Lesson 2
1. Correct Answer: D
A. Incorrect: PPTP VPNs do not support the VPN Reconnect feature in Windows 7.
B. Incorrect: L2TP/IPsec VPNs do not support the VPN Reconnect feature in Windows 7.
C. Incorrect: SSTP VPNs do not support the VPN Reconnect feature in Windows 7.
D. Correct: The IKEv2 VPN type is the only VPN type that supports the VPN Reconnect feature in Windows 7.
2. Correct Answer: A
A. Correct: SSTP VPN connections work using the same ports as secure Web browsing connections. This allows users who can browse the Web using a motel Internet connection to connect through VPN.
B. Incorrect: IKEv2 uses UDP port 500, which is likely to be blocked by firewalls that block other forms of traffic except common protocols used by Web browsers.
C. Incorrect: PPTP uses port 1723, which is likely to be blocked by firewalls that block other forms of traffic except common protocols used by Web browsers.
D. Incorrect: L2TP/IPsec uses UDP port 1701, which is likely to be blocked by firewalls that block other forms of traffic except common protocols used by Web browsers.
3. Correct Answers: C and D
A. Incorrect: SSTP is supported only on Routing and Remote Access servers running Windows Server 2008 and Windows Server 2008 R2.
B. Incorrect: IKEv2 is supported only on Routing and Remote Access servers running Windows Server 2008 R2.
C. Correct: PPTP is supported by Routing and Remote Access servers running Windows Server 2003 R2.
D. Correct: L2TP/IPsec is supported by Routing and Remote Access servers running Windows Server 2003 R2.
4. Correct Answers: A, B, and C
A. Correct: You can use the PEAP authentication protocol with an IKEv2 VPN.
B. Correct: You can use the EAP-MSCHAP v2 authentication protocol with an IKEv2 VPN.
C. Correct: You can use Microsoft Smart Card or Other Certificate to authenticate an IKEv2 VPN.
D. Incorrect: You cannot use the CHAP protocol with an IKEv2 VPN. IKEv2 VPNs can be authenticated only using EAP or computer certificates.
5. Correct Answer: C
A. Incorrect: DirectAccess is not available on computers running Windows 7 Professional. If DirectAccess were available, this solution would work.
B. Incorrect: You should not configure Remote Desktop Connection to use the Remote Desktop Gateway at remote-desktop.contoso.internal and then connect to rdgateway.contoso.com, because the Remote Desktop Gateway is located at rdgateway.contoso.com. In this answer, the positions of the RD Gateway server and the Remote Desktop Services server are switched.
C. Correct: You should configure Remote Desktop Connection to use the Remote Desktop Gateway at rdgateway.contoso.com and then connect to remote-desktop.contoso.internal.
D. Incorrect: DirectAccess is not available on computers running Windows 7 Professional. If it were, you would want to connect to remote-desktop.contoso.internal rather than to the Remote Desktop Gateway server.
Chapter 10: Case Scenario answers
Case Scenario 1: Wingtip Toys DirectAccess
1. Upgrade the server to Windows Server 2008 R2. The rest of the server's configuration supports DirectAccess because it is a member of the domain, has two consecutive public IP addresses assigned to its Internet interface, and has the appropriate computer certificates installed. You can install the DirectAccess feature on this server once it has been upgraded to the newer operating system.
2. You should create a global security group in the Wingtip Toys domain.
3. Upgrade the client computers to Windows 7 Enterprise or Ultimate edition. Add them to the security group that you have configured to support DirectAccess. Install computer certificates.
Case Scenario 2: Remote Access at Tailspin Toys
1. Windows 7 Enterprise supports IKEv2 VPNs, though Windows Server 2003 R2 x64 Routing and Remote Access servers do not. It is necessary to upgrade the Routing and Remote Access server to Windows Server 2008 R2 to support IKEv2 VPNs.
2. Install an antivirus update server and a WSUS server on the quarantine network so that clients can update themselves to become compliant.
3. You should use the EAP-MS-CHAPv2 authentication protocol because this allows password authentication.
Chapter 11: Lesson review answers
Lesson 1
1. Correct Answers: A, D, and E
A. Correct: A BitLocker-encrypted volume must be configured with a unique identifier to be used with a DRA. You must configure the Provide The Unique Identifiers For Your Organization policy to assign this identifier.
B. Incorrect: The Choose Default Folder For Recovery Password policy allows the recovery password to be saved in a particular location. A recovery password is different from a DRA, which involves a special certificate that can be used to recover all BitLocker-encrypted volumes in an organization.
C. Incorrect: The Choose How Users Can Recover BitLocker-Protected Drives policy specifies whether recovery occurs via a password or a USB flash drive and key. This is separate from a DRA, which involves a special certificate that can be used to recover all BitLocker-encrypted volumes in an organization.
D. Correct: You need to specify the DRA to be used in the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption policy to configure BitLocker to support DRAs.
E. Correct: You need to configure the Choose How BitLocker-Protected Operating System Drives Can Be Recovered policy and specify that a DRA can be used to recover protected operating system drives.
2. Correct Answers: C and D
A. Incorrect: The Control Use Of BitLocker On Removable Drives policy allows BitLocker to be used on removable drives. You cannot use this policy to restrict usage of removable drives only to those configured with BitLocker.
B. Incorrect: The Store BitLocker Recovery Information In Active Directory Domain Services policy, which applies to clients running Windows Vista rather than Windows 7, allows BitLocker recovery keys to be stored within AD DS. You cannot use this policy to restrict usage of removable drives only to those configured with BitLocker.
C. Correct: You need to configure the Deny Write Access To Removable Drives Not Protected By BitLocker policy. This policy allows you to deny write access to drives not protected by BitLocker and to specify which BitLocker identifiers are associated with your organization.
D. Correct: The Provide The Unique Identifiers For Your Organization policy allows you to specify which BitLocker identifiers are associated with your organization. If the BitLocker identifier that is used with a removable device does not match one of the identifiers configured in this policy and the Deny Write Access To Removable Drives Not Protected By BitLocker policy is configured appropriately, users are unable to write data to these removable devices.
3. Correct Answer: A
A. Correct: By configuring the Require Additional Authentication At Startup policy, it is possible to disable the BitLocker requirement that a computer have a compatible TPM chip.
B. Incorrect: The Allow Enhanced PINs For Startup policy allows you to use an enhanced PIN at startup. Configuring this policy does not allow you to bypass the BitLocker requirement for a TPM chip.
C. Incorrect: The Configure TPM Platform Validation Profile policy configures how the TPM chip secures the BitLocker encryption key. Configuring this policy does not allow you to bypass the BitLocker requirement for a TPM chip.
D. Incorrect: The Configure Minimum PIN Length For Startup policy allows you to configure a minimum PIN length for the startup PIN. Configuring this policy does not allow you to bypass the BitLocker requirement for a TPM chip.
4. Correct Answer: B
A. Incorrect: The Configure Use Of Passwords For Removable Data Drives policy allows you to configure password policies for removable data drives. You cannot use this policy to ensure that BitLocker To Go Reader is available on all FAT-formatted removable devices protected with BitLocker.
B. Correct: The Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows policy allows you to ensure that BitLocker To Go Reader is available on all FAT-formatted removable devices protected with BitLocker.
C. Incorrect: The Choose How BitLocker-Protected Removable Drives Can Be Recovered policy allows you to configure removable device recovery options. You cannot use this policy to ensure that BitLocker To Go Reader is available on all FAT-formatted removable devices protected with BitLocker.
D. Incorrect: The Control Use Of BitLocker On Removable Drives policy determines whether you can use BitLocker with removable devices on the computer to which the policy applies. You cannot use this policy to ensure that BitLocker To Go Reader is available on all FAT-formatted removable devices protected with BitLocker.
5. Correct Answer: A
A. Correct: You can use the Manage-bde.exe command-line utility to determine the identification string assigned to a BitLocker-protected volume.
B. Incorrect: The Cipher.exe utility allows you to manage EFS rather than BitLocker encryption. You cannot use Cipher.exe to determine the identification string associated with a BitLocker-protected volume.
C. Incorrect: The Bcdedit.exe utility allows you to manage boot configuration. You cannot use Bcdedit.exe to determine the identification string associated with a BitLocker-protected volume.
D. Incorrect: The Sigverif.exe utility allows you to verify the digital signatures of files. You cannot use Sigverif.exe to determine the identification string associated with a BitLocker-protected volume.
Lesson 2
1. Correct Answer: C
A. Incorrect: The command powercfg.exe -devicequery all_devices lists all devices. It does not provide information about which devices are configured to wake the computer from any sleep state.
B. Incorrect: The command powercfg.exe -hibernate enables the hibernate option. You cannot use this command to provide a list of devices that are configured to wake the computer from any sleep state.
C. Correct: The command powercfg.exe -devicequery wake_armed displays a list of devices on a computer running Windows 7 that are configured to wake the computer from any sleep state.
D. Incorrect: The command powercfg.exe -list displays a list of all power schemes in the current user's environment. It does not display a list of devices that are configured to wake the computer from a sleep state.
2. Correct Answers: A, B, and C
A. Correct: A user account that is not a member of the local Administrators group can be used to select a different power plan.
B. Correct: A user account that is not a member of the local Administrators group can be used to create a new power plan.
C. Correct: A user account that is not a member of the local Administrators group can be used to change what the power buttons do.
D. Incorrect: A user account that is not a member of the local Administrators group cannot be used to change the Require A Password On Wakeup setting.
3. Correct Answer: C
A. Incorrect: You cannot use the Power Options control panel to migrate a custom power plan from one computer running Windows 7 to another.
B. Incorrect: Although you can use the Local Group Policy Editor (Gpedit.msc) to edit power plan settings, you cannot use the Local Group Policy Editor to migrate power plan settings. Only security-related settings can be migrated using the Local Group Policy Editor.
C. Correct: You can use Powercfg.exe to migrate a power plan from one computer running Windows 7 to another.
D. Incorrect: Bcdedit.exe is used to modify a computer's boot configuration; it cannot be used to modify a power plan.
4. Correct Answer: B
A. Incorrect: Credential Manager is used to manage stored authentication credentials. You cannot use Credential Manager to resolve offline file sync conflicts.
B. Correct: The Sync Center control panel can be used to resolve offline file sync conflicts.
C. Incorrect: HomeGroup is used to manage HomeGroup settings. HomeGroup cannot be used to resolve offline file sync conflicts.
D. Incorrect: Network And Sharing Center cannot be used to resolve offline file sync conflicts. Network And Sharing Center is used to manage network configuration.
5. Correct Answer: D
A. Incorrect: The Configure Slow Link Speed policy allows you to configure a threshold value for transitioning to Slow Link mode. Slow Link mode works with files configured to be available offline. The question states that it is not necessary to specify that a file is available offline.
B. Incorrect: The Configure Slow Link Mode policy allows you to configure the computer to be able to use Slow Link mode, which is the default setting for clients running Windows 7. Slow Link mode works with files configured to be available offline. The question states that it is not necessary to specify that a file is available offline.
C. Incorrect: The Exclude Files From Being Cached policy is used to block certain file types from being available offline. This policy cannot be used to configure a client running Windows 7 to cache files.
D. Correct: Transparent caching allows Windows 7 to cache files locally when the round-trip latency to the remote file server exceeds a specific value in milliseconds.
Chapter 11: Case Scenario answers
Case Scenario 1: Accessing Offline Files at Contoso
1. You need to use Powercfg.exe to export the custom power plan from the reference computer and import the custom power plan on each of the other branch office computers. Group Policy cannot be used with computers that are not members of an AD DS domain.
2. Enable transparent caching. You cannot enable BranchCache because none of the file servers at Contoso have the Windows Server 2008 R2 operating system installed.
3. Sync Center is the tool used to resolve offline file synchronization conflicts.
Case Scenario 2: Using BitLocker at Tailspin Toys
1. You can allow users to use BitLocker To Go-encrypted USB storage devices on computers that are running Windows XP or Windows Vista by configuring the Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows policy.
2. You can restrict removable device usage through Group Policy so that only devices that are protected by BitLocker To Go and which have a specific organizational string configured within BitLocker can be used on clients running Windows 7. You can do this through the Deny Write Access To Removable Drives Not Protected By BitLocker policy and through the Provide The Unique Identifiers For Your Organization policy.
3. You can configure a DRA to be used with removable volumes and configure policies to back up keys and passwords to AD DS.
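The export-and-import procedure from answer 1 of this case scenario, written out as an added PowerShell example that is not part of the book's answer key. The computer names and file paths are constructed placeholders, and it assumes you hold local administrator rights on every branch office computer and that PowerShell remoting is enabled on them (in a workgroup without AD DS this also means configuring TrustedHosts).

```powershell
# Added example (not from the book): migrate the reference computer's active
# power plan to the other branch office computers with Powercfg.exe, because
# Group Policy is unavailable for computers outside an AD DS domain.
# Constructed placeholders: branch computer names and the temporary file paths.
$branchComputers = @('BRANCH-PC01', 'BRANCH-PC02')
$localPlanFile   = Join-Path $env:TEMP 'branch-plan.pow'
$remotePlanFile  = 'C:\Windows\Temp\branch-plan.pow'   # Windows\Temp exists on every target

# 1. Read the GUID of the active (custom) plan on the reference computer.
#    powercfg -getactivescheme prints: "Power Scheme GUID: <guid>  (<plan name>)"
$activeLine = (powercfg -getactivescheme | Out-String)
$guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
$planGuid = ([regex]$guidPattern).Match($activeLine).Value
if (-not $planGuid) { throw 'Could not determine the active power plan GUID.' }

# 2. Export that plan to a .pow file.
powercfg -export $localPlanFile $planGuid

# 3. Copy the file to each branch computer, import it under the same GUID
#    (so every computer ends up with an identical plan ID) and make it active.
foreach ($pc in $branchComputers) {
    Copy-Item -Path $localPlanFile -Destination "\\$pc\C$\Windows\Temp\branch-plan.pow"
    Invoke-Command -ComputerName $pc -ScriptBlock {
        param($file, $id)
        powercfg -import $file $id
        powercfg -setactive $id
        # Show the result so the operator can confirm the plan took effect.
        powercfg -getactivescheme
    } -ArgumentList $remotePlanFile, $planGuid
}
```

Run the script on the reference computer as a local administrator; the final powercfg -getactivescheme output from each target should name the custom plan.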
Chapter 12: Lesson review answers
Lesson 1
1. Correct Answer: B
A. Incorrect: Uninstalling installed updates requires elevated privileges and cannot be performed with a standard user account.
B. Correct: The default Windows 7 Windows Update settings allow standard users to install updates.
C. Incorrect: The default Windows 7 Windows Update settings do not allow standard users to change when updates are installed. It is necessary to use elevated privileges to perform these tasks.
D. Incorrect: The default Windows 7 Windows Update settings do not allow standard users to change update download and installation behavior. It is necessary to use elevated privileges to perform these tasks.
E. Incorrect: The default Windows 7 Windows Update settings do not allow standard users to hide updates. It is necessary to use elevated privileges to perform this task.
2. Correct Answers: B and C
A. Incorrect: You should not change the update settings. Changing the update settings to stop updates being installed does not ensure that other important updates published through Windows Update are deployed to clients running Windows 7.
B. Correct: You should uninstall the update. This allows the custom software package to run.
C. Correct: You should hide the update after uninstalling it. If you do not hide the update, it becomes available for installation again. Because standard users are able to install updates by default, this could lead to the problematic update being reinstalled. Once the fix for the custom software application becomes available, you can unhide the update and then reinstall it.
D. Incorrect: You should not install the update. This causes problems with the custom software application.
3. Correct Answer: C
A. Incorrect: You should not configure the Re-Prompt For Restart With Scheduled Installations policy because it sets the amount of time that a user can postpone a scheduled restart. It does not ensure that updates scheduled for installation when the computer was switched off are installed the next time the computer is switched on.
B. Incorrect: You should not configure the Delay Restart For Scheduled Installations policy because it determines how long Windows waits before automatically restarting after a scheduled installation. It does not ensure that updates scheduled for installation when the computer was switched off are installed the next time the computer is switched on.
C. Correct: You should configure the Reschedule Automatic Updates Scheduled Installations policy because it allows you to configure a computer that is switched off during the scheduled update period to install updates after it is turned on.
D. Incorrect: You should not configure the No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installation policy because it allows a user to remain logged on when installed updates require a restart. It does not ensure that updates scheduled for installation when the computer was switched off are installed the next time the computer is switched on.
4. Correct Answer: D
A. Incorrect: You should not configure the Turn Off Software Notification policy. This policy relates to user notification about available updates. You cannot use it to configure Windows Update to use a WSUS server rather than the Microsoft Update servers.
B. Incorrect: You should not configure the Automatic Updates Detection Frequency policy. This policy determines how often Windows Update checks for updates. You cannot use it to configure Windows Update to use a WSUS server rather than the Microsoft Update servers.
C. Incorrect: You should not configure the Configure Automatic Updates policy. This policy configures which updates should be installed and whether they should be downloaded or installed, or whether the logged-on user should be notified. You cannot use it to configure Windows Update to use a WSUS server rather than the Microsoft Update servers.
D. Correct: You should configure the Specify Intranet Microsoft Update Service Location policy because it allows you to specify a local WSUS server for updates.
5. Correct Answer: D
A. Incorrect: Microsoft Update does not provide centralized reports for organizations telling them which clients in the organization are missing specific updates. Microsoft Update serves as the source for updates in organizations that do not use solutions like WSUS, System Center Essentials 2007, and SCCM 2007.
B. Incorrect: Because a WSUS server is not deployed in the organization, you cannot use a WSUS server to determine if updates are missing.
C. Incorrect: You cannot use the Group Policy Management Console to determine whether updates are missing. The Group Policy Management Console is used to manage Group Policy in a domain environment.
D. Correct: You can use the MBSA to scan computers on which you have administrative privileges as a way of determining if they are missing software updates.
Lesson 2
1. Correct Answer: D
A. Incorrect: You should not configure the security level of the Intranet Zone. The security level manages how Internet Explorer deals with downloads and cookies. Configuring this setting does not enable Internet Explorer to trust the CA that issued the certificate to timesheet.contoso.internal.
B. Incorrect: Turning off the Pop-Up Blocker allows pop-ups, but does not allow Internet Explorer to trust this Web site certificate.
C. Incorrect: Browsing to the Web site using InPrivate Mode does not allow Internet Explorer to trust the certificate issued to the Web site. Using InPrivate Mode stops Internet Explorer from recording browser navigation information.
D. Correct: Because the Web site's certificate has been issued by an internal CA and you do not work for the organization directly, Internet Explorer has not been configured to trust the internal CA. To trust the internal CA, navigate to its Web site and download and install the CA's certificate.
2. Correct Answers: A and B
A. Correct: To ensure that users do not accidentally blog using the default Blog With Windows Live accelerator, you should disable it.
B. Correct: To ensure that users are able to use the custom blog accelerator, it is necessary to install the accelerator.
C. Incorrect: You should not set the Blog With Windows Live accelerator as the default Blog accelerator for Internet Explorer. Because you do not want users to use this accelerator accidentally, you should disable it.
D. Incorrect: You should not disable the custom blog accelerator because you want users to use this accelerator to blog to the intranet site.
3. Correct Answers: A and C
A. Correct: You should configure the www.wingtiptoys.com site as an exception so that pop-up windows on this site are displayed by Internet Explorer.
B. Incorrect: You should not set the blocking level to Medium because this lets pop-ups through from sites other than those that are on the exception list.
C. Correct: You should configure the blocking level to High because this blocks all pop-up windows except those from sites on the exceptions list.
D. Incorrect: You should not set the blocking level to Low because this lets pop-ups through from sites other than those that are on the exception list.
4. Correct Answer: D
A. Incorrect: The problem is not related to InPrivate Browsing; the problem is related to Compatibility View, as indicated by the statement in the question that the Web sites display without problems on Windows XP and Vista clients running Internet Explorer. Although Windows XP and Vista clients can run Internet Explorer 8, this hint suggests that compatibility is the issue.
B. Incorrect: The problem is not related to InPrivate Filtering; the problem is related to Compatibility View, as indicated by the statement in the question that the Web sites display without problems on Windows XP and Vista clients running Internet Explorer. Although Windows XP and Vista clients can run Internet Explorer 8, this hint suggests that compatibility is the issue.
C. Incorrect: The question states that the Web sites display without problems on Windows XP and Vista clients running Internet Explorer. Although Windows XP and Vista clients can run Internet Explorer 8, this hint suggests that compatibility is the issue. Disabling Compatibility View does not resolve the problem.
D. Correct: You should configure the list of intranet sites that do not display properly through the Use Policy List Of Internet Explorer 7 Sites policy. Internet Explorer displays these sites using Compatibility View.
5. Correct Answer: B
A. Incorrect: Starting an InPrivate Browsing session does not stop third-party Web sites from tracking you if they provide content to multiple sites that you visit. InPrivate Browsing sessions still accept cookies and transmit data.
B. Correct: Enabling InPrivate Filtering allows Internet Explorer to locate and block content from third-party Web sites that appears across multiple separate sites during a browsing session.
C. Incorrect: Disabling the Pop-Up Blocker does not stop third-party Web sites that provide content to a number of sites that you visit from tracking your browsing session across those sites. Disabling the Pop-Up Blocker means that you are presented with pop-up Web pages that normally would be blocked.
D. Incorrect: You should not disable SmartScreen Filter. SmartScreen Filter protects you from phishing attacks. If you disable SmartScreen Filter, Internet Explorer does not warn you when you visit a Web site that contains malicious software or is suspected of being involved in phishing.
Chapter 12: Case Scenario answers
Case Scenario 1: Windows Update at Contoso
1. You should configure the Specify Intranet Microsoft Update Service Location policy for the computers in the Canberra office. This policy allows you to specify the local WSUS server address.
2. You should configure the Enabling Windows Update Power Management To Automatically Wake Up The System To Install Scheduled Updates policy. When this policy is configured on compatible computers, the computer wakes from hibernation at the scheduled update time.
3. Log on to each computer at the Brisbane and Adelaide offices remotely using Remote Desktop. Uninstall the update and then hide the update. This ensures that the update is not installed again automatically.
Case Scenario 2: Internet Explorer at Wingtip Toys
1. You can disable the use of Internet Explorer accelerators through Group Policy. Although it is possible to disable accelerators manually, unless you disable accelerators through Group Policy, it is possible for users to reinstall them, or other accelerators, manually.
2. Instruct them to enable InPrivate Filtering. InPrivate Filtering stops browsing sessions being tracked across multiple sites. InPrivate Browsing does not block browsing sessions being tracked across multiple sites; it blocks browsing history and data being recorded by Internet Explorer.
3. Add them to the list of sites to use with Compatibility View, either through the Compatibility View Settings dialog box or by distributing the list through Group Policy.