You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant by using password hash synchronization.
You have a Microsoft 365 subscription.
All devices are hybrid Azure AD-joined.
Users report that they must enter their password manually when accessing Microsoft 365 applications.
You need to reduce the number of times the users are prompted for their password when they access Microsoft 365 and Azure services.
What should you do?
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have 50 Azure virtual machines that run Windows Server.
You need to ensure that any security exploits detected on the virtual machines are forwarded to Defender for Cloud.
Which extension should you enable on the virtual machines?
HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains the domains shown in the following table.
You have 10 servers that run Windows Server in a workgroup.
You need to configure the servers to encrypt all the network traffic between the servers. The solution must be as secure as possible.
Which authentication method should you configure in a connection security rule?
You have an Azure virtual machine named VM1 that runs Windows Server.
You need to encrypt the contents of the disks on VM1 by using Azure Disk Encryption.
What is a prerequisite for implementing Azure Disk Encryption?
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains two servers named Server1 and Server2 that run Windows Server.
You need to ensure that you can use the Computer Management console to manage Server2. The solution must use the principle of least privilege.
Which two Windows Defender Firewall with Advanced Security rules should you enable on Server2? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
You have a server that runs Windows Server. The server is configured to encrypt all incoming traffic by using a connection security rule.
You need to ensure that Server1 can respond to the unencrypted tracert commands initiated from computers on the same network.
What should you do from Windows Defender Firewall with Advanced Security?
You have an Azure virtual machine named VM1.
You enable Microsoft Defender SmartScreen on VM1.
You need to ensure that the SmartScreen messages displayed to users are logged.
What should you do?
HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that runs Windows Server.
You run Get-BitLockerVolume -MountPoint C,D | fl *, which generates the following output.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Tamper Protection.
Does this meet the goal?
HOTSPOT -
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the accounts shown in the following table.
HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains servers that run Windows Server as shown in the following table.
You have an Azure subscription that contains a user named User1 and the resources shown in the following table.
You have a generation 1 Azure virtual machine named VM1 that runs Windows Server and is joined to an Active Directory domain.
You plan to enable BitLocker Drive Encryption (BitLocker) on volume C of VM1.
You need to ensure that the BitLocker recovery key for VM1 is stored in Active Directory.
Which two Group Policy settings should you configure first? To answer, select the settings in the answer area.
NOTE: Each correct selection is worth one point.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From App & browser control, you configure Reputation-based protection.
Does this meet the goal?
You have an Azure subscription that contains an Azure key vault named Vault1.
You plan to deploy a virtual machine named VM1 that will run Windows Server.
You need to enable encryption at host for VM1. The solution must use customer-managed keys.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server. All the servers are on the same network and have network connectivity.
On Server1, Windows Defender Firewall has a connection security rule that has the following settings:
• Rule Type: Server-to-server
• Endpoint 1: Any IP address
• Endpoint 2: Any IP address
• Requirements: Require authentication for inbound connections and request authentication for outbound connections
• Authentication Method: Computer (Kerberos V5)
• Profile: Domain, Private, Public
• Name: Rule1
Server2 has no connection security rules.
On Server3, Windows Defender Firewall has a connection security rule that has the following settings:
• Rule Type: Server-to-server
• Endpoint 1: Any IP address
• Endpoint 2: Any IP address
• Requirements: Request authentication for inbound and outbound connections
• Authentication Method: Computer (Kerberos V5)
• Profile: Domain, Private, Public
• Name: Rule1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Your network contains an Active Directory Domain Services (AD DS) forest. The forest functional level is Windows Server 2012 R2. The forest contains the domains shown in the following table.
You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains the resources shown in the following table.
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains an organizational unit (OU) named OU1. OU1 contains servers that run sensitive workloads.
You plan to add connection security rules that meet the following requirements:
• The servers in OU1 must only accept connections from domain-joined
• The servers in OU1 must only be able to communicate with domain-joined
You create a Group Policy Object (GPO) named GPO1 and link GPO1 to contoso.com.
You need to configure a connection security rule in GPO1 by using Windows Defender Firewall with Advanced Security.
How should you configure the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From App & browser control, you configure the Exploit protection settings.
Does this meet the goal?
You have a Windows Server 2022 failover cluster named Cluster1 that contains the Cluster Shared Volumes (CSV) shown in the following table.
All the nodes in Cluster1 have BitLocker Drive Encryption (BitLocker) installed.
You need to use PowerShell to enable BitLocker on Volume1.
In which order should you run the commands? To answer, drag the appropriate commands to the correct order. You may need to drag the split bar between panes or scroll to view content.
You have an on-premises server named Server1 that runs Windows Server 2022 Standard.
You have an Azure subscription that contains the virtual machines shown in the following table.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Controlled folder access.
Does this meet the goal?
You have a Microsoft Sentinel deployment and 100 Azure Arc-enabled on-premises servers. All the Azure Arc-enabled resources are in the same resource group.
You need to onboard the servers to Microsoft Sentinel. The solution must minimize administrative effort.
What should you use to onboard the servers to Microsoft Sentinel?
You are implementing Microsoft Defender for Identity sensors.
You need to install the sensors on the minimum number of domain controllers. The solution must ensure that Defender for Identity will detect all the security risks in both the domains.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You need to ensure that volume D will be unlocked automatically when Server1 restarts.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
The domain is configured to store BitLocker recovery keys in Active Directory.
Admin1 and Admin2 perform the following configurations:
Server1 has the connection security rules shown in the following table.
Server2 has the connection security rules shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
User1 has a computer named Computer1 that runs Windows 11. User1 works from home and establishes a Point-to-Site (P2S) connection to GW1 to access AppSvr1.
You deploy the resources shown in the following table.
User1 cannot access AppSvr2.
You need to ensure that User1 can access AppSvr2.
What should you do?
You create a user named Admin1.
You need to ensure that Admin1 can add a new domain controller that runs Windows Server 2022 to the east.contoso.com domain. The solution must follow the principle of least privilege.
To which groups should you add Admin1?
Sub1 has Microsoft Defender for Servers enabled. You are assigned the Contributor role for Sub1.
You need to implement just-in-time (JIT) VM access for VM1.
What should you do first?
NOTE: Each correct selection is worth one point.
The subscription contains a Microsoft Sentinel instance named Sentinel1 in the Central US Azure region.
You need to implement the Windows Firewall connector.
Which servers can send Windows Firewall logs to Sentinel1?