Microsoft Securing Windows Server 2016

You are creating a Nano Server image for the deployment of 10 servers. You need to configure the servers as guarded hosts that use Trusted Platform Module (TPM) attestation. Which three packages should you include in the Nano Server image? Each correct answer presents part of the solution.

Your network contains an Active Directory domain named contoso.com. The domain contains several shielded virtual machines. You deploy a new server named Server1 that runs Windows Server 2016. You install the Hyper-V server role on Server1. You need to ensure that you can host shielded virtual machines on Server1. What should you install on Server1?

Your network contains an Active Directory domain named contoso.com. You deploy a server named Server1 that runs Windows Server 2016. Server1 is in a workgroup. You need to collect the logs from Server1 by using Log Analytics in Microsoft Operations Management Suite (OMS). What should you do first?

Your network contains an Active Directory domain named contoso.com. The domain contains a certification authority (CA). You need to implement code integrity policies and sign them by using certificates issued by the CA. You plan to use the same certificate to sign policies on multiple computers. You duplicate the Code Signing certificate template and name the new template CodeIntegrity. How should you configure the CodeIntegrity template?

Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers. You deploy the Local Administrator Password Solution (LAPS) to the network. You discover that the members of a group named FinanceAdministartors can view the password of the local Administrator accounts on the servers in an organizational unit (OU) named FinanceServers. You need to prevent the FinanceAdministartors members from viewing the local administrators 'passwords on the servers in FinanceServers. Which permission should you remove from FinanceAdministartors?

Your network contains an Active Directory Domain named contoso.com. The domain contains 10 servers that run Windows Server 2016 and 800 client computers that run Windows 10. You need to configure the domain to meet the following requirements: Users must be locked out from their computer if they enter an incorrect password twice. Users must only be able to unlock a locked account by using a one-time password that is sent to their mobile phone. You deploy all the components of Microsoft Identity Manager (MIM) 2016. Which three actions should you perform before you deploy the MIM add-ins and extensions? Each correct answer presents part of the solution.

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. The domain has Dynamic Access Control enabled. Server1 contains a folder named C:\Folder1. Folder1 is shared as Share1. You need to audit all access to the contents of Folder1 from Server2. The solution must minimize the number of event log entries. Which two audit policies should you enable on Server1? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

You implement Just Enough Administration (JEA) on several file servers that run Windows Server 2016. The Role Capability file from a server named Server5 contains the following code. Which action can be performed by a user who connects to Server5?

Your network contains an Active Directory forest named corp.contoso.com. You are implementing Privileged Access Management (PAM) by using a bastion forest named priv.contoso.com. You need to create shadow groups in priv.contoso.com. Which cmdlet should you use?

Your network contains an Active Directory forest named contoso.com. The forest contains three domains. All domain controllers run Windows Server 2016. You deploy a second Active Directory forest named admin.contoso.com. The forest contains a domain member server named Server1. Server1 has Microsoft Identity Manager (MIM) 2016 deployed. You need to implement Privileged Access Management (PAM) and to use admin.contoso.com as an administrative forest. Which two actions should you perform? Each correct answer presents part of the solution.