administrative Center
• B. Tool to use: Active Directory Users and Computers
• C. Tool to use: Microsoft Intune
• D. Tool to use: Update Services
• E. Type of object to create: A computer group
• F. Type of object to create: A distribution group
• G. Type of object to create: A mobile device group
• H. Type of object to create: A security group
• I. Type of object to create: An OU

Answer: DE

Explanation: https://technet.microsoft.com/en-us/library/cc708458(v=ws.10).aspx

NEW QUESTION 15
Your network contains an Active Directory domain named contoso.com. The domain contains two DNS servers that run Windows Server 2021. The servers host two zones named contoso.com and admin.contoso.com. You sign both zones.
You need to ensure that all client computers in the domain validate the zone records when they query the zone.
What should you deploy?

• A. a Microsoft Security Compliance Manager (SCM) policy
• B. a zone transfer policy
• C. a Name Resolution Policy Table (NRPT)
• D. a connection security rule

Answer: C

Explanation: You should use Group Policy NRPT to for a DNS Client to perform DNSSEC validation of DNS zone records.

NEW QUESTION 16
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021. You need to prevent NTLM authentication on Server1.
Solution: From Windows PowerShell, you run the New-ADAuthenticationPolicy cmdlet. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: ADDS Authentication Policy does not provide ability to prevent the use of NTLM authentication.

NEW QUESTION 17
Your network contains an Active Directory domain named contoso.com. The domain contains a certification authority (CA).
You need to implement code integrity policies and sign them by using certificates issued by the CA. You plan to use the same certificate to sign policies on multiple computers.
You duplicate the Code Signing certificate template and name the new template CodeIntegrity. How should you configure the CodeIntegrity template?

• A. Enable the Allow private key to be exported setting and modify the Key Usage extension.
• B. Disable the Allow private key to be exported setting and modify the Application Policies extension.
• C. Disable the Allow private key to be exported setting and disable the Basic Constraints extension.
• D. Enable the Allow private key to be exported setting and enable the Basic Constraints extension

Answer: D