Free demo questions for Microsoft 70-744 Exam Dumps Below:
NEW QUESTION 1
HOTSPOT
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2021. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker). You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You need to create an Encrypting File System (EFS) data recovery certificate and then add the certificate as an EFS data recovery agent on Server5.
What should you use on Server5? To answer, select the appropriate options in the answer area.
Answer:
Explanation: https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate
cipher /R
NEW QUESTION 2
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1.
Server1 is configured as shown in the following table.
You plan to create a pilot deployment of Microsoft Advanced Threat Analytics (ATA). You need to install the ATA Center on Server1.
What should you do first?
- A. Install Microsoft Security Compliance Manager (SCM).
- B. Obtain an SSL certificate.
- C. Assign an additional IPv4 address.
- D. Remove Server1 from the domain.
Answer: B
Explanation: https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites
The ATA Center, which is the first component to be deployed on Server1, requires the use of the SSL protocol to communicate with the ATA Gateway.
To ease the installation of ATA, you can install self-signed certificates during installation.
Post deployment, you should replace the self-signed certificate with a certificate from an internal Certification Authority to be used by the ATA Center.
Make sure the ATA Center and ATA Gateways have access to your CRL distribution point.
If they don’t have Internet access, follow the procedure to manually import a CRL, taking care to install all the CRL distribution points for the whole chain.
NEW QUESTION 3
The Job Title attribute for a domain user named User1 has a value of Sales Manager. User1 runs whoami /claims and receives the following output:
Kerberos support for Dynamic Access Control on this device has been disabled.
You need to ensure that the security token of User1 has a claim for Job Title. What should you do?
- A. From Windows PowerShell, run the New-ADClaimTransformPolicy cmdlet and specify the -Name parameter
- B. From Active Directory Users and Computers, modify the properties of the User1 account.
- C. From Active Directory Administrative Center, add a claim type.
- D. From a Group Policy object (GPO), configure KDC support for claims, compound authentication, and Kerberos armoring.
Answer: C
Explanation: From the output, obviously, a claim type is missing (or disabled), so the domain controller is not issuing tickets with the “Job Title” claim type.
NEW QUESTION 4
HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest has Microsoft Identity Manager (MIM) 2021 deployed. You implement Privileged Access Management (PAM).
You need to request privileged access from a client computer in contoso.com by using PAM.
How should you complete the Windows PowerShell script? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
$PAM = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" }
New-PAMRequest -Role $PAM
References:
https://technet.microsoft.com/en-us/library/mt604089.aspx
https://technet.microsoft.com/en-us/library/mt604084.aspx
NEW QUESTION 5
HOTSPOT
You manage a guarded fabric in TPM-trusted attestation mode.
You plan to create a virtual machine template disk for shielded virtual machines. You need to create the virtual machine disk that you will use to generate the template.
How should you configure the disk? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation: References:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-configuration-scenarios-for-shielded-vms-overview
https://docs.microsoft.com/en-us/system-center/dpm/what-s-new-in-dpm-2021?view=sc-dpm-1801
NEW QUESTION 6
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
Server1 has a volume named Volume1.
A central access policy named Policy1 is deployed to the domain. You need to apply Policy1 to Volume1.
Which tool should you use?
- A. File Explorer
- B. Shared Folders
- C. Server Manager
- D. Disk Management
- E. Storage Explorer
- F. Computer Management
- G. System Configuration
- H. File Server Resource Manager (FSRM)
Answer: A
Explanation:
“File Explorer” = “Windows Explorer”.
https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-#BKMK_1.4
NEW QUESTION 7
The New-CIPolicy cmdlet creates a Code Integrity policy as an .xml file. If you do NOT supply either driver files or rules what will happen?
- A. The cmdlet performs a system scan
- B. An exception/warning is shown because either one is required
- C. Nothing
- D. The cmdlet searches the Code Integrity Audit log for drivers
Answer: A
Explanation: If you do not supply either driver files or rules, this cmdlet performs a system scan similar to the Get-SystemDriver cmdlet.
The cmdlet generates rules based on Level. If you specify the Audit parameter, this cmdlet scans the Code Integrity Audit log instead.
NEW QUESTION 8
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Center on a server named Server1 and the ATA Gateway on a server named Server2. You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?
- A. the domain controllers to forward Event ID 4776 to Server2
- B. the domain controllers to forward Event ID 1000 to Server1
- C. Server2 to forward Event ID 1026 to Server1
- D. Server1 to forward Event ID 1000 to Server2
Answer: A
Explanation: https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture
ATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway using physical or virtual switches.
If you deploy the ATA Lightweight Gateway directly on your domain controllers, it removes the requirement for port mirroring.
In addition, ATA can leverage Windows events (forwarded directly from your domain controllers or from a SIEM server) and analyze the data for attacks and threats.
See the green line in the following figure: forward Event ID 4776, which indicates that NTLM authentication is being used, to the ATA Gateway on Server2.
NEW QUESTION 9
HOTSPOT
Your network contains several Windows container hosts. You plan to deploy three custom .NET applications.
You need to recommend a deployment solution for the applications. Each application must:
- be accessible by using a different IP address.
- have access to a unique file system.
- start as quickly as possible.
What should you recommend? To answer, select the appropriate options in the answer area.
Answer:
Explanation: References:
https://docs.microsoft.com/en-us/dotnet/standard/modernize-with-azure-and-containers/modernize-existing-apps-to-cloud-optimized/deploy-existing-net-apps-as-windows-containers
https://blogs.msdn.microsoft.com/msgulfcommunity/2015/06/20/what-is-windows-server-containers-and-hyper-v-containers/
NEW QUESTION 10
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
You have an organizational unit (OU) named Administration that contains the computer account of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU. You need to log an event each time an Active Directory cmdlet is executed successfully from Server1. What should you do?
- A. From Advanced Audit Policy in GPO1 configure auditing for directory service changes.
- B. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $false command.
- C. Run the (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $true command.
- D. From Advanced Audit Policy in GPO1 configure auditing for other privilege use events.
Answer: C
NEW QUESTION 11
Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run either Windows 8.1 or Windows 10.
You have a Windows Server Update Services (WSUS) deployment. All client computers receive updates from WSUS.
You deploy a new WSUS server named WSUS2.
You need to configure all of the client computers that run Windows 10 to send WSUS reporting data to WSUS2.
What should you configure?
- A. an approval rule
- B. a computer group
- C. a Group Policy object (GPO)
- D. a synchronization rule
Answer: C
Explanation: https://technet.microsoft.com/en-us/library/cc708574(v=ws.10).aspx
Under “Set the intranet update service for detecting updates”, type http://wsus:8530
Under “Set the intranet statistics server”, type http://wsus2:8531
NEW QUESTION 12
Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2021.
The local administrator credentials of Server1 are managed by using the Local Administrator Password Solution (LAPS).
You need to retrieve the password of the Administrator account on Server1. What should you do?
- A. From Windows PowerShell on Server1, run the Get-ADFineGrainedPasswordPolicy cmdlet and specify the -Credential parameter.
- B. From Windows PowerShell on Server1, run the Get-ADUser cmdlet and specify the -Credential parameter.
- C. From Active Directory Users and Computers, open the properties of Server1 and view the value of the ms-Mcs-AdmPwd attribute.
- D. From Active Directory Users and Computers, open the properties of Administrator and view the value of the userPassword attribute
Answer: C
Explanation: The “ms-Mcs-AdmPwd” attribute of a computer account in Active Directory Users and Computers stores the local Administrator password of a computer, which is configured by LAPS.
NEW QUESTION 13
HOTSPOT
Your network contains an Active Directory domain named contoso.com. You plan to deploy an application named App1.exe.
You need to verify whether Control Flow Guard is enabled for App1.exe.
Which command should you run? To answer, select the appropriate options in the answer area.
Answer:
Explanation: https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities.
By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows.
To verify whether Control Flow Guard is enabled for a certain application executable:
Run the dumpbin.exe tool (included in the Visual Studio 2015 installation) from the Visual Studio command prompt with the /headers and /loadconfig options: dumpbin.exe /headers /loadconfig test.exe.
The output for a binary under CFG should show that the header values include “Guard”, and that the load config values include “CF Instrumented” and “FID table present”.
NEW QUESTION 14
Your network contains an Active Directory domain named contoso.com.
The domain contains four global groups named Group1, Group2, Group3, and Group4. A user named User1 is a member of Group3.
You have an organizational unit (OU) named OU1 that contains computer accounts.
A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table:
You need to ensure that User1 can access the shares on Computer1. What should you do?
- A. Modify the membership of Group1.
- B. In GPO1, modify the Access this computer from the network user right.
- C. Modify the Deny access to this computer from the network user right.
- D. Modify the Deny log on locally user right.
Answer: B
Explanation: You need to ensure that User1 can access the shares on Computer1 from the network.
If not from the network, where would you access a shared folder from? From Mars? From space? From the toilet?
Moreover, the question explicitly states that User1 is a member of Group3, and hence it is not possible for User1 to log on to Computer1 locally to reach those shared folders on the NTFS file system.
Only these two policies need to be considered: “Access this computer from the network” and “Deny access to this computer from the network”.
There is no option to modify the group membership of “Group2”, “Administrators”, or “Backup Operators”, so we have to add a fourth entry, “User1”, to the policy setting “Access this computer from the network”.
NEW QUESTION 15
You have a virtual machine named FS1 that runs Windows Server 2021. FS1 has the shared folders shown in the following table.
You need to ensure that each user can store 10 GB of files in \\FS1\Users. What should you do?
- A. From File Explorer, open the properties of volume D, and then modify the Quota settings.
- B. Install the File Server Resource Manager role service, and then create a file screen.
- C. From File Explorer, open the properties of D:\Users, and then modify the Advanced sharing settings.
- D. Install the File Server Resource Manager role service, and then create a quota.
Answer: D
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/storage/fsrm/create-quota
NEW QUESTION 16
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2021. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
You need to ensure that you can encrypt the operating system drive of VM1 by using BitLocker. Which Group Policy should you configure?
- A. Configure use of hardware-based encryption for operating system drives
- B. Configure TPM platform validation profile for native UEFI firmware configurations
- C. Require additional authentication at startup
- D. Configure TPM platform validation profile for BIOS-based firmware configurations
Answer: C
Explanation: Because there is no choice “Enabling Virtual TPM for the virtual machine VM1”, we have to use a fall-back method for enabling BitLocker in VM1.
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
NEW QUESTION 17
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
You need to prevent NTLM authentication on Server1.
Solution: From a Group Policy, you configure the Kerberos Policy. Does this meet the goal?
- A. Yes
- B. No
Answer: B
Explanation:
References:
https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2021/