Microsoft 70-744 Securing Windows Server 2016 Study Guide

This page is a directory that links to posts I have written that cover the official objectives in Microsoft’s 70-744 Securing Windows Server 2016 exam. If you’re after detailed information on any of the exam objectives below, simply click the link for further information. I am working on these posts while studying for my own exam.

The official objectives for the 70-744 exam can be found here.

Study Materials

Below is a list of material that I am using while studying for the 70-744 exam.



Below you will find links to posts that I have created covering different areas of the 70-744 exam which will help you study for the exam.

Implement server hardening solutions (25-30%)

  • Configure disk and file encryption
    • Determine hardware and firmware requirements for secure boot and encryption key functionality
    • Deploy BitLocker encryption
    • Deploy BitLocker without a Trusted Platform Module (TPM)
    • Deploy BitLocker with a TPM only
    • Configure the Network Unlock feature
    • Configure BitLocker Group Policy settings
    • Enable BitLocker to use secure boot for platform and BCD integrity validation
    • Configure BitLocker on Clustered Shared Volumes (CSVs) and Storage Area Networks (SANs)
    • Implement BitLocker Recovery Process using self-recovery and recovery password retrieval solutions
    • Configure BitLocker for virtual machines (VMs) in Hyper-V
    • Determine usage scenarios for Encrypting File System (EFS)
    • Configure the EFS recovery agent
    • Manage EFS and BitLocker certificates, including backup and restore
  • Implement server patching and updating solutions
  • Implement malware protection
    • Implement antimalware solution with Windows Defender
    • Integrate Windows Defender with WSUS and Windows Update
    • Configure Windows Defender using Group Policy
    • Configure Windows Defender scans using Windows PowerShell
    • Implement AppLocker rules
    • Implement AppLocker rules using Windows PowerShell
    • Implement Control Flow Guard
    • Implement Code Integrity (Device Guard) Policies
    • Create Code Integrity policy rules
    • Create Code Integrity file rules
  • Protect credentials
    • Determine requirements for implementing Credential Guard
    • Configure Credential Guard using Group Policy, WMI, Command Prompt, and Windows PowerShell
    • Implement NTLM blocking
  • Create security baselines
    • Install and configure Security Compliance Manager (SCM)
    • Create, view, and import security baselines
    • Deploy configurations to domain and non-domain joined servers

Secure a virtualization infrastructure (5-10%)

  • Implement a Guarded Fabric solution
    • Install and configure the Host Guardian Service (HGS)
    • Configure Admin-trusted attestation
    • Configure TPM-trusted attestation
    • Configure the Key Protection Service using HGS
    • Migrate Shielded VMs to other guarded hosts
    • Configure Nano Server as TPM attested guarded host
    • Troubleshoot guarded hosts
  • Implement Shielded and encryption-supported VMs
    • Determine requirements and scenarios for implementing Shielded VMs
    • Create a Shielded VM using only a Hyper-V environment
    • Enable and configure vTPM to allow an operating system and data disk encryption within a VM
    • Determine requirements and scenarios for implementing encryption-supported VMs
    • Troubleshoot Shielded and encryption-supported VMs

Secure a network infrastructure (10-15%)

  • Configure Windows Firewall
    • Configure Windows Firewall with Advanced Security
    • Configure network location profiles
    • Configure and deploy profile rules
    • Configure firewall rules for multiple profiles using Group Policy
    • Configure connection security rules using Group Policy, the GUI management console, or Windows PowerShell
    • Configure Windows Firewall to allow or deny applications, scopes, ports, and users using Group Policy, the GUI management console, or Windows PowerShell
    • Configure authenticated firewall exceptions
    • Import and export Windows Firewall settings
  • Implement a software-defined Distributed Firewall
    • Determine requirements and scenarios for Distributed Firewall implementation with software-defined networking
    • Determine usage scenarios for Distributed Firewall policies and network security groups
  • Secure network traffic
    • Configure IPsec transport and tunnel modes
    • Configure IPsec authentication options
    • Configure connection security rules
    • Implement isolation zones
    • Implement domain isolation
    • Implement server isolation zones
    • Determine SMB 3.1.1 protocol security scenarios and implementations
    • Enable SMB encryption on SMB Shares
    • Configure SMB signing via Group Policy
    • Disable SMB 1.0
    • Secure DNS traffic using DNSSEC and DNS policies
    • Install and configure Microsoft Message Analyzer (MMA) to analyze network traffic

Manage privileged identities (25-30%)

  • Implement an Enhanced Security Administrative Environment (ESAE) administrative forest design approach
    • Determine usage scenarios and requirements for implementing ESAE forest design architecture to create a dedicated administrative forest
    • Determine usage scenarios and requirements for implementing clean source principals in an Active Directory architecture
  • Implement Just-in-Time (JIT) Administration
    • Create a new administrative (bastion) forest in an existing Active Directory environment using Microsoft Identity Manager (MIM)
    • Configure trusts between production and bastion forests
    • Create shadow principals in bastion forest
    • Configure the MIM web portal
    • Request privileged access using the MIM web portal
    • Determine requirements and usage scenarios for Privileged Access Management (PAM) solutions
    • Create and implement MIM policies
    • Implement Just-in-Time administration principals using time-based policies
    • Request privileged access using Windows PowerShell
  • Implement Just-Enough-Administration (JEA)
    • Enable a JEA solution on Windows Server 2016
    • Create and configure session configuration files
    • Create and configure role capability files
    • Create a JEA endpoint
    • Connect to a JEA endpoint on a server for administration
    • View logs
    • Download WMF 5.1 to a Windows Server 2008 R2
    • Configure a JEA endpoint on a server using Desired State Configuration (DSC)
  • Implement Privileged Access Workstations (PAWs) and User Rights Assignments
    • Implement a PAWS solution
    • Configure User Rights Assignment group policies
    • Configure security options settings in Group Policy
    • Enable and configure Remote Credential Guard for remote desktop access
  • Implement Local Administrator Password Solution (LAPS)
    • Install and configure the LAPS tool
    • Secure local administrator passwords using LAPS
    • Manage password parameters and properties using LAPS

Implement threat detection solutions (15-20%)

  • Configure advanced audit policies
    • Determine the differences and usage scenarios for using local audit policies and advanced auditing policies
    • Implement auditing using Group Policy and AuditPol.exe
    • Implement auditing using Windows PowerShell
    • Create expression-based audit policies
    • Configure the Audit PNP Activity policy
    • Configure the Audit Group Membership policy
    • Enable and configure Module, Script Block, and Transcription logging in Windows PowerShell
  • Install and configure Microsoft Advanced Threat Analytics (ATA)
    • Determine usage scenarios for ATA
    • Determine deployment requirements for ATA
    • Install and configure ATA Gateway on a dedicated server
    • Install and configure ATA Lightweight Gateway directly on a domain controller
    • Configure alerts in ATA Center when suspicious activity is detected
    • Review and edit suspicious activities on the attack time line
  • Determine threat detection solutions using Operations Management Suite (OMS)
    • Determine usage and deployment scenarios for OMS
    • Determine security and auditing functions available for use
    • Determine Log Analytics usage scenarios

Implement workload-specific security (5-10%)

  • Secure application development and server workload infrastructure
    • Determine usage scenarios, supported server workloads, and requirements for Nano Server deployments
    • Install and configure Nano Server
    • Implement security policies on Nano Servers using Desired State Configuration (DSC)
    • Determine usage scenarios and requirements for Windows Server and Hyper-V containers
    • Install and configure Hyper-V containers
  • Implement a secure file services infrastructure and Dynamic Access Control (DAC)
    • Install the File Server Resource Manager (FSRM) role service
    • Configure quotas
    • Configure file screens
    • Configure storage reports
    • Configure file management tasks
    • Configure File Classification Infrastructure (FCI) using FSRM
    • Implement work folders
    • Configure file access auditing
    • Configure user and device claim types
    • Implement policy changes and staging
    • Perform access-denied remediation
    • Create and configure Central Access rules and policies
    • Create and configure resource properties and lists

Please note that Microsoft may update these at any time in the future, so if you find any differences please let me know.