[May-2018-New]70-744 PDF and 70-744 VCE Free Download in Braindump2go[111-121]
2018 May New Microsoft 70-743 Exam Dumps with PDF and VCE Just Updated Today! Following are some new 70-743 Real Exam Questions:
1.|2018 Latest 70-743 Exam Dumps (PDF & VCE) 160Q Download:
https://www.braindump2go.com/70-744.html
2.|2018 Latest 70-743 Exam Questions & Answers Download:
https://drive.google.com/drive/folders/0B75b5xYLjSSNMDN6VjRLbFVKaWM?usp=sharing
QUESTION 111
Your network contains an Active Directory domain named contoso.com.
The domain contains several shielded virtual machines.
You deploy a new server named Server1 that runs Windows Server 2016.
You install the Hyper-V server role on Server1.
You need to ensure that you can host shielded virtual machines on Server1.
What should you install on Server1?
A. Host Guardian Hyper-V Support
B. BitLocker Network Unlock
C. the Windows Biometric Framework (WBF)
D. VM Shielding Tools for Fabric Management
Answer: A
Explanation:
This questions mentions “The domain contains several shielded virtual machines.”, which indicates a workingHost Guardian Service deployment was completed.
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricguarded-host-prerequisites
For a new Hyper-V server to utilize an existing Host Guardian Service, install the “Host Guardian Hyper-VSupport”.
QUESTION 112
You network contains an Active Directory forest named contoso.com.
All domain controllers run Windows Server 2016 Member servers run either Windows Server 2012 R2 or Windows Server 2016.
Client computers run either Windows 8.1 or Windows 10.
You need to ensure that when users access files in shared folders on the network, the files are encrypted when they are transferred over the network.
Solution: You enable SMB encryption on all the computers in domain.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
SMB Encryption could be enabled on a per-computer wide basis, after you have enabled SMB encryption on aserver-level basis, you could not disable encryptionfor any specific shared folder.
To enable Global level encryption on the server:Set- SmbServerConfiguration -EncryptData 1
QUESTION 113
The network contains an Active Directory domain named contoso.com.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You enable deep script block logging for Windows PowerShell.
In which event log will PowerShell code that is generated dynamically appear?
A. Applications and Services Logs/Microsoft/Windows/PowerShell/Operational
B. Windows Logs/Security
C. Applications and Services Logs/Windows PowerShell
D. Windows Logs/Application
Answer: A
Explanation:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
While Windows PowerShell already has the LogPipelineExecutionDetails Group Policy setting to log theinvocation of cmdlets, PowerShell’s scripting language hasplenty of features that you might want to log and/or audit.The new Detailed Script Tracing feature lets you enable detailed tracking and analysis of Windows PowerShellscripting use on a system.After you enable detailed script tracing, Windows PowerShell logs all script blocks to the ETW (event tracing forwindows) event log ?Microsoft-WindowsPowerShell/Operational.If a script block creates another script block (for example, a script that calls the Invoke-Expression cmdlet on astring), that resulting script block is logged as well.Logging of these events can be enabled through the Turn on PowerShell Script Block Logging Group Policysetting (in Administrative Templates -> WindowsComponents -> Windows PowerShell).
QUESTION 114
Your network contains several Windows container hosts..
You plan to deploy three custom .NET applications.
You need to recommend a deployment solution for the applications.
Each application must:
– be accessible by using a different IP address.
– have access to a unique file system.
– start as quickly as possible.
What should you recommend? Choose Two.
A. Type of container: Hyper-V
B. Type of container: Windows
C. Number of containers: 1
D. Number of containers: 2
E. Number of containers: 3
Answer: BE
QUESTION 115
You implement Just Enough Administration (JEA) on several file servers that run Windows Server 2016.
The Role Capability file from a server named Server5 contains the following code.
Which action can be performed by a user who connects to Server5?
A. Create a new file share.
B. Modify the properties of any share.
C. Stop any process.
D. View the NTFS permissions of any folder.
Answer: B
Explanation:
https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
Focus on the 3rd Visible Cmdlets in this question `SmbShare\\Set-*’
The PowerShell “SmbShare” module has the following “Set-*” cmdlets, as reported by “Get-Command -ModuleSmbShare” command:-
The “Set-SmbShare” cmdlet is then visible on Server5’s JEA endpoint, and allows JEA users to modify theproperties of any file share.
https://technet.microsoft.com/en- us/itpro/powershell/windows/smbshare/set-smbshare
QUESTION 116
Your network contains an Active Directory domain named contoso.com.
The domain contains a computer named Computer1 that runs Windows 10.
The network uses the 172.16.0.0/16 address space.
Computer1 has an application named App1.exe that is located in D:\\Apps\\.
App1.exe is configured to accept connections on TCP port 8080.
You need to ensure that App1.exe can accept connections only when Computer1 is connected to the corporate network.
Solution: You run the New-NetFirewallRule DisplayName “Rule1” Direction Inbound LocalPort 8080 Protocol TCP Action allow Profile Domain Command.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 117
Your network contains several secured subnets that are disconnected from the Internet.
One of the secured subnets contains a server named Server1 that runs Windows Server 2016.
You implement Log Analytics in Microsoft Operations Management Suite (OMS) for the servers that connect to the Internet.
You need to ensure that Log Analytics can collect logs from Server1.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Install the OMS Log Analytics Forwarder on a server that has Internet connectivity.
B. Create an event subscription on a server that has Internet connectivity.
C. Create a scheduled task on Server1.
D. Install the OMS Log Analytics Forwarder on Server1.
E. Install Microsoft Monitoring Agent on Server1.
Answer: AE
Explanation:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway
OMS Log Analytics Forwarder = OMS GatewayIf your IT security policies do not allow computers on your network to connect to the Internet, such as point ofsale (POS) devices, or servers supporting IT services,but you need to connect them to OMS to manage and monitor them, they can be configured to communicatedirectly with the OMS Gateway (previous called “OMSLog Analytics Fowarder”) to receive configuration and forward data on their behalf.
You have to also install Microsoft Monitoring Agent on Server1 to generate and send events to the OMSGateway,since Server1 does not have direct Internet connectivity.
QUESTION 118
Your network contains an Active Directory domain.
The domain contains two organizational units (OUs) named ProdOU and TestOU.
All production servers are in ProdOU. All test servers are in TestOU. A server named Server1 is in TestOU.
You have a Windows Server Update Services (WSUS) server named WSUS1 that runs Windows Server 2016.
All servers receive updates from WSUS1.
WSUS is configured to approve updates for computers in the Test computer group automatically.
Manual approval is required for updates to the computers in the Production computer group.
You move Server1 to ProdOU, and you discover that updates continue to be approved and installed automatically on Server1.
You need to ensure that all the servers in ProdOU only receive updates that are approved manually.
What should you do?
A. Turn off auto-restart for updates during active hours by using Group Policy objects (GPOs).
B. Configure client-side targeting by using Group Policy objects (GPOs).
C. Create computer groups by using the Update Services console.
D. Run wuauclt.exe /detectnow on each server after the server is moved to a different OU.
Answer: B
Explanation:
Updates in WSUS are approved against “Computer Group” , not AD OUs.
For this example, to prevent Server1 to install automatically approved updates,you have to remove Server1 from “Test” computer group and add Server1 into “Production” computer group inWSUS console, manually or use the WSUS GPOClient-Side Targeting feature.
https://technet.microsoft.com/en-
us/library/cc720450%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
With client- side targeting, you enable client-computers to add themselves to the computer groups you create inthe WSUS console. You can enable client-side targeting through Group Policy (in an Active Directory network environment) or byediting registry entries (in a non-Active Directorynetwork environment) for the client computers. When the WSUS client computers connect to the WSUS server, they will add themselves into thecorrect computer group. Client-side targeting is an excellent option if you have many client computers and want to automate the processof assigning them to computer groups.
First, configure WSUS to allow Client Site Targeting.
Secondly, configure GPO to affect “ProdOU” , so that Server1 add itself to “Production” computer group.
https://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus
QUESTION 119
Your network contains an Active Directory domain named contoso.com.
The domain contains multiple servers that run multiple applications.
Domain user accounts are used to authenticate access requests to the servers.
You plan to prevent NTLM from being used to authenticate to the servers.
You start to audit NTLM authentication events for the domain.
You need to view all of the NTLM authentication events and to identify which applications authenticate by using NTLM.
On which computers should you review the event logs and which logs should you review?
A. Computers on which to review the event logs: Only client computers
B. Computers on which to review the event logs: Only domain controllers
C. Computers on which to review the event logs: Only member servers
D. Event logs to review: Applications and Services Logs\\Microsoft\\Windows\\Diagnostics- Networking\\Operational
E. Event logs to review: Applications and Services Logs\\Microsoft\\Windows\\NTLM\\Operational
F. Event logs to review: Applications and Services Logs\\Microsoft\\Windows\\SMBClient\\Security
G. Event logs to review: Windows Logs\\Security
H. Event logs to review: Windows Logs\\System
Answer: AE
Explanation:
Do not confuse this with event ID 4776 recorded on domain controller’s security event log!!!
This question asks for implementing NTLM auditing when domain clients is connecting to memberservers! See below for further information.
https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network-security-restrict-ntlmaudit-ntlm-authentication-in-this-domain
Via lab testing, most of the NTLM audit logs are created on Windows 10 clients, except that you use WindowsServer 2016 OS as clients (but this is unusual)
QUESTION 120
Your company has an accounting department.
The network contains an Active Directory domain named contoso.com. The domain contains 10 servers.
You deploy a new server named Server11 that runs Windows Server 2016.
Server11 will host several network applications and network shares used by the accounting department.
You need to recommend a solution for Server11 that meets the following requirements:
– Protects Server11 from address spoofing and session hijacking
– Allows only the computers in We accounting department to connect to Server11
What should you recommend implementing?
A. AppLocker rules
B. Just Enough Administration (JEA)
C. connection security rules
D. Privileged Access Management (PAM)
Answer: C
Explanation:
In IPsec connection security rule, the IPsec protocol verifies the sending host IP address by utilize integrityfunctions like Digitally signing all packets.If unsigned packets arrives Server11, those are possible source address spoofed packets, when usingconnection security rule in-conjunction with inbound firewallrules, you can kill those un-signed packets with the action “Allow connection if it is secure” to prevent spoofingand session hijacking attacks.
QUESTION 121
You have a Hyper-V host named Server1 that runs Windows Server 2016.
Server1 has a generation 2 virtual machine named VM1 that runs Windows 10.
You need to ensure that you can turn on BitLocker Drive Encryption (BitLocker) for drive C:
on VM1. What should you do?
A. From Server1, install the BitLocker feature.
B. From Server1, enable nested virtualization for VM1.
C. From VM1, configure the Require additional authentication at startup Group Policy setting.
D. From VM1, configure the Enforce drive encryption type on fixed data drives Group Policy setting.
Answer: C
Explanation:
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
If you don’t use TPM for protecting a drive, there is no such Virtual TPM or VM Generation, or VM Configurationversion requirement, you can even use Bitlockerwithout TPM Protector with earlier versions of Windows.How to Use BitLocker Without a TPMYou can bypass this limitation through a Group Policy change. If your PC is joined to a business or schooldomain, you can’t change the Group Policy settingyourself. Group policy is configured centrally by your network administrator.To open the Local Group Policy Editor, press Windows+R on your keyboard, type “gpedit.msc” into the Rundialog box, and press Enter.Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > WindowsComponents > BitLocker Drive Encryption > OperatingSystem Drives in the left pane.
Double-click the “Require additional authentication at startup” option in the right pane.
Select “Enabled” at the top of the window, and ensure the “Allow BitLocker without a compatible TPM(requires a password or a startup key on a USBflash drive)” checkbox is enabled here.Click “OK” to save your changes. You can now close the Group Policy Editor window. Your change takes effectimmediately–you don’t even need to reboot.
!!!RECOMMEND!!!
1.|2018 Latest 70-743 Exam Dumps (PDF & VCE) 160Q Download:
https://www.braindump2go.com/70-744.html
2.|2018 Latest 70-743 Study Guide Video: