Evernote Flashcards

Question

You upgrade a computer from Microsoft Windows Vista to Windows 7. You try to run one of the applications and it terminates unexpectedly. You need to resolve the problem. What should you try first? * Set the Compatibility mode to Windows Vista. * Uninstall and reinstall the application. * Set the Run this program as an administrator option. * Set the Disable visual themes option.

Answer 1

**Set the Compatibility mode to Windows Vista.** You should set the Compatibility mode to Windows Vista. The Compatibility mode option on the Compatibility tab of an application's properties dialog box allows you to configure an application to run in an environment that emulates an earlier version of Windows. In this case, because you know the program operated under Windows Vista, you should try to set the Compatibility mode to Windows Vista. You should not uninstall and reinstall the application as the first thing to try. Upgrading Windows preserves application settings. You should not need to reinstall the application. You should not set the Run this program as an administrator option. The Run this program as an administrator option is used when you need to support an application that requires administrative permissions. You would also need to add users who need to run the application to the Administrators group. You should not set the Disable visual themes option. You would set this compatibility option if you were experiencing problems with the title bar or menu bar of an application.

Answer 2

# Define AppLocker rules in a new GPO, separate from Software Restriction Policies. You should define AppLocker rules in a new GPO, separate from Software Restriction Policies. You can have both AppLocker rules and Software Restriction Policies, but if you define the AppLocker rules in the same GPO, only the AppLocker rules will apply. Software Restriction Policies must be maintained in a separate GPO. In most network environments, you will likely want to define both Software Restriction Policies and AppLocker rules. AppLocker rules provide more detailed control over applications, but currently apply to Windows Server 2008 and Windows 7 only. Older versions of Windows require Software Restriction Policies. You should not define AppLocker rules in the same GPO as existing Software Restriction Policies. If you do this, only AppLocker rules will apply, even if there is no conflict with the Software Restriction Policies. You should not unlink any GPOs containing Software Restriction Policies before defining AppLocker rules, and then relink when finished. This is not necessary and will not change the final result. You should not replace the Software Restriction Policies with AppLocker rules. While this is possible, it would be more work than necessary to meet your application restriction management requirements.

Answer 3

**Use Event Viewer to create and export a custom view.** You should use Event Viewer to create and export a custom view. You can create a custom view that contains events from one or more event logs. These events can be filtered by source, user, date, and event type. You can export a custom view and import it into another computer. You should not use Event Viewer to create a filter on the System log and save the filter to a custom view. The System log does not contain Application Hang or Application Error events. You should not launch Event Viewer and choose View | Show Analytic and Debug Logs. The Analytic and Debug logs provide extremely detailed event information for advanced troubleshooting and application debugging. You should not choose Windows Error Reporting in System Information. Although application hangs and errors are displayed in this report, service control events are not. Also, you cannot limit the information shown to only the past 24 hours.

Answer 4

**Start the computer by using the installation DVD. Select Repair your computer. Select Startup Repair.** You should start the computer by using the installation DVD, select Repair your computer, and select Startup Repair. The Startup Repair tool scans your system and locates missing or damaged operating system files. It can automatically correct problems caused by missing or damaged system files. You can access the Startup Repair tool from the System Recovery options menu, which is available by pressing the F8 key during startup and choosing Repair your computer, starting from the installation DVD and choosing Repair your computer, or starting from a system repair disc. You should not start the computer by using a system repair disc and select System Restore. System Restore allows you to restore the operating system to a restore point. A restore point is created when a driver or application is installed. You can also create restore points manually. In this case, you do not know when the problem occurred or if a restore point was created before the change that caused the problem. Therefore, you should first try Startup Repair. If Startup Repair does not resolve the problem, the next step is to try System Restore. You should not start the computer by using a system repair disc and selecting System Image Recovery. This option allows you to restore the system using a system image backup. All changes made since the backup will be lost, so this option should be used only if Startup Repair and System Restore fail to correct the problem. You should not start the computer by using the installation DVD and performing a custom installation. A custom installation is a clean installation. All system configuration settings and applications will be lost.

Answer 5

**Use User State Migration Tool (USMT) and manually configure ICS after migration.** You need to use USMT and manually configure ICS after migration. The USMT ScanState and LoadState commands do not migrate ICS configuration settings from Windows XP to Windows 7 because of the potential security risk. ICS is supported, but it must be configured manually after migration. You should not use Windows Easy Transfer to transfer computer settings. A manual network migration refers to using ScanState to transfer settings to a network server and LoadState to retrieve the settings from the server. Windows Easy Transfer is not used in this scenario, and even if it were used, it would not migrate ICS settings. You should not use USMT to run a default transfer as your only action. You will still need to manually configure ICS. You should not use USMT with a custom Config.xml file. A custom Config.xml file is used to identify components that you do not want to migrate.

Answer 6

**Enable Internet Protocol Version 6 (TCp/IPv6).** You should enable IPv6. DirectAccess relies on IPv6. With a DirectAccess connection, packets are tunneled through an Internet connection and secured using IP Security (IPSec). You do not need to enable the Quality of Service (QoS) Packet Scheduler. The QoS Packet Scheduler provides prioritized delivery for packets that require guaranteed delivery time. DirectAccess does not depend on QoS. You do not need to disable the Virtual Machine Network Service. The Virtual Machine Network Service is used to establish network communication with a Virtual PC. It is not related to DirectAccess. You do not need to disable File and Printer Sharing for Microsoft Networks. There are no limitations on sharing files or printers when connected to a DirectAccess server.

Answer 7

**Include a system image of drives: System Reserved, (C:).** You should select Include a system image of drives: System Reserved, (C:). The only option that allows you to back up program files is to create a system image. The drawback to creating a system image is that you cannot selectively restore files. Therefore, you might want to supplement a system image backup with periodic full backups of data files. You should not select Program Files. Even if the Program Files folder is selected, executable files within the Program Files folder or subfolders are ignored during backup. You should not select Local Disk (C:). Selecting this option would cause all data files on volume C or any subfolder of volume C to be backed up. However, executable files will not be backed up. You should not select Program Files and ProgramData. Even if the Program Files folder is selected, executable files within the Program Files folder or subfolders are ignored during backup.

Answer 8

**Install Windows Removable Storage Management (RSM).** You need to install RSM first. You must use Ntbackup to restore the files, but you must first install RSM before the computer will support Ntbackup. You should not launch Windows Backup and Restore. Windows Backup and Restore cannot be used to restore from a backup made with Ntbackup. You should not install the Ntbackup utility as your first action. You will need Ntbackup, but you need to install RSM before you install Ntbackup. You should not launch System Recovery. System Recovery cannot be used to restore from a backup made with Ntbackup.

Answer 9

**Create an image using ImageX and apply the image using Windows Setup** You should create an image using ImageX and apply the image using Windows Setup. You can boot the destination in Windows PE and then run Setup. By using Setup to apply the image, you have the option of selecting the destination volume. You should not create and apply an image using ImageX. This would require you to install to the volume from which the image was created. You should not use the DVD image for distribution through a network share. A DVD image is not designed for distribution in this manner.

Answer 10

**Sign the driver package with a certificate present in the computer's Trusted Publishers certificate store.** You should sign the driver package with a certificate present in the computer's Trusted Publishers certificate store. For a user to be able to install a driver from a network share, the computer must be configured to search that share for the driver, you must configure a device setup class for the driver in the Allow limited users to install drivers for these device classes policy, and you must sign the driver with a trusted certificate. You should not add the users to the Domain Admins group or the local Administrators group. Either action would grant the users more permissions than necessary and could result in a security risk. You should not provide users with a password to let them execute a command as an administrator. This would not enable them to automatically install the device driver. It would also let them run utilities in an administrator context, which is a security risk.

Answer 11

**Turn on InPrivate Browsing.** You should turn on InPrivate Browsing. When InPrivate Browsing is enabled, no information about your activity browsing the Internet is stored on the local computer. This includes cookies, history, and temporary Internet files. You should not turn on SmartScreen Filter. The SmartScreen Filter sends information about the Web site you are visiting to Microsoft. Microsoft then checks the site against its database to determine if it is a phishing site. A phishing site is one that looks like a legitimate site to trick users into providing their authentication credentials. For example, a phishing site might impersonate an online banking site to obtain a username, password, or account number. You should not turn on InPrivate Filtering. InPrivate Filtering allows you to block information about your browsing patterns from being sent to certain providers. You should not turn on Work Offline. When Work Offline is enabled, updated content is not downloaded from the Internet. Only cached content can be viewed.

Answer 12

**Run Sysprep.** You should run Sysprep. Specifically, you need to run Sysprep /generalize to remove unique computer information so that the image can be used for installation on one or more different computers. You should not run OCSetup. The OCSetup command is used to add system components to an online Windows image. It does not generalize the image for distribution. You should not run Deployment Image Servicing and Management (DISM). DISM is used to service offline Windows images, such as to add drivers to an image. It is not used to prepare a computer for imaging. You should not run ImageX. The ImageX command is used to create and manage images, but it requires that you first prepare the computer using Sysprep.

Answer 13

**Create an NTFS partition and enable BitLocker.** You should enable BitLocker. BitLocker is used to secure data on a drive so that it cannot be accessed if the drive is removed and inserted in a different computer, unless the necessary password is provided. You should also create an NTFS partition. BitLocker requires the computer to have a separate system partition that is formatted as NTFS and unencrypted. The partition must be at least 200 MB. If you do not create the partition, BitLocker will create it when you enable it. You should not create a FAT32 partition. The system partition must be an NTFS partition, not a FAT32 partition. You should not enable BitLocker To Go. BitLocker To Go is used to secure removable drives, such as a Universal Serial Bus (USB) flash drive. Encrypting the files with Encrypting File System (EFS) will not meet the requirements. EFS is per-user encryption enforced by Windows, so if the user can access the operating system drive, that user can potentially compromise the encrypted files.

Answer 14

**Open the Previous Versions tab of the Projects folder.** You should open the Previous Versions tab of the Projects folder. When System Protection is on, shadow copies of files are created each time a restore point is saved. If a file is deleted, the previous version of the file is listed on the Previous Versions tab of the folder that contained the file. You can copy or restore the file from this tab. You should not open the Previous Versions tab of the Documents library. To recover a file, you need to open Previous Versions on the folder that contained the file, not the library. You should not open Recovery in the Control Panel and select Restore your files. You use this option to restore files from backup, not to restore a deleted file that was saved in a restore point. You should not open Recovery in the Control Panel and select Open System Restore. You use this option to restore the operating system settings to a restore point, not to restore a data file.

Answer 15

**Ask her to repeat the steps using the Problem Steps Recorder and e-mail the output** You should ask her to repeat the steps using the Problem Steps Recorder and e-mail the output. The Problem Steps Recorder takes a screen shot of each step a user takes when performing a task. The user can add comments to the steps, save the output, and e-mail a compressed version of the saved output to a technician. You should not log onto her computer through Remote Desktop and view the Parental Controls log in Event Viewer. The Parental Controls Operational log stores setting changes related to Parental Controls, but it does not record each step a user takes. You should not ask her to save the Operational Log for Parental Controls and e-mail it to you. The Parental Controls Operational log stores setting changes related to Parental Controls, but it does not record each step a user takes. You should not log onto her computer through Remote Desktop and view the Application log in Event Viewer. Applications can write messages to the Application log. It is not used to troubleshoot problems related to a user's inability to configure Parental Controls.

Answer 16

**Configure your home network as a HomeGroup and choose to share resources automatically.** You should configure your home network as a HomeGroup and choose to share resources automatically. Resources, such as music, printers, videos, and so forth will be shared as libraries. You can choose the resource categories to be shared automatically when you set up the network. Because your computer is configured as a domain member at work, it will be able to access resources as part of the HomeGroup, but it will not be able to share resources to other computers. You should not configure your home network as an Active Directory domain and give all users permission to share resources from their computers. This would require you to set up a computer as an Active Directory domain controller and would carry extensive management and administrative overhead. It would also force you to change domain membership between work and home. You should not configure your home network manually as a peer-to-peer network and give all users permission to share resources from their computers. Resource sharing and network management would require significant more effort than setting up a HomeGroup. You should not configure your home network as a HomeGroup and choose to not share resources automatically. This would require you to manually share resources from each of the member computers.

Answer 17

**Scanstate /i:migapp.xml /i:miguser.xml \\fs1\migration /uel:90** You should use the following command: Scanstate /i:migapp.xml /i:miguser.xml \\fs1\migration /uel:90 The ScanState command is used to migrate user settings to a store. The /i option allows you to specify an Extensible Markup Language (XML) script that contains specifications for finding files to migrate. Migapp.xml is a default script that migrates application settings. MigUser.xml is a default script that migrates user profile data, including user settings and documents stored in a user's My Documents folder. The /uel option allows you to filter the users whose settings are migrated. By including an integer after /uel, you limit the users migrated to those who have logged in within that number of days. You should not use the following command: Scanstate /i:migapp.xml /i:migdocs.xml \\fs1\migration /ue:90 MigDocs.xml includes rules that locate documents on the computer that are not stored in My Documents and are not located by the rules in MigUsers.xml. The /ue option allows you to exclude a user by specifying a username or a domain name and a wildcard character. You should not use the following command: Scanstate /config:migapp.xml /config:migdocs.xml \\fs1\migration /uel:90 The /config option allows you to specify a custom XML file generated by running Scanstate /genConfig. Also, the MigUsers.xml script needs to be included if you want to migrate user settings and documents. You should not use the following command: Scanstate /config:miguser.xml \\fs1\migration /ue:90 The /config option allows you to specify a custom XML file generated by running Scanstate /genConfig. Also, the MigApp.xml script needs to be included if you want to migrate application settings.

Answer 18

**Use Windows Optional Component Setup (OCSetup) to service the image online.** You should use OCSetup to service the image online. You need to boot the image into audit mode. You must also prepare an unattended installation file for the application that specifies the path to the installation files. OCSetup calls the Windows Installer to run the actual installation. Audit mode lets you make changes to a Windows installation without requiring you to activate the installation or finalize the computer for end-user use. After making necessary changes to the image, you can then recapture the image and use it as a source for deploying Windows 7. You should not use DISM to service the image offline or online. DISM is not used to install applications that are distributed using an MSI file. When installing a Component-Based Servicing (CBS) package online, you will use OCSetup to initiate the installation, but OCSetup will internally invoke DISM to run the actual installation. You should not use OCSetup to service the image offline. The image must be online when installing a Windows Installer application.

Answer 19

**Use Credential Manager to add a Windows credential to the vault.** You should use Credential Manager to add a Windows credential to the vault. The vault stores credentials for Web sites, file servers, and other resources you access. You can add Windows credentials, certificates, and generic credentials to the vault. Because Integrated authentication uses Windows credentials, you should add a Windows credential to the vault. You should not use User Accounts to change your password to match the password specified on the Web site. Although the browser first sends the log on credentials for authentication when Integrated Security is used, both username and password must match. You should not create a separate user account that matches the credentials of the Web sites you need to access. Instead, you should use Credential Manager to store the authentication information securely. You should not use Windows CardSpace to add a card that contains your credentials. Windows CardSpace allows you to store personal information that can be sent to Web sites. It is not used to manage authentication credentials. You should not use Internet Options to configure InPrivate Filtering settings. InPrivate Filtering settings allow you to identify the Web sites you will allow to receive data about the Web sites you visit.

Answer 20

**Run ScanState Perform a custom install of Windows 7 Install the applications Run LoadState** You should do the following: \* Run ScanState \* Perform a custom install of Windows 7 \* Install the applications \* Perform LoadState You must perform a custom (clean) installation when migrating from Windows XP to Windows 7. To preserve application and user settings, you need to first run ScanState and save the settings to an external drive or a network share. Next, you need to install Windows 7 and the applications. Finally, you need to run LoadState to configure the computer with the saved settings. ScanState and LoadState are User State Migration Tool (USMT) commands. USMT migrates settings and data files, but not applications. Because the applications have custom settings, they must be installed before you restore the settings. You cannot perform an upgrade install of Windows 7 from Windows XP.

Answer 21

**Use ImageX to capture partitions C and D.** You should use ImageX to capture partitions C and D. Both C and D are primary partitions. You must capture all primary partitions except the System Reserved partition and (optionally) the System partition. You capture partitions using ImageX with the /capture option. You should not use ImageX to capture partition C only. You must also capture partition D. You must capture all primary partitions except the System Reserved partition and (optionally) the System partition. You should not use Diskpart to assign a drive letter to volume 1. Volume 1 is the System Reserved partition created by default during an installation of Windows 7. You should not create an image of the System Reserved partition. You should not use Diskpart to format volume 3 as NTFS. You can create an image of either NTFS or FAT32 partitions.

Answer 22

**Run the Standard User Analyzer (SUA) tool** You should run the SUA tool. The SUA tool lets you monitor specific applications for problems relating to the UAC feature. The SUA tool collects detailed data for analysis to help you fix any detected problems. There is also a SUA Wizard that steps you through potential fixes for UAC problems, but it does not perform detailed analysis. You should not run the SAT. The SAT is used to automate application installation and monitor the activities of the application's installer. You should not run USMT. USMT would be used to migrate user profile and application setting information. It is not used for troubleshooting compatibility problems. You should not run Windows AppLocker. AppLocker is used to create and manage rules to control user access to applications and files. AppLocker replaces the Software Restriction Policies feature in earlier versions of Windows.

Answer 23

**Use PowerShell scripts.** You should use PowerShell scripts to manage remote computers running Windows 7. You can use PowerShell Windows Management Interface (WMI) scripts to perform most management tasks that might be automated. Before you can use PowerShell to manage a remote computer, PowerShell must be installed on the computer. Because PowerShell is installed by default with Windows 7, you do not need to make changes to the target computer. You should not use RSAT. RSAT can be used to remotely manage a computer running Windows 2008 Server and, in many circumstances, Windows 2003 server from a computer running Windows 7. RSAT cannot be used to manage a computer running Windows 7. You should not use RD Gateway. RD Gateway enables Remote Desktop clients to access resources on remote servers and run applications remotely. RD Gateway is used to provide remote clients with a connection to RD Session Host resources and applications. You should not use Remote Desktop Services Manager. Remote Desktop Services replaces the Terminal Services support provided with earlier Windows releases. Remote Desktop Services Manager lets you view users, sessions, and processes on a Remote Desktop Session Host (RD Session Host) server. You can manage client connections to the RD Session Host, but you cannot directly manage client computers.

Answer 24

**Use the Windows System Image Manager (SIM) to create a file named Autounattend.xml. Save the file to a Universal Serial Bus (USB) flash drive.** You should use the Windows SIM to create a file named Autounattend.xml and save the file to a USB flash drive. The Windows SIM utility is part of the Windows Automated Installation Kit (AIK). It allows you to create answer files that can be used to limit the components installed and the features enabled during an automated installation. The answer file is an Extensible Markup Language (XML) file that is normally named Autounattend.xml. You can store the file on a USB flash drive (UFD) or in another location. If you use a different filename or store the file in a location not included in the implicit search path, you will need to specify the path to the file when you run Setup using the following command: setup.exe /unattend:filename You should not use the Windows System Image Manager (SIM) to create a file named Unattend.txt and save the file to a network share. Older versions of Windows used an answer file named Unattend.txt. Windows 7 uses an XML file. You should not use ImageX to create a file named Sysprep.inf and save the file to the root of drive C. ImageX is used to create an image, not to create an answer file. The Sysprep.inf file was used when creating a Windows XP installation image. It has been replaced by the Unattend.xml file in Windows 7. Also, Sysprep.inf was used with the Sysprep tool, not with Setup.exe. You should not create a file named Winbom.ini and save the file to a network share. The Winbom.ini file was another answer file used during Windows XP Setup.

Answer 25

* **Run Pnputil on the computer.** * **In System Properties, select Never install driver software from Windows Update.** You should run Pnputil on the computer. Windows 7 allows you to stage device drivers to a driver store on a computer. You use the Pnputil command to add a driver to a staged location. You should also enable Never install driver software from Windows Update in System Properties. By default, Windows searches the driver store, any paths specified in the DevicePath registry key, and Windows Update. If you prevent Windows from using Windows update, only device drivers in the store or in a path listed in the DevicePath registry key will be searched. The search order can be modified through the Specify search order for device driver source locations Group Policy setting. You should not enable the Only elevate permission for executables that are signed and validated policy. This policy affects whether an unsigned executable can execute with elevated permission. It does not affect which device drivers can be installed. You should not run Deployment Image Servicing and Management (Dism) on the computer. Dism is a command-line utility that is used to mount and modify installation images and create Windows PE images. You should not enable the Only elevate UIAccess applications that are installed in secure locations policy. This setting determines whether applications that request User Interface Accessibility access permissions can run if they are installed in a location that is not considered secure. Secure locations are: \Program Files\Windows\System32\Program Files (x86)

Answer 26

**Use the Wbadmin command.** You should use the Wbadmin command. You must use the Wbadmin command to restore system state information for Windows 7. To restore the system state, you would run the following from a command prompt run with administrator privileges: wbadmin start systemstaterecovery You should not use the System Restore application. System Restore lets you restore a computer to an established restore point or to a complete PC backup that was created earlier. You should not use the Windows Backup tool. You cannot use the Backup tool to back up or restore system state information. You must use Wbadmin to back up or restore system state. You should not use Windows RE to restore system state. Windows RE includes system recovery options, including recovering from a complete backup or a Windows system image, but it does not support system state recovery.

Answer 27

* **Use Wbadmin to back up directly to DVD.** * **Use Backup to back up directly to DVD.** In Windows 7, you can use Wbadmin or the Backup tool to back up directly to DVD as your backup destination. The disk can then be removed and stored in an offsite location. You should not use the Backup tool to back up to a network location and copy the backup file to DVD. This would work, but it requires more steps than necessary to accomplish the backup. You should not use Windows RE to back up the files to DVD. Windows RE provides several options for recovering a system, but not for producing a backup. You should not use Ntbackup to back up to a network location and copy the backup file to DVD. Windows 7 does not include Ntbackup. There is a version of Ntbackup available for download that will run on Windows 7, but it can only be used to restore files from a backup created using an earlier Windows version of the Ntbackup command.

Answer 28

**On the application's Compatibility tab, click Change settings for all users. Select Windows XP as the Compatibility mode.** You should open the application's Compatibility tab, click Change settings for all users, and select Windows XP as the Compatibility mode. You can configure application-specific compatibility settings through the Compatibility tab. The settings affect the user who is logged on. To access settings for all users, you need to click Change settings for all users. Because the application ran fine under Windows XP, the first setting you should try is to set the Compatibility mode to Windows XP. You should not select Windows XP as the Compatibility mode on the application's Compatibility tab. Doing so would affect the compatibility settings only for the user who is currently logged on. You should not modify the program's settings in Programs and Features. You can use Programs and Features to change installation options and uninstall a program. You cannot configure compatibility settings there. You should not modify the Application Compatibility settings in local Group Policy. The Application Compatibility settings in local Group Policy allow you to enable or disable application compatibility features, such as the Program Compatibility Assistant. It does not allow you to configure compatibility settings for a specific application.

Answer 29

**Add each user individually through the file's Advanced properties.** You should add each user individually through the file's Advanced properties. This will grant these specific users access to the file. Access must be granted on a user-by-user basis when limiting access to a single file. You should not run the cipher command with the /r option to export the recovery certificate and private key. This would not be necessary in this scenario. You would do this if you were creating a new recovery agent. A recovery agent enables you to recover all of a user's encrypted files. You should not modify Group Policy to identify DataSet members as recovery agents. This would provide access to all encrypted files and cannot be limited to a single file. You should not add the DataSet group through the file's Advanced properties. Users must be added individually.

Answer 30

**Defragment the volume.** You should tell the user to defragment the volume. Like an internal hard disk volume, a USB hard disk drive can become fragmented over time. You can defragment the volume by displaying the volume's properties, selecting the Tools tab, and clicking Defragment now. You cannot convert the volume to FAT32. You cannot convert from NTFS to FAT32. You must reformat, which will result in losing data. Also, NTFS provides better performance than FAT32. You cannot convert the volume to a dynamic disk. You can only convert an internal hard disk to a dynamic disk. Also, the advantage to using a dynamic disk is the ability to create spanned and striped disks, not to provide better performance. You should not update the USB controller driver. The problem is not related to the USB controller driver. If it were, the problem would not have gradually gotten worse. When disk access performance gradually worsens, the problem is most likely caused by fragmentation.

Answer 31

**Run Internet Explorer (No Add-ons) from All Programs \> Accessories \> System Tools** You should run Internet Explorer (No Add-ons) from All Programs \> Accessories \> System Tools. You need to disable the add-on that is causing the problem. To do this, you need to run the Manage Add-on utility. Unlike earlier Internet Explorer versions, Internet Explorer version 8, which ships with Windows 7, lets you manage add-ons after launching Internet Explorer without add-ons. You can disable the add-on causing the problem and then start Internet Explorer normally. You can also run iexplore -extoff from a command line to disable add-ons. You should not launch Add/Remove programs from the Control Panel. This does not necessarily give you access to the add-on you need to disable. You should not right-click Internet Explorer in the Start menu and click Properties. This lets you access the properties of the shortcut, but it does not let you manage add-ons. You should not revert to a system recovery point from before installation of the add-on. This could result in other changes to the computer.

Answer 32

**Configure a Routing and Remote Access server to use Secure Sockets Tunneling Protocol (SSTP).** You should configure a Routing and Remote Access server to use SSTP. SSTP is a virtual private network (VPN) protocol supported by Windows Server 2008, Windows Vista, and Windows 7. It uses port 443, so it can pass through firewalls that do not support other VPN protocols. You should not configure a Routing and Remote Access server to use NAP. NAP is a system health verification and quarantine service, not a VPN protocol. It can be used for VPN connections and other connections to ensure that clients have a supported configuration, including Windows updates and antivirus software. You should not configure a DirectAccess server in an end-to-edge configuration. Windows Vista computers cannot connect using DirectAccess. An end-to-edge configuration can be used to allow Windows 7 clients to access both Windows Server 2008 and Windows Server 2003 servers on the intranet. You should not configure a DirectAccess server in an end-to-end configuration. Windows Vista computers cannot connect using DirectAccess. An end-to-end configuration is the most secure because data is encrypted from the client to the server. However, Windows Server 2003 servers cannot be accessed in an end-to-end configuration.

Answer 33

**Use AppLocker to create default executable rules for all users.** You should use AppLocker to create default executable rules for all users. You must create a default rules set before creating the rules to limit users to running signed applications only. Default rules enable all users to run the programs in the default Program Files folder and in the Windows folder. You should not use AppLocker to create a new executable rule for each signed application. This is not necessary. After creating default rules, you would create a new executable rule for all signed applications. You should not use AppLocker to create a publisher rule for each signed application. A publisher rule is used to enable rules to apply to an application after an upgrade rather than having to create a new rule each time you upgrade an application.

Answer 34

**Enable the Specify intranet Microsoft Update Service location policy in Group Policy.** You should enable the Specify intranet Microsoft Update Service location policy in Group Policy. This policy allows you to identify a Windows Software Update Service (WSUS) computer to use for downloading Windows updates. Updates on a WSUS computer can be selectively approved. You cannot identify a WSUS server through Windows Update. You should not enable the Give me recommended updates the same way I receive important updates option in Windows Update. Enabling this option causes recommended updates to be downloaded using the same settings as for important or critical updates. You should not enable the Turn on recommended updates via Automatic Update policy in Group Policy. Enabling this policy causes recommended updates to be downloaded using the same settings as for important or critical updates. You should not disable the Allow all users to install updates on this computer option in Windows Update. This setting prevents users from manually installing updates, but it does not affect automatic updates.

Answer 35

**Use diskpart to create an active primary partition on the USB flash drive and format it as FAT32.** You should use diskpart to create an active primary partition on the USB flash drive and format it as FAT32. You need to first prepare the USB drive. To do so, you run diskpart, clean the disk, and then create an active primary partition. You should format the partition as a FAT32 partition. After the partition is prepared, you can copy the installation files from the DVD to the USB flash drive. You should not use ImageX to create an image and copy the image to the USB flash drive. Images are created using ImageX. However, you must boot using Windows Preinstallation Environment (Windows PE) to apply an image. You should not use Windows SIM to create an image. Windows SIM is used to create an answer file, not an image. You should not use diskpart to create an active primary partition on the USB flash drive and format it as NTFS. You must format the partition as FAT32.

Answer 36

**Allow incoming Hypertext Transfer Protocol (HTTP) and WS-Discovery traffic.** You should allow incoming HTTP and WS-Discovery traffic. BranchCache uses HTTP to transmit data in both Distributed Cache and Hosted Cache mode. In Distributed Cache mode, content can be cached on any client on which BranchCache is enabled. A client uses the WS-Discovery protocol to locate cached content. With Hosted Cache mode, clients are configured with the address of the host, so there is no need to use the WS-Discovery protocol. You should not allow incoming WS-Discovery and outgoing HTTP traffic. Clients must accept incoming HTTP traffic if they are to receive data. You should not allow incoming HTTP and SMB traffic. Although BranchCache can be used to cache file share data transmitted over SMB, the data is sent to and retrieved from the cache server using HTTP. You should not allow incoming HTTP traffic only. If you were using Hosted Cache mode, you would only need to allow incoming HTTP traffic. However, you need to allow WS-Discovery traffic in Distributed Cache mode.

Answer 37

**Use Microsoft Deployment Toolkit (MDT) to create a deployment point.** You should use MDT to create a deployment point. MDT is most suitable for high-volume installations. Clients access the deployment point using Windows Preinstallation Environment (PE), which you can create on removable media or share using Windows Deployment Service (WDS). You can install all necessary customizations in the deployment point. You cannot use Windows SIM to create an image. Windows SIM is used to create an unattended installation file. Windows SIM is part of the Windows AIK, which is more suitable for creating images to support medium-sized deployments. You should not use Package Manager to create a package. A package is a feature that can be referenced by an unattended installation file. It is not a full deployment of Windows 7. You cannot use Windows AIK to create a deployment point. AIK is used to create unattended installation files and images for medium-sized deployments.

Answer 38

**Enable InPrivate browsing.** You should enable InPrivate browsing. You can do this by choosing InPrivate browsing when you open a new browser window or tab. This prevents the computer from maintaining your browsing history. No record of made of addresses and links visited, form data, or passwords used. Any new cookies are treated as session cookies and are not stored. Temporary Internet files are deleted when the private browsing window is closed. You should not enable InPrivate filtering. InPrivate filtering does not prevent recording of browser history information. Instead, it warns you about third-party content that can view your browsing history and lets you block this access. You should not enable SmartScreen filter for this purpose, though you will typically want to have the SmartScreen filter enabled. The SmartScreen filter helps block malware and indentify potentially hazardous Web sites. You should not enable Phishing filter. Phishing filter was replaced by the SmartScreen filter in Windows 7 and Internet Explorer 8.

Answer 39

**Create a new image from the reference computer.** You should create a new image from the reference computer. When you create an image, it will contain the editions supported by that edition family, in this case, the retail family. The editions available in the retail and consumer families are: \* Windows 7 Starter \* Windows 7 Home Premium \* Windows 7 Professional \* Windows 7 Ultimate You can modify an image to have it install a higher edition by default, such as increasing from Windows 7 Home Premium to Windows 7 Professional, but you cannot modify an image to support a lower edition if it is already set to install a higher edition. You should not use DISM to modify the image. You can use DISM to raise the edition installed by the image, but not lower it. Because the image is set to Windows 7 Ultimate, you cannot drop the edition back to Windows 7 Professional. You should not boot the image on the reference computer and use OCSetup to modify the image. OCSetup can be used to modify an online image, but not to change the default edition installed by the image. You should not use Windows SIM to create a custom unattended installation file. This does not give you a way to install a lower Windows 7 edition.

Answer 40

**Turn on password protected file sharing.** You should turn on password protected file sharing. When password protected file sharing is enabled, a user can only access shared resources on a computer if that user has a user account and password on that computer. You enable password protected file sharing through Advanced sharing settings in the Network and Sharing Center. You should not create a homegroup. When you create a homegroup, you can share files that can be accessed only by other computers that are joined to the homegroup. You cannot disable Simple file sharing. Simple file sharing was a Windows XP file sharing method and is not supported by Windows 7. You should not turn off Network Discovery. Network Discovery allows your computer to locate and be located by other computers on the network.

Answer 41

**Create a .wim file that has both a 32-bit image and an x64 image. Create a separate .wim file that has an Itanium image.** You should create a Windows image (.wim) file that has both a 32-bit image and an x64 image and create a separate .wim file that has an Itanium image. You can store a 32-bit image and an x64 image in the same .wim file. To do so, you first create the 32-bit image and then use the /append option of ImageX to append the x64 image. However, you must have a separate .wim file to deploy the Itanium processor installation. You do not need to create a separate .wim file for each processor. You can store the 32-bit image and the x64 image in the same file. You should not create a .wim file that has a 32-bit image and create a separate .wim file that has an x64 and an Itanium image. You cannot store an x64 image and an Itanium image in the same file. You should not create one .wim file that has an image for each processor. The Itanium image must be stored in a separate .wim file.

Answer 42

**Windows Firewall with Advanced Security** You should use Windows Firewall with Advanced Security. Windows Firewall with Advanced Security allows you to create rules that limit traffic by protocol or port. It also allows you to configure security requirements for the connection, including requiring authentication and encryption. Windows Firewall with Advanced Security combines firewall rule definition and IP Security (IPSec) rule definition into one integrated tool. You should not use the IP Security Policy MMC. This tool can be used to configure more limited rules than Windows Firewall with Advanced Security. It does not allow you to segregate the rule so that it is only applied to the domain network location. You should not use Netsh firewall. You can configure a limited set of firewall configuration settings by using Netsh firewall. However, you could not configure the necessary rule by using Netsh advfirewall. You should not use Default Programs. Default Programs allows you to select the program that should be used for specific types of activities, such as browsing or e-mail. It is not used to configure security restrictions on network traffic.

Answer 43

**Use Device Manager to uninstall the driver. Restart the computer** You should use Device Manager to uninstall the driver and then restart the computer. When you uninstall the device driver, Windows 7 will automatically detect the plug-and-play device when it is restarted. It will locate the most appropriate driver for the device and install it. Normally, uninstalling a device will cause the computer to restart. However, if the computer does not automatically restart after uninstalling the device, you can also force plug-and-play to locate the device by using the Scan for hardware changes command. You should not disable the device. When you disable a device, the device driver remains installed. When you restart the computer, Windows 7 will see the device as disabled and will not try to load its device driver. You should not run Pnputil -d and restart the computer. The Pnputil command is used to manage the driver store. The driver store contains staged device driver files. The -d option removes the staged files from the store, but it does not affect installed device driver files. You should not use the Add Hardware Wizard to reinstall the driver. You use the Add Hardware Wizard to install drivers for legacy (non-plug-and-play) devices.

Answer 44

**Log on as Administrator and run cipher /r.** You should first log on as Administrator and run cipher /r. Running the cipher command with the /r option creates a Recovery Agent certificate. You can then install the certificate by using the Add Recovery Agent wizard. To launch the Add Recovery Agent wizard, open Local Security Policy, expand Public Key Policies, right-click Encrypting File System, and choose Add Data Recovery Agent. You should not log on as Administrator and run the Add Recovery Agent wizard as the first step. You must first create a Recovery Agent certificate. You should not log on as Administrator and run cipher /AddUser. You use the /AddUser option of the cipher command to associate an additional user certificate with a file. You should not log on as each user and run the Add Recovery Agent wizard. You must run the Add Recovery Agent wizard as an administrator. Although you can configure multiple recovery agents, any recovery agent can recover the encrypted files for all users.

Answer 45

* **Add the laptop computers to a security group named IntranetUsers.** * **Run the DirectAccess Setup Wizard on RA-Srv. Add IntranetUsers to the DirectAccess Client Setup list.** You should do the following: \* Add the laptop computers to a security group named IntranetUsers. \* Run the DirectAccess Setup Wizard on RA-Srv. Add IntranetUsers to the DirectAccess Client Setup list. DirectAccess allows client computers running Windows 7 or Windows Server 2008 R2 to connect to intranet resources. Connections to Internet resources can be made directly instead of passing through the intranet. A DirectAccess server must be a domain member running Windows Server 2008 R2 and must be located on the perimeter network. It must have two network adapters: a public network adapter and a private network adapter. Both network adapters must be configured for IPv6. The public network adapter must be assigned two publicly-accessible consecutive IPv4 addresses. You configure clients by adding them to a security group and adding that security group to the client list using the DirectAccess Setup Wizard. The necessary GPO containing the client settings is created by the wizard. You should not create a GPO that enables the Client (Respond only) IPSec policy. Configuring clients to use IPSec is not sufficient to enable them as DirectAccess clients. Other policies must be set so that they can find a network location server and connect to the intranet automatically. You should not configure a VPN connection on each computer or enable a VPN endpoint on RA-Srv. A VPN connection is used to connect to a VPN endpoint. When a user who is connected to a VPN endpoint attempts to connect to an Internet resource, the request is routed through the intranet.

Answer 46

* **Request a server certificate from the CA and import it to BC-Srv.** * **Run netsh http add sslcert on BC-Srv.** You should request a server certificate from the CA and import it to BC-Srv. When using BranchCache in Hosted Cache mode, you need to install a server certificate that is trusted by the clients. Because the CA is an Enterprise CA and the clients are domain members, the CA is trusted. You should also run netsh http add sslcert on BC-Srv. This command links the certificate to the BranchCache service. You will need to specify the IP address and port the service will listen on, the application identifier for the service, and the thumbprint of the certificate. You should not run netsh http add sslcert on each client computer. The certificate should be imported and linked on the server, not on each client. You should not import a certificate into the Windows Vault on each client computer. Windows Vault is used to store authentication credentials for a Windows 7 user. It is not used to store BranchCache certificates. You should not import the root certificate into Trusted Root Certification Authorities on each client computer. Because the CA is an Enterprise CA, the root certificate is already trusted by the computer.

Answer 47

**Upgrade the graphics adapter.** You should upgrade the graphics adapter. The performance tool analyzes each component and identifies a Windows Experience Index subscore. It then creates a base score based on the lowest subscore. The base score indicates the Windows Experience Index at which applications will run efficiently. Upgrading hardware that already has a higher Windows Experience Index than the base score will not affect the way applications run. In this case, the graphics adapter has the lowest subscore, so the best upgrade would be to replace the graphics adapter with a more efficient one. You should not add more RAM. The 1 GB of RAM is sufficient for running Windows 7. The system would be faster with more RAM, but the RAM is not the biggest bottleneck in this case. You should not upgrade to the 64-bit version of Windows 7. Although the computer has a 64-bit processor, it does not have enough RAM to support an upgrade to the 64-bit version of Windows 7. The 64-bit version requires 2 GB of RAM. You should not upgrade to Windows 7 Enterprise. Windows 7 Enterprise includes additional features suitable for use in an Active Directory domain environment. There is no performance difference between Windows 7 Ultimate and Windows 7 Enterprise.

Answer 48

**Add the network adapter driver to the Boot.wim file on the deployment server.** You should add the network adapter driver to the Boot.wim file on the deployment server. The Boot.wim file defines the Windows PE environment used to boot the computer. When the computer starts up, Pre-eXecution Environment (PXE) will locate the deployment server and obtain the Boot.wim file. If more than one Boot.wim file appropriate to the computer exists, the user will be prompted with a menu to select one. WDS allows you to add driver packages to the Boot.wim file that are necessary for booting the computer and connecting to the network share. In this case, you need a network adapter driver, but you can also add mass storage controllers to the Boot.wim file. You should not export the PE image, add the network adapter driver, and copy the PE image to a USB flash drive. While you could boot the computer from a USB flash drive, doing so requires more effort than using PXE-boot to access the install image from the WDS server. You should not export the PE image, add the network adapter driver, and import the PE image. Although you can use the Windows Automated Installation Kit (WAIK) to perform this task, doing so requires more effort than simply modifying the Boot.wim file using WDS. You should not create an Unattend.xml file and create a Group Policy Startup script that launches Setup using the Unattend.xml file. You cannot launch Windows 7 Setup from Group Policy. You must start the computer using a PE image to perform a clean installation

Answer 49

**Change the network location to Work.** You should change the network location to Work. By default, a Public network does not permit a user to connect to computers on the local network. It only allows limited access, such as browsing Web pages. You should not enable Network Discovery for Public networks. When Network Discovery is enabled, a computer can locate and be located by other computers on the local network. Network Discovery is enabled by default for Work and Home networks, but not for Public networks. If you enable Network Discovery for Public networks, you will be able to access other computers on the network, but this setting will affect all Public networks. Therefore, if you connect to a network at a Wi-Fi hotspot, other computers connected to that hotspot will be able to see the computer. You should not enable File sharing for Public networks. When file sharing is enabled, you can share files with other computers on the network. However, this setting would apply to all public networks, so it would negatively affect the computer's security. You should not change the address of the DNS server. The problem is not caused by incorrect DNS settings. The problem is caused by the fact that the network location is set to Public. DNS is used to resolve host names to IP addresses. If you had the wrong DNS setting, you would be unable to access resources on the Internet.

Answer 50

**In Group Policy, enable the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop policy.** You should enable the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop policy. Remote assistance is an example of a User Interface Accessibility (UIAccess) application. When this policy is enabled, the elevation prompt is displayed on the interactive desktop, and is therefore accessible to the remote technician. You should not disable the User Account Control: Switch to the secure desktop when prompting for elevation policy. When this policy is disabled, UAC will not switch to the secure desktop for any elevation prompt. This option is less secure than only allowing UIAccess applications to display an elevation prompt on the interactive desktop. You should not instruct users to select the Allow IT Expert to respond to User Account Control prompts option when creating the invitation. If users select this option without enabling the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop policy, remote technicians will not see or be able to respond to the elevation prompt. You should not change the User Account Control Settings to Never Notify on each computer. When UAC is set to this level, users logged on as an Administrator can perform actions without being prompted for elevation. Actions that require administrator permissions will not succeed when performed by a standard user.

Answer 51

* **Require BitLocker To Go on the mobile computers.** * **Configure access to encrypted data based on domain user credentials.** You should require BitLocker To Go on the mobile computers and configure access to encrypted data based on domain user credentials. BitLocker To Go is used to encrypt the contents of removable media, such as removable drives and USB flash drives. By basing access on domain user credentials, you can limit access to when users are logged on to the domain. Because users will be authenticated by user account, user requirements are kept to a minimum. You should not require BitLocker on the mobile computers. BitLocker is used to encrypt internal hard disk drives. Specific features vary depending on whether or not the computer includes Trusted Platform Module (TPM) version 1.2 hardware. You should not configure access to encrypted data based on password. This is not as secure as basing access on user credentials. If a user knows the password, he or she can access the data whether or not he or she is logged onto the domain. Also, passwords can be relatively easily compromised, completely circumventing the protection placed on the data. You should not configure access to encrypted data based on SmartCard and PIN. This is secure, but it is less convenient to users than basing access on user authentication credentials.

Answer 52

**Convert the two non-system disks to dynamic disks.** You should first convert the two non-system disks to dynamic disks. A basic disk can only support primary partitions, extended partitions, and logical disks. In this case, you want to create a striped volume across the two non-system disks to provide the best performance. A striped volume offers excellent performance because data can be read and written to two disks simultaneously. It does not offer fault tolerance. However, this scenario does not require fault tolerance. You cannot create a striped volume using the two non-system disks first. You must first convert the disks to dynamic disks. You should not create a spanned volume using the two non-system disks. A spanned volume increases disk space on a logical volume by extending a volume onto a second physical disk. However, data is written and read sequentially, so it provides no performance boost. Also, a spanned volume can only be created on dynamic disks. You should not create a mirrored volume using the two non-system disks. A mirrored volume provides fault tolerance by storing a copy of the same data on two disks. A mirrored volume can only be created on dynamic disks.

Answer 53

**specialize** You should apply the settings during the specialize configuration pass. The specialize configuration pass is used to apply machine-specific settings, such as network settings, domain membership, or configuring a default home page. You should not apply the settings during the oobeSystem configuration pass. The oobeSystem configuration pass occurs the first time a user logs in, before the Windows Welcome screen displays. This is the configuration pass in which the Windows Welcome screen displays. You should use this configuration pass to configure user environment settings. You should not apply the settings during the windowsPE configuration pass. A setting applied during the windowsPE configuration pass configures the environment used to run Setup. For example, you would partition the hard disk during the windowsPE configuration pass. You should not apply the settings during the offlineServicing configuration pass. The offlineServicing configuration pass is used to apply packages to an offline image. A package might include updates, language packs, or drivers.

Answer 54

**RAM** You need to upgrade the RAM. The 64-bit version of Windows 7 requires a 64-bit processor, 2 GB of RAM, 20 GB of hard disk space, and a DirectX 9 graphics device with WDDM 1.0 or higher. The computers only have 1 GB of RAM, so the RAM must be upgraded. You do not need to upgrade the hard disk space. The operating system will use 20 GB of disk space. Therefore, the total disk space used by operating system and applications is 120 GB, leaving 80 GB for the paging file and data files. You do not need to upgrade the graphics card. The graphics card meets the minimum requirement.

Answer 55

**Use the Application Compatibility Toolkit (ACT).** You should use the ACT. The primary purpose of the ACT is to determine if installed applications are compatible and, if not, how to make them compatible. However, the ACT includes the ability to collect information about installed applications without having to do the analysis for compatibility. This gives you a quick way to generate an application inventory. You should not use AppLocker. AppLocker lets you control the applications installed on client computers and limit clients to approved applications. It does not include a way to create an application inventory for client computers. You should not use the Add or Remove Programs utility. This Control Panel utility can be used to display a list of applications that have been installed on each of the clients, but this must be done separately on each client, and the inventory list must be compiled manually. You should not use enhanced auditing. Enhanced auditing can be used to track various types of user and system activity, but it does not provide a way to track installed software as a central inventory database.

Answer 56

**System Configuration** You should use System Configuration. The Startup tab of the System Configuration tool (msconfig.exe) allows you to select the programs that load during startup. You should not use Services. The Services utility allows you to manage which Windows services start automatically, manually, or are disabled. The problem is caused by an application, not a Windows service. You should not use Default Programs. The Default Programs Control Panel allows you to configure which browser, e-mail program, and instant messaging program are used by default. You should not use Programs and Features. The Programs and Features Control Panel allows you to uninstall programs and change the program features that are installed. It does not allow you to configure whether a program is loaded at startup.

Answer 57

**Configure TCP/IP on the new Windows 7 computers.** You should manually configure TCP/IP on the new Windows 7 computers. The scenario states that the other computers in the office have static IP addresses. There is also no mention of a DHCP server. Also, the new Windows 7 computers have addresses in the Automatic Private IP Addressing (APIPA) range, which includes 169.254.0.0 through 169.254.255.255, and have no default gateway assigned. When an address is assigned by APIPA, only an address and subnet mask are assigned. Default gateway values are not generated. A Windows 7 computer is assigned an address in the APIPA range when it is configured to receive its IP address automatically and it cannot contact the DHCP server. Therefore, you can conclude that the computers need to have their IP configuration set manually. You should not configure the computers running Windows 7 to receive IPv4 address information automatically. The most likely problem is that the computers are already configured to receive an address automatically. Because the remote office is configured with static IP addresses, you can assume that there is no DHCP server. The new Windows 7 computers are automatically generating addresses through APIPA. The computer's IPv4 addresses are part of the APIPA range, which includes 169.254.0.0 through 169.254.255.255. When an address is assigned by APIPA, only an address and subnet mask are assigned. Default gateway values are not generated. You should not specify the nearest gateway as the default gateway for each of the computers running Windows 7. Lack of a default gateway would not prevent the new Windows 7 computers from communicating with other local computers. A default gateway is used to communicate with other subnets, but clients with APIPA addresses would not be able to communicate through the gateway. You should not update the computers running Windows XP to Windows Vista or Windows 7. The new Windows 7 computers are attempting to contact the DHCP server for IP addresses. Computers running Windows XP do not prevent computers running Windows 7 in the same subnet from receiving DHCP address leases.

Answer 58

**Create an online identification (ID) for each valid user.** You should create an online ID for each valid user. The online ID is linked to a Windows user and is used to authenticate access to shared resources. This process relies on the Public Key Cryptography Based User-to-User (PKU2U) protocol. This protocol is specifically designed to support the use of online IDs for authentication. You should not configure the default location as a public location on each computer. To set up HomeGroup with online IDs, you need to configure the computers for a home location. You should not require the computers to use Kerberos authentication. Kerberos is used as the default authentication in Active Directory domains to provide mutual authentication. You should not reconfigure the network as an Active Directory domain. This is not necessary to meet the scenario requirements and would require excessive reconfiguration and ongoing management.

Answer 59

**Boot using the Last Known Good Configuration.** You should boot using the Last Known Good Configuration. Because the computer has been unable to restart since installing the new driver, using the Last Known Good Configuration will revert to the original device driver. This should enable you to boot the computer successfully. You should not boot in Windows RE to run a system restore. This would take longer than trying the Last Known Good Configuration and would not necessarily work. Depending on how the computer is configured, a restore point might not have been created when you installed the device driver. You should not boot from the installation DVD and reinstall Windows 7 as a repair installation. While this will likely correct the problem, it will take much longer than using the Last Known Good Configuration. You should not boot in Windows RE and disable the hard disk driver. Some critical drivers cannot be disabled. If you can disable the hard disk driver, the computer will not be able to restart.

Answer 60

**Run the BCDedit command.** You should run the BCDedit command. The BCDedit command lets you edit Boot Configuration Data (BCD) files. The BCDedit /bootsequence command makes a one-time change to the boot order. On the next boot, the boot menu reverts to its original setting. You can use the BCDedit /displayorder option to permanently change the boot order to boot to a different operating system by default. You should not run the Bootcfg.exe command. This command is similar to BCDedit, but it was used with earlier Windows versions and does not support the same functionality as BCDedit. You should not edit the Boot.ini file. This is how you could change the boot order on earlier Windows versions, but any changes made are permanent until you reedit the file. You should not use Windows SIM. Windows SIM is not used to manage Windows installations. It is used to manage installation images and catalogs.

Answer 61

**Enable ReadyBoost on a USB flash drive** You should enable ReadyBoost on a USB flash drive. ReadyBoost allows you to allocate space on a USB flash drive or flash memory card to use as RAM. Using ReadyBoost can speed performance because less paging will be required to the paging file. You cannot move the paging file to the USB flash drive. You cannot place a paging file on removable storage. You cannot enable ReadyBoost on the hard disk. You can only enable ReadyBoost on a USB flash drive or flash memory card. You should not move the paging file to a different hard disk volume than the operating system. Moving the paging file to a different volume on the same physical disk will not affect performance. Moving a paging file to a different physical disk than the one where the operating system is installed will improve performance.

Answer 62

**Configure the domain Group Policy that is currently linked to domain computers to run PowerShell scripts first.** You should configure the domain Group Policy that is currently linked to domain computers to run PowerShell scripts first. You can control this through the Run Windows PowerShell scripts first at user logon, logoff setting, which can be set through either user or computer policies. When this setting is enabled, PowerShell scripts execute before other (non-PowerShell) scripts. The default setting for this policy (Not configured) causes non-PowerShell scripts to run first. Because of this, you must configure the policy and set it to Enabled. You should not create a local policy that includes the scripts as logon scripts. Local policies must be managed on a per-computer basis and would require significantly more effort to maintain. You should not modify the current linked policy to ensure that PowerShell scripts are listed first. The relative order of execution between PowerShell and non-PowerShell scripts is not controlled through the order in which they are listed. You should not create a new GPO to control execution and link it to the appropriate Organizational Units (OUs) within the domain. There is no need to do this because the existing GPO, linked at the domain level, can be used.

Answer 63

**Create an Executable rule that allows access based on the Publisher condition.** You should create an Executable rule that allows access based on the Publisher condition. An AppLocker Executable rule is used to limit the users who can launch .EXE and.COM files. When Executable rules are enforced, all applications except those that match an Allow rule are prevented from running. An Allow rule based on the Publisher condition allows only applications signed by that publisher to be launched. You can use a wildcard character (\*) to create a rule that allows all signed applications to run. You should not create an Executable rule that allows access based on the Hash condition. The Hash condition compares the hash of a file being launched to make sure no bits have changed. While a Hash condition is very secure, it is not very maintainable because the rule would need to be updated each time a new version of the application is deployed. You should not create an Executable rule that allows access based on the Path condition. The Path condition checks the path of the program being launched. You can easily circumvent a Path rule by installing unauthorized applications into an authorized path. You should not create an Executable rule that denies access based on the Path condition. By default, access is denied to all applications that do not match an Allow rule

Answer 64

**Run the Sigverif command** You should run the Sigverif command. The Sigverif command launches the File Signature Verification tool. The File Signature Verification tool scans the system and identifies any system files and drivers that do not have a valid digital signature. The File Signature Verification tool is included with Windows 7 and can be launched from a command prompt. It creates a log file with a default name of Sigverif.log that lists each file scanned, its version, modification date, whether it is signed, the name of the catalog if there is one, and the file's signer. You should not run the SignTool utility. The SignTool utility can be used to sign a file or to verify the signature of a specific file. It does not scan the computer for system files and drivers and verify their signatures. The SignTool utility is available by installing the Windows Driver Kit. You should not use Credential Manager. You use Credential Manager to manage Windows authentication credentials, user certificates, and other authentication credentials, such as your Windows Live sign-on credentials. You should not use Device Manager. You use Device Manager to troubleshoot device configuration problems, such as drivers that are not loaded correctly or device conflicts. There is no option to scan for unsigned device drivers

Answer 65

**Turn off Managing SmartScreen Filter** You need to enable the Turn off Managing SmartScreen Filter policy. This will prevent users from making changes to the SmartScreen filter policy configured for their computers. The SmartScreen filter is similar to the Phishing filter introduced with Internet Explorer 7, but it contains several improvements, including improved anti-malware support. You should not enable the Turn off InPrivate Filtering policy or the Turn off InPrivate Browsing policy. These policies are used to control InPrivate settings. InPrivate browsing and InPrivate filtering prevent retention of browsing history for the current session. You should not enable the Disable the Security Page policy. This would prevent the user from making any changes to Internet Explorer security configuration settings.

Answer 66

**Manually connect to the network listed as Unnamed Network and enter the SSID when prompted.** You should manually connect to the network listed as Unnamed Network and enter the SSID when prompted. This solution ensures that the WAP is sent probe packages only when the client connects, minimizing the possibility of compromising the SSID. Configuring a WAP to not broadcast its SSID is not a reliable security measure. Even though the WAP is not regularly broadcasting its SSID, it will send its SSID as the response to a probe by a wireless client. Wireless clients configured for automatic connection will probe the WAP every 60 seconds, increasing the possibility that the SSID could be detected. You should not configure the network properties to connect automatically to the WAP when in range. This setting is used to automatically connect to wireless networks that broadcast their SSIDs. You should not configure the network properties to connect automatically to the WAP when in range and connect even if the network is not broadcasting. This will cause the WAP's SSID to be listed as an available network and will cause the WAP to be probed regularly, potentially exposing it to unauthorized users. You should not modify the WAP to have it broadcast its SSID. This would make the WAP readily visible to any client in range. Even though not broadcasting the SSID is not a reliable security measure, broadcasting the SSID is even less secure. This is because broadcasting the SSID announces the existence of the WAP whether or not any valid clients are attempting to connect to the WAP.

Answer 67

**The Windows Vista Business and Windows Vista Enterprise computers** You can directly upgrade Windows Vista Business and Windows Vista Enterprise computers to Windows 7 Enterprise edition. You cannot upgrade Windows XP Professional computers to Windows 7. You must perform a migration. You can migrate settings using either Easy Transfer or the User Settings Migration Tool (USMT). You must select a Custom installation. Supported upgrade paths do not affect the availability of upgrade pricing. You can purchase Windows 7 for an upgrade price even if your current edition of Windows Vista does not support an upgrade to the edition of Windows 7 you purchase. However, you would need to migrate settings and perform a Custom installation instead of performing an upgrade.

Answer 68

**Create a Windows PE image that includes the network adapter driver and ImageX.** You should create a Windows Preinstallation Environment (PE) image that includes the network adapter driver and ImageX. System images are applied by booting to Windows PE and running ImageX with the /apply option. Because the network adapter driver is not included in Windows 7, you need to ensure that it is installed on the Windows PE image. You should not boot each computer to the existing operating system. You can only apply an image if the computer is booted to Windows PE. You should not create a Windows PE image that includes the network adapter driver and Windows SIM. Windows SIM is used to create answer files, not to apply images. You should not create a system repair disc that includes the network adapter driver. A system repair disc is used to boot a computer to the Windows Recovery Environment (RE) and can be used to recover a failed system. It cannot be used to apply an installation image.

Answer 69

**255.255.255.224** You should use 255.255.255.224 as the subnet mask. This provides for three network address bits, which supports up to eight subnets. This subnet mask supports up to 30 hosts per subnet, enough to meet current and future requirements. You should not use 255.255.255.192. This configuration supports four subnets, so it does not meet the requirements. You should not use 255.255.255.240. This subnet mask supports up to 16 subnets, but only 14 hosts per subnet. It meets current needs, but not future requirements. You should not use 255.255.255.248. This subnet mask supports no more than six hosts per subnet.

Answer 70

**Create the VHD as a fixed VHD file on a local hard disk.** You should create the VHD as a fixed VHD file on a local hard disk. The three supported VHD file types are fixed, dynamic, and differencing. A fixed-type VHD is recommended for production environment use. Creating the VHD as a fixed VHD file on a local hard disk lets you ensure that the VHD file is created at a fixed size. A fixed-type VHD provides the best disk performance. For best performance, the volume hosting the VHD should also have sufficient space to host the paging file. You should not compress the VHD file by using NTFS compression. A compressed VHD file does not support native boot. You should not create the VHD as a dynamic VHD file on a local hard disk. The VHD is expanded to its maximum file size during startup. A dynamic VHD does not make the best use of disk space or provide disk performance as good as a fixed-type VHD. You should not create the VHD as a differencing VHD on a remote share. A VHD on a remote share or a USB flash drive does not support native boot.

Answer 71

**Boot the reference computer from a Windows PE image and run ImageX.** You should boot the reference computer from a Windows Preinstallation Environment (PE) image and run ImageX. The ImageX utility allows you to capture, mount, and apply images. Before you can capture an image, you need to create a Windows PE image that includes ImageX and then boot the reference computer from that image. You should not boot the reference computer from a Windows PE image and run Windows SIM. Windows SIM is used to create answer files, not to capture images. You cannot execute Windows SIM from a Windows PE environment. You should not boot the reference computer from the Windows 7 installation DVD and run ImageX. You must boot the computer to a Windows PE environment that includes the ImageX tool. Your only options when booting from the Windows 7 installation DVD are to install Windows 7 or repair a Windows 7 installation. You should not boot the reference computer from the Windows 7 installation DVD and run Windows SIM. Windows SIM is used to create answer files, not to capture images. Also, you cannot launch Windows SIM by booting from the Windows 7 installation DVD. Your only options when booting from the Windows 7 installation DVD are to install Windows 7 or repair a Windows 7 installation.

Answer 72

**Run BCDedit.** You need to run BCDedit. BCDedit lets you modify an existing Boot Configuration Data (BCD) store to include the VHD in the boot menu. Windows 7 can boot directly from the VHD. You should not restart the computer as your only action. The computer will restart using the current default boot option and will not modify the boot menu. You should not run BCDboot. You would use BCDboot if the computer were running an earlier Windows version to update the boot environment and support booting from a VHD. Because you already have an instance of Windows 7 installed on the computer, there is no need to run BCDboot. You should not run ImageX. You would use ImageX to create a bootable image and prepare a VHD, not to make the VHD available for startup.

Answer 73

**Assign the DataProc group the shared Print permission.** You should assign the DataProc group the shared Print permission. This enables members of the DataProc group to submit documents for printing and for each user to manage his or her own documents. Users cannot manage other users' documents. By default, the Everyone group is assigned the print permission when you share a printer. Because you removed the default share permissions, you must explicitly assign the Print permission to the DataProc group. You should not create a new printer filter. A printer filter is used to control what printers are displayed, not to control printer permissions. You should not add the DataProc group to the Printer Operators group. Members of the Printer Operators group can manage their own print jobs as well as other users' print jobs. You should not deploy the printer and assign permissions through Group Policy. Client computers not running Windows 7 are not supported by default when you deploy printers through Group Policy. For other clients, you would need to have the PushPrinterConnections.exe tool run from a startup script on the client

Answer 74

**Upgrade the computer to Windows 7 Ultimate.** You should upgrade the computer to Windows 7 Ultimate. Although you can create AppLocker rules on a computer running Windows 7 Professional, you cannot enforce them. You must upgrade to either Windows 7 Ultimate or Windows 7 Enterprise to enforce AppLocker rules. You should not create a Script rule that denies Temps access to applications in C:\CompanyData. A script rule is used to allow or limit access to a specific script. A script rule does not affect executable files. You should not configure executable rules and select Enforce in AppLocker Properties. You cannot enforce AppLocker rules on a computer running Windows 7 Professional. You should not delete the default rules. The default rules allow Everyone access to programs in the Program Files folder and the Windows folder and allow Administrators access to all programs.

Answer 75

**192.168.123.154** You should use 192.168.123.154. This is part of the subnet defined as 192.168.123.128/26. This is equivalent to a network address of 192.168.123.128 with a subnet address of 255.255.255.192. The default gateway must have a valid address in the subnet's address range. The valid range, in this case, is 192.168.123.129 - 192.168.123.190. You should not use 192.168.123.001. This host address is part of a different subnet, the 192.168.123.0/26 subnet. You should not use 192.168.123.128 or 192.168.123.192. These are both network addresses in this configuration and cannot be assigned as host addresses.

Answer 76

**Use ImageX.** You should use ImageX to apply the image to the VHD. After creating the VHD, you would prepare a reference computer, use ImageX to capture the image, and then use ImageX to copy that image to the VHD. You would then dismount the VHD and use Copy to copy it to a network share or USB drive for distribution. You should not use BCDboot to prepare the native-boot VHD image. You would need BCDboot if you applied the VHD to a computer that did not already support a Windows 7 boot environment to enable the computer to boot from the VHD. You should not use DISM. DISM is used to service a Windows image, not to distribute the image or apply it to a VHD. You should not use the Copy command to apply the image to the VHD. After applying the image, you would use the Copy command to distribute the image.

Answer 77

**Deploy downstream WSUS servers in the remote offices and have them retrieve a list of updates to be installed, but not the updates, from an upstream server in the main office. Have remote computers directly download the updates.** You should deploy downstream WSUS servers in the remote offices and have them retrieve a list of updates to be installed, but not the updates, from an upstream server in the main office. You should have remote computers directly download the updates. This gives you central control over which updates are applied, but because only the list of updates is downloaded to the remote servers, the traffic generated is kept to a minimum. Downloading the updates does not impact traffic over the remote links because remote computers connect directly to the Internet. You should not deploy a central WSUS server in the main office and have remote computers download a list of the updates to be installed, but not the updates, from the main office and then have remote computers directly download the updates. Because each computer retrieves the list of updates individually from the WSUS server in the main office, traffic over the link is not minimized. You should not deploy a central WSUS server in the main office and downstream servers in the remote offices in replica mode. In this configuration, updates, approval status, and computer groups are downloaded to the downstream server, so traffic over the remote link is not minimized. You should not deploy a central WSUS server in the main office and downstream servers in the remote offices in autonomous mode. In this configuration, downstream servers are managed separately, so updates are not centrally managed. This configuration also has the greatest bandwidth requirements.

Answer 78

**Use Diskpart to attach the VHD.** You should use Diskpart to attach the VHD. You must attach the VHD as a hard disk before you can boot from it. You can use either Diskpart or Disk Management to attach the VHD. After attaching the VHD, you can use Bcdedit to add the VHD to the boot menu and, if applicable, set it as the default boot option. You should not use Hyper-V to create a virtual machine. A virtual machine runs inside a session of Windows. You cannot boot a computer from a virtual machine. You should not execute Bcdedit first. You must attach the VHD and then run Bcdedit to add it to the boot menu. You should not modify the Boot.ini file. In older versions of Windows, you created a boot menu by editing the Boot.ini file. The default partitioning scheme of Windows 7 creates a hidden partition that is used to boot the system. You can change the boot menu by using Bcdedit.

Answer 79

**PowerShell scripting** Support personnel should use PowerShell scripting to remotely create and restore from system restore points. PowerShell 2.0 on Windows 7 lets you use the WS-Management (WS-MAN) protocol to run cmdlets to perform these actions on remote computers. They should not use Windows RE. Windows RE is run locally, not remotely. Also, you can use Windows RE to restore from a system restore point, but not create a restore point. They should not use Wbadmin. Wbadmin is the Windows backup and restore command line utility and is not used to create restore points. They should not use RSAT. RSAT is used with PowerShell for remote group policy management.

Answer 80

* **Launch a command prompt with elevated permission and run wecutil qc** * **Create an event subscription.** You should launch a command prompt with elevated permission and run wecutil qc. The Windows Event Collector Utility (wecutil) configures a computer to perform WS-Management data collection when run with the qc option. You should also create an event subscription on the collector computer. You can create an event subscription using Event Viewer or by using the cs option of wecutil. You do not need to launch a command prompt with elevated permission and run winrm quickconfig on the technician computer. The Windows Remote Management Command Line Tool (winrm) allows you to configure a computer to accept WS-Management requests. These requests are sent by the collector to the source computers by default. You would only need to run winrm quickconfig on the collector computer if you needed to optimize collection by minimizing either bandwidth or latency. You should not add the computer accounts for the source computers to the Administrators group on the technician computer. Instead, you need to add the computer account for the technician computer to the Administrators group on each source computer.

Answer 81

**Access Devices and Printers. Select a printer and choose Manage Default Printers.** You should access Devices and Printers, select a printer, and choose Manage Default Printers. The Manage Default Printers dialog box allows you to associate a printer with a network location. You should not access Network and Sharing Center and select Change advanced sharing settings. The Change advanced sharing settings option allows you to change the security settings for Home, Work, and Public networks. For example, you can enable or disable Network Discovery and configure file sharing options. You should not access Default Programs and select Set program access and computer defaults. This option is used to identify the programs used for certain activities, such as Web browsing and e-mail. You should not access the Hardware tab of System Properties and select Device Installation Settings. This option is used to configure whether device drivers can be downloaded from Windows Update.

Answer 82

**Create a configuration set.** You should create a configuration set. A configuration set is a subset of a distribution share that is suitable for installations from removable media. It contains the binaries that are referenced in the Unattend.xml file. You should not create a package. A package is used to deploy operating system updates and language packs. You should not append the distribution share to the image. The /append option of ImageX is used to append multiple images to a .wim file, not to append files in a distribution share. You should not dismount the image. You mount an image to make changes to it and dismount it after changes have been made.

Answer 83

**Use IP Security (IPSec) Tunnel Mode with Internet Key Exchange version 2 (IKEv2).** You should use IKEv2. The ability to automatically reestablish a VPN tunnel, known as VPN reconnect, is a feature of Windows 7 and Windows Server 2008. IKEv2 is the only tunneling protocol that supports VPN reconnect. When using IKEv2 and VPN reconnect, a client is automatically reconnected when switching between wired and wireless connections, moving between different wireless access points, or temporarily losing Internet connection. Typically, if a VPN connection is lost, even temporarily, it must be manually reestablished. You should not use SSTP, PPTP, or L2TP/IPSec. These are all valid tunneling protocols and supported by Windows 7, but none of these protocols support VPN Reconnect.

Answer 84

**Netsh** You should use Netsh. The Netsh utility allows you to view and configure IPv6 settings on a local computer or a remote computer. To view the addresses on a local computer, you would run the following: netsh interface ipv6 show addresses To view the addresses on a remote computer, run netsh with the -r option and specify the name of the computer. You should not use Ipconfig. You can use IPconfig to display the IPv6 configuration of the local computer, but not of the remote computer. You should not use Netstat. The Netstat utility is used to list the listening ports on a computer. You should not use Net view. The Net view command is used to list the computers on the network.

Answer 85

**Configure the startup type as Automatic.** You should configure the startup type as Automatic. This setting is used for device drivers that should start after drivers critical to basic system operation. This setting enables the driver to support detection. You configure the Startup type through Device Manager. Before you can manage non-plug-and-play devices, you must select Show hidden devices from the Device Manager View menu. You can then choose to view and manage non-plug-and-play devices. You should not configure the startup type as Boot. The Boot startup type is used for the first device drivers to start during system startup and should be used only for drivers critical to basic system operations. You should not configure the startup type as Demand. Demand is used to identify drivers that are started on an as-needed basis. This setting does not support device detection. You should not configure the startup type as System. Like Boot devices, this is used for devices that are essential for system operation. System startup type devices start after devices configured as Boot startup type devices.

Answer 86

**Insert the smart card in the computers' smart card readers.** You should insert the smart card in the computers' smart card readers. This is all that is necessary for a PIV-compliant smart card on a computer running Windows 7. Even if the vendor-specific driver is not available, the correct minidriver for a smart card is retrieved automatically and will support smart card logon. You should not manually install the device driver after inserting the smart card in the computers' smart card readers. Smart card logon does not require a vendor-specific driver. In many cases, the appropriate driver is published through Windows Update rather than shipped with the smart card. If the computers could connect to the Internet, you would likely let the computers download a manufacturer-specific driver. This is not possible in this case because the computers cannot connect to the Internet. You should not manually install support middleware after inserting the smart card in the computers' smart card readers. When used with Windows 7, additional middleware is not required in this scenario. You should not download the appropriate driver from Windows Update from a computer with Internet access and install the driver. This requires more effort than necessary because the Windows 7 minidriver supports this type of smart card logon.

Answer 87

**Create and link a domain Group Policy for power management to require a password when a computer resumes from Standby.** You should create and link a domain Group Policy for power management to require a password when a computer resumes from Standby. This will cause the client computers for a password when waking. This policy will apply to computers running Windows 7, Windows Vista, and Windows XP. You should not create and link a domain Group Policy or configure Local Policy for power management to have the computers enter Hibernation instead of Standby. This does nothing to cause a computer to prompt for a password when waking. You should not create Local Policy for startup to execute Powercfg.exe on each computer. Powercfg.exe can be used to configure power management, but this solution would require more effort than necessary. You should not configure Local Policy for power management to require a password when a computer resumes from Standby. This would properly configure the clients, but it would require more effort than using Group Policy.

Answer 88

**Use Protected Extensible Authentication Protocol (PEAP)-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).** You should use PEAP-MS-CHAP-v2. MS-CHAP-v2 provides authentication based on user name and password. PEAP provides a secure TLS-encrypted channel between the client and the authenticating server. You should not use EAP-TLS or PEAP-TLS. These authentication methods are based on the use of client certificates or smart cards, rather than user name and password. You should not use EAP-MS-CHAP-v2. EAP does not provide an encrypted channel between the client and authenticating server.

Answer 89

**Deploy a single Domain Name System (DNS) server.** You should deploy a single DNS server. A DNS server can provide host name resolution for both IPv6 and IPv4 addresses. You can use a single DNS server to provide host name support throughout the network if network clients are configured as DNS clients configured with the DNS server's address. You should not deploy a DNS server on each subnet. Typically, there is no reason to configure and deploy a DNS server on each subnet. One DNS server can typically support all hosts at a single site. You should not use LLMNR for name resolution. LLMNR supports name resolution on the local subnet only. You should not deploy separate DNS servers for IPv4 and IPv6. There is no need for separate servers, so this would require more effort than necessary. A single DNS server can be used to support both IPv4 and IPv6 addresses.

Answer 90

**Create separate Oobe.xml files for English and French. Do not create an Unattend.xml file.** You need to create separate Oobe.xml files for English and French. You should not create an Unattend.xml file in this scenario because it is not required for the scenario. You can accomplish the scenario requirements using Oobe.xml files only. The Oobe.xml file is used to customize Windows Welcome, OEM First Run application, and ISP Signup for an installation image. You can support multiple languages through a single image by providing a separate Oobe.xml file for each language. You would place the United States English file in the folder: \%WINDIR%\system32\oobe\info\244\1033 You would place the French language file with the Canadian settings in the folder: \%WINDIR%\system32\oobe\info\39\1036 You should not create a single Oobe.xml file. To keep the deployment as simple as possible, you should use a single deployment image. To support multiple languages, you need multiple Oobe.xml files. You should not create an Unattend.xml file. If you are only customizing Windows Welcome and regional settings, a custom Unattend.xml file is not needed.

Answer 91

**Use Windows System Image Manager (SIM).** You should use Windows SIM. Windows SIM provides a graphic user interface (GUI) that lets you create unattended installation answer files based on the components available in a Windows image file. This makes it possible to quickly create an answer file based on a specific image. You should not manually create and edit the Unattend.xml file. While this is possible, it is not recommended because of the amount of editing required and the potential for introducing errors in the file. You should not use Sysprep. Sysprep is used to prepare a source computer for use to create an image, not for creating an answer file from an existing image. You should not use DISM. DISM lets you apply an unattended answer file to an image when installing multiple packages to a Windows image. It is not used to create or modify answer files.

Answer 92

**Change the Turn Off the Display (Plugged In) policy in Group Policy.** You should change the Turn Off the Display (Plugged In) policy in Group Policy. When power settings are applied through Group Policy, they override settings defined in Power Options and prevent users from changing those settings using Power Options. You should not select the High Performance power plan. The High Performance power plan's default value for turning off the display is 15 minutes. Also, the setting in Group Policy will override the setting that is set by the High Performance power plan. You should not plug in the laptop and then change the Plugged in (Minutes) setting. Plugging in the laptop will not affect the availability of the setting. You should not create a custom power plan. A custom power plan would allow you to change the setting if it was not being set by Group Policy. However, Group Policy overrides all power plans, including custom power plans.

Answer 93

**Roll back to the previous driver and restart the computer normally.** You should roll back to the previous driver and restart the computer normally. You would use the Device Manager to display driver information and then roll back to the previous driver. When you install a new device driver, Windows retains the previous driver version. You should not restart the computer and select the option to start from the last known good configuration. Because the computer completed a successful startup after changing the device driver, using the last known good configuration will not change the device driver used and will not modify the computer's configuration. You should not restore the computer from the most recent backup. This will revert the computer to the state it was in when the backup was made. This might correct the problem, but it would make more changes than necessary to the computer. You should not recover to the most recent system restore point. This would rollback any changes back to that point and could make more changes than necessary to the computer unless the restore point was created just before the new driver was installed.

Answer 94

**Log on as TedS at the destination and run the following: LoadState \\myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml** You should log on as TedS at the destination and run the following command: LoadState \\myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml When you run LoadState as a user other than an administrator, user profile information for that user only is migrated. You should not log on as TedS at the destination and run the following command: LoadState \\myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml /lac /lae The /lac and /lae options are used for migrating local account profiles. You should not log on as an administrator before running LoadState. This will cause all user profiles collected by the ScanState command to be migrated. If you include the /lac and /lae options, you will migrate all domain and all local user profiles.

Answer 95

**Implement transparent caching.** You should implement transparent caching. With transparent caching, the requested file is cached locally on the client. Subsequent access requests are serviced from the cache, as long as the file has not changed on the source server. The server is contacted to determine if the file has changed before the client accesses the cached copy. Any changes are written to the server, not the cached copy. You should not implement mobile broadband device support. This is a feature of Windows 7 that provides for a consistent user interface for working with broadband devices from various manufacturers. You should not implement DirectAccess. DirectAccess allows users to connect to enterprise network resources over the Internet. This makes the user experience when connecting to resources over the Internet nearly the same as when connecting directly to the enterprise network. You should not implement BranchCache. BranchCache caches a copy of a file locally, but not necessarily on the requesting client. In distributed mode, the file is cached on the first client to access the file and access is provided from that client to other clients on the remote subnet. In host mode, files are cached centrally on a remote server. With either configuration, the cached copy is used only after verifying that the file has not changed on the source server.

Answer 96

**Run Migsetup from the Windows 7 installation DVD.** You should run Migsetup from the Windows 7 installation DVD. You cannot upgrade directly from Windows XP to Windows 7. You can migrate files and settings to Windows 7, but you must first use Migsetup to launch Windows Easy Transfer to transfer the files and settings to removable media or a network storage location. You would then install Windows 7 and run Windows Easy Transfer to migrate the settings. Applications are not migrated, so you will have to reinstall any applications after Windows 7 installation. You should not launch a default or custom installation from the Windows 7 installation DVD. Neither supports direct upgrade from Windows XP to Windows 7. You must first copy files for migration and then run the installation. You should not upgrade installed applications to Windows 7 compatible versions. This does not accomplish anything for you because installed applications are not migrated during Windows 7 installation when upgrading from Windows XP.

Answer 97

**Configure BitLocker to use a startup key stored on a USB flash drive.** You should configure BitLocker to use a startup key stored on a USB flash drive. It is strongly recommended, but not required, that you deploy BitLocker on a computer that supports TPM version 1.2. This provides for a more secure environment, but it is not required. When using BitLocker on a computer that does not support TPM version 1.2 hardware, you must use it with a startup key stored on removable media, such as a USB flash drive. You should not replace the computer motherboards with TPM 1.2 compliant motherboards. Even if an appropriate motherboard were available, this would be a more expensive and more time-consuming solution. You should not configure the boot drive to use BitLocker To Go. BitLocker To Go is used to encrypt removable media, not the computer's boot drive. You should not configure BitLocker to use a SmartCard to unlock encrypted drives. This is one of the options for unlocking drives encrypted with BitLocker To Go. You should not force system integrity verification at system boot. This is a check of the boot environment and prevents system startup if the boot environment has changed. Integrity verification requires TPM version 1.2, so it could not be used in this scenario.

Answer 98

**Run ScanState on the computer running Windows XP and copy settings to a server.** You need to perform a simple manual migration. The first thing you need to do is run ScanState on the computer running Windows XP and copy settings to a server. After upgrading the operating system, you would then run LoadState on the computer running Windows 7 and copy settings from the server to finish the user migration. User Settings Migration Tool (USMT), which is what you are using when you run ScanState and LoadState, does not migrate Office application settings for versions earlier than Office 2003. You should not run ScanState on the computer running Windows 7 and copy settings to a server. ScanState is run on the source operating system. You should not run ScanState to modify the Config.xml file. You are not running a default migration, so you have no reason to modify the Config.xml file. If you were running a default migration and wanted to identify what not to migrate, you could modify the Config.xml file by running ScanState with the /genconfig option. You should not manually modify the MigApp.xml file. There is no need to change the file because the settings do not migrate by default.

Answer 99

**Create a new public profile that blocks FTP access.** You should create a new public profile that blocks FTP access. Windows 7 supports multiple active Windows Firewall location-aware configuration profiles. Domain connections fall under the domain profile, and Internet connections are managed by the public profile. The public profile has no impact on domain connections. You should not create a new private profile that blocks FTP access. A private profile is applied for network connections that you have identified as private connections. Internet connections are always treated as public network connections. You should not modify the domain profile to block FTP access and enable FTP access by domain user for each authorized user. This would require more work than necessary to configure and would not meet the solution requirements. You should not deploy a domain isolation policy. A domain isolation policy uses mutual authentication to isolate computers that are domain members from computers that are not domain members. Client computers must support IP Security (IPSec) to connect to the protected computer. If you need to provide access for computers that do not support IPSec, you must create exemption rules for those computers.

Answer 100

**Upgrade client computers running Windows Vista to Windows 7.** You must upgrade client computers running Windows Vista to Windows 7. Desktop composition is not supported for RDC sessions between computers running Windows 7 and Vista, even if both are running RDC 7.0. Desktop composition provides a "like local" experience for remote client sessions using the Aero theme. You should not install Aero-capable graphics drivers on all clients. Windows 7 includes Aero-capable graphics drivers. This would be necessary if you wanted to support desktop composition on client computers running Windows Server 2008 R2. You should not configure the RDSH role on all clients. This is necessary on client computers running Windows Server 2008 R2. The RDSH role is supported on computers running Windows Server 2008 R2, but not on computers running Windows 7 or older Windows versions. RDSH enables a computer running Windows Server 2008 R2 to act as a Remote Desktop session host server. This makes it possible for remote desktop client computers to run programs on the server, save files to the server, and use server network resources. You should not shut down and restart all remote desktop clients. This will do nothing to enable desktop composition support on clients running Windows Vista.

Answer 101

**Authenticated bypass** You need to create an authenticated bypass rule. This lets you specify users, by user or group, or computers that can bypass inbound connection rules. You should not create an allow rule. An allow rule is used to explicitly allow a specific type of incoming or outgoing traffic. Traffic is not filtered by user or computer. You should not configure Windows Service Hardening. This is used to prevent services running on a computer from establishing connections. You should not configure a connection security rule. This type of rule is used to control how computers can authenticate under IPSec, not to filter access by user.

Answer 102

**Default Programs** You should use Default Programs. The Default Programs utility allows you to change the programs that are used by default when opening files with certain extensions or links that use a specific protocol. In this case, you can specify that Internet Explorer should open FTP URLs. You should not use the Content tab of the Internet Options utility. The Internet Options utility's Content tab allows you to set parental controls, manage certificates, and configure AutoComplete settings. It does not allow you to associate a program with a protocol. You should not use Compatibility View Settings. Compatibility View Settings allows you to configure a list of Web sites that should be displayed as if you were using an earlier version of Internet Explorer. Compatibility View is helpful when troubleshooting Web sites that do not display correctly in Internet Explorer 8. You should not use Windows Firewall. Windows Firewall allows you to allow or block specific types of traffic. It does not allow you to configure which program is used to handle requests for a specific protocol.

Answer 103

**oobeSystem** You should configure the script to run during the oobeSystem configuration pass. The oobeSystem configuration pass executes after Windows 7 installs and the system reboots, but before the Windows Welcome screen appears. You should not configure the script to run during the auditUser configuration pass. The auditUser configuration pass occurs only when you restart the reference computer in audit mode. It does not occur during setup. You should not configure the script to run during the windowsPE configuration pass. The windowsPE configuration pass occurs before Windows 7 is installed. You should configure tasks such as setting Windows PE environment settings, partitioning the hard drive, installing boot-critical drivers, and identifying the path to the image during the windowsPE configuration pass. You should not configure the script to run during the offlineServicing configuration pass. The offlineServicing configuration pass is used to apply packages to an offline image. A package might include updates, language packs, or drivers.

Answer 104

**Enable the Set BranchCache Hosted Cache mode policy in the Group Policy object (GPO).** You should enable the Set BranchCache Hosted Cache mode policy in the GPO. BranchCache can be configured to operate in either Hosted Cache mode or Distributed Cache mode. Group Policy currently configures the client computers to operate in Distributed Cache mode. However, the scenario requires that all data be cached to a service, which is the way Hosted Cache mode works. Therefore, you need to modify the GPO by enabling Hosted Cache mode. You should not enable the Configure BranchCache for network files policy in the GPO. This policy affects the latency that can be supported when using Distributed Cache mode. You should not execute the following command on each Windows 7 client: netsh branchcache set service mode=HOSTEDCLIENT location=BC-Srv While this command can be used to configure a client for Hosted Cache mode, it cannot be used in this scenario because Group Policy settings override a configuration set using netsh. You should not execute the following command on each Windows 7 client: netsh branchcache set cachesize = 0 This command is used to set the size of the cache. While setting the cachesize to 0 on the clients will prevent the client from caching data, it will not cause data to be cached on BC-Srv because clients are not configured to use Hosted Cache mode.

Answer 105

**Enable Public folder sharing. Move the photos to the Public Pictures folder.** You should enable Public folder sharing. All Windows clients can access files shared using Public folder sharing. To enable Public folder sharing, open the Network and Sharing Center and click Change advanced sharing settings. Under the Home or Work profile, select the Turn on sharing so anyone with network access can read and write files in the Public folders option. You should also move the photos to the Public Pictures folder. The Pictures library can only be accessed on the local computer by default. To share pictures using Public folder sharing, you need to move them to the Public Pictures folder. You should not create a homegroup or share the pictures to the homegroup. Only Windows 7 computers can access files shared to a homegroup. You should not share the pictures to the Public group. There is no group named Public by default. You share files using Public folder sharing by moving them to a Public folder, such as the Public Pictures folder.

Answer 106

**Modify and save the file.** You should modify and save the file. The previous version of a file is only listed if the file has been modified since the last restore point was saved. Therefore, you can force the file to be shown by opening, modifying, and saving the file. After the older version is shown, you can select it and choose Restore. System Restore is only supported on NTFS partitions. You do not need to enable shadow copy. Shadow copy is the technology used by System Protection to save previous versions of files. When System Protection is enabled, shadow copy is used automatically. You should not open Recovery in the Control Panel and select Restore your files. You use this option to restore files from backup, not to restore a deleted file that was saved in a restore point. You should not open the Previous Versions tab of the Document library. You can open Previous Versions for a folder or file, not the Documents library.

Answer 107

**Install a DirectAccess server on the perimeter network.** You should install a DirectAccess server on the perimeter network. DirectAccess allows client computers running Windows 7 or Windows Server 2008 to connect to intranet resources. A DirectAccess server must be a domain member and must be located on the perimeter network. It must have two network adapters: a public network adapter and a private network adapter. Both network adapters must be configured for IPv6. The public network adapter must be assigned two publicly-accessible consecutive IPv4 addresses. You should not install a DirectAccess server on the corporate network. The DirectAccess server must be installed on the perimeter network. You should not install a VPN server on the perimeter network or the corporate network. A VPN cannot work from some locations because it is blocked by firewalls. Also, remote management is not supported through a VPN connection.

Answer 108

**Use System Restore.** You should use System Restore, which is accessed through the System Properties dialog box. You can choose to restore the folder and its contents from a shadow copy made as a system restore point. Restore points are stored on the local hard disk, making them easily accessible. You should not use Windows Backup and Restore. Because the weekly backup is stored offsite, you would have to request that it be brought onsite before you could use it for recovery. You should not use Windows RE. You can run a system restore from Windows RE, but this would revert the computer back to the earlier version. You should not use Last Known Good Configuration. This does not restore data on the system, only configuration information after configuration changes have made a system unbootable.

Answer 109

**Install additional memory to reach 1 GB of memory.** You should install additional memory to reach 1 GB of memory. Current minimum installation requirements for Windows 7 are: \* 1 GHz 32-bit or 64-bit processor \* 1 GB of system memory \* 16 GB of available disk space \* Support for DirectX 9 graphics with 128 MB memory (to enable the Aero theme) In addition, a DVD drive is also needed if you are installing from the Windows 7 installation DVD. Microsoft recommends a DVD-R/W drive, but you do not need to write to DVD during a typical installation. There is no reason to replace the motherboard. A 1 GHz 32-bit processor is supported. There is no need to increase available disk space. There is no need to replace the graphics adapter. You should not use the computers as configured. As configured, they do not meet the minimum recommended configuration requirements.

Answer 110

**Use Task Scheduler to schedule a task that executes the wbadmin command with the -vsscopy option.** You should use Task Scheduler to schedule a task that executes the wbadmin command with the -vsscopy option. You can create a task that executes when an event that logs data to a log occurs. In this case, you will use the event generated by the payroll application as the trigger. Wbadmin is the Windows 7 command-line utility that can be used to start, stop, or view information about a backup. The -vsscopy option causes the files to be copied without clearing the archive bit. Therefore, it will not interfere with other backup programs. You should not use Task Scheduler to schedule a task that executes the wbadmin command with the -vssfull option. The -vssfull option causes the archive bit to be cleared. Therefore, the file will not be backed up the next time the third-party backup runs unless the file has been modified since the scheduled backup ran. You should not use Task Scheduler to schedule a task that executes the ntbackup command. The ntbackup command was used in older versions of Windows and is not supported in Windows 7. You should not create a scheduled Backup using Backup and Restore. Although you can create a backup that runs on a schedule using the Backup and Restore utility, you cannot use this utility to create a backup that runs in response to an event.

Answer 111

**ScanState.exe \\fs1\migration /p:c:\spaceNeeded.xml** You should use the following command: ScanState.exe \\fs1\migration /p:c:\spaceNeeded.xml The ScanState command allows you to migrate settings to a store. When you run it with the /p option, it estimates the amount of disk space necessary to store the files. By specifying a filename after the /p option, you cause the estimation to be performed using User State Migration Tool (USMT) 4.0 algorithms. An Extensible Markup Language (XML) file with a format similar to the following is generated: The storeSize reports the amount of disk space required at the location where the settings and documents will be stored. The temporarySpace reports the amount of temporary disk space required on the source machine while saving the files and on the target machine when restoring the files. When you use the /p option without a filename, the USMT 3.0 algorithm is used to calculate the space required. You should not use the following command: ScanState.exe \\fs1\migration /localonly /targetVista You use the /targetVista option when you are using USMT to migrate settings to a computer running Windows Vista. You use the /localonly option to migrate only settings and files that are located on the internal hard disk volumes, not on external drives or network shares. This command would create a store instead of just estimating the space required. However, the store would be optimized for Windows Vista. You should not use the following commands: ScanState.exe \\fs1\migration /genConfig:c:\spaceNeeded.xml Or ScanState.exe \\fs1\migration /genConfig:c:\spaceNeeded.xml /targetVista The /genConfig option is used to generate a configuration file without creating a store. These commands would not estimate the space required because you did not include the /p option.

Answer 112

**Windows Firewall** You should use the Windows Firewall utility to configure the computer. Windows Firewall allows you to configure whether notifications are displayed when an attempt to access the computer is blocked by Windows Firewall. Public networks and home/work networks are configured separately. As an alternative, you can configure these settings through Group Policy or by running netsh firewall or netsh advfirewall. You should not use Network and Sharing Center Advanced Options. This utility allows you to enable or disable network discovery and configure file sharing options for public and home/work networks. You should not use the Security tab of the Internet Options utility. The Security tab of Internet Options allows you to set a security level for Web sites in different zones. For example, you can set a different security level for accessing an Internet Web site than for accessing one on the local network. You should not use Notification Area Icons. This utility is used to determine whether a notification icon should be displayed in the notification area to show the status of various operations, such as a network connection, power, or Windows Update. Windows Firewall notifications cannot be configured through this utility.

Answer 113

**Run Enable-PSRemoting on the Windows 7 and Windows Vista computers.** You should run Enable-PSRemoting on the Windows 7 and Windows Vista computers. The Enable-PSRemoting cmdlet enables the computer to listen for WS-Management protocol messages. WS-Management protocol messages are sent when executing cmdlets in a remote PowerShell session. Both Windows 7 and Windows Vista can support remote PowerShell sessions. You should not run Enable-PSRemoting on the technician computer. You do not need to run Enable-PSRemoting on the sending computer, only on the receiving computer. You should not create Windows Firewall rules to enable Remote Desktop. You do not need to run Remote Desktop to remotely troubleshoot the computers. You can use PowerShell commands remotely over the WS-Management protocol.

Answer 114

**Create a system image on volume E.** You should create a system image on volume E. A system image is an exact image of your computer at the time it is taken. It includes applications and data files. You can recover a computer to a system image using the Recovery Control Panel utility if the operating system can be booted. If the operating system cannot be booted, you can recover to a system image by choosing Repair your computer from Advanced Boot Options or by booting from the installation DVD or a system repair disc and choosing Repair your computer. You can only create a system image on an NTFS partition, one or more DVD discs, or a network location. If you schedule a system image backup, you can only use an NTFS partition or a network location. You cannot create a system image on volume D because volume D is formatted as FAT32. You should not create a system repair disc on volume E. A system repair disc is used to boot the computer. It contains boot files and system tools you can use to repair a damaged system that will not boot to Windows. You cannot create a system repair disc on volume D. You can only create a system repair disc on a CD or DVD drive. In this case, you should not create a system repair disc at all.

Answer 115

**Use Recovery in Control Panel to recover to the last restore point.** You should use Recovery in Control Panel to recover to the last restore point. System Restore saves information about your system configuration before making a change, such as installing a device driver or application. You can try restoring to various restore points until your system is stable. You should not boot to the Last Known Good Configuration. The Last Known Good Configuration is stored each time a computer successfully starts. Because you successfully logged on before the computer stopped responding, Last Known Good Configuration does not store a stable configuration. You should not boot using the Windows installation DVD and select Repair your computer. This option displays the System Recovery options. The Startup Repair option allows you to replace damaged or missing operating system files, not recover from corrupted device drivers or application problems. You can, however, start System Restore from the System Recovery options menu. You should not use Recovery in Control Panel to recover a system image. This option is a last resort, as it will restore the computer to the last system image you backed up. You will lose all data, programs, and settings that have changed since the last system image backup.

Answer 116

**Start the computer in Windows 7. Insert the installation DVD and choose Upgrade.** You should start the computer in Windows 7, insert the installation DVD, and choose Upgrade. You can upgrade a computer running Windows 7 Home Premium to either Windows 7 Professional or Windows 7 Ultimate. To do so, you start the computer in Windows 7, insert the installation DVD, and when prompted for an installation type, choose Upgrade. You should not start the computer from the DVD and choose Custom. A Custom installation overwrites existing settings with a clean installation. You should not start the computer in Windows 7, insert the installation DVD, and run Migsetup.exe. The Migsetup.exe application is Windows Easy Transfer, which allows you to transfer settings from an old installation to a new installation. You would use Windows Easy Transfer if the upgrade path were not supported. You should not start the computer in Windows 7 and launch Windows Update. Windows Update is used to configure automatic updates for security updates and service packs. It is not used to upgrade to a different edition of Windows 7.

Answer 117

* **In Group Policy, enable the User Account Control: Only elevate executables that are signed and validated policy.** * **Add the publisher's certificate for each approved application to the Trusted Publishers certificate store.** You should do the following: \* Enable the User Account Control: Only elevate executables that are signed and validated policy in Group Policy. \* Add the publisher's certificate for each approved application to the Trusted Publishers certificate store. When the User Account Control: Only elevate executables that are signed and validated policy is enabled, an executable can only be allowed elevated permissions if it has been digitally signed and a publisher's certificate has been added to the Trusted Publishers certificate store on the computer. When this policy is not enabled, an application can request elevation even if it has not been digitally signed by a certificate belonging to a trusted publisher. You should not create an AppLocker Executable rule. You can create an AppLocker Executable rule to limit which applications can run, not which applications can request elevated permissions. You should not modify User Account Control Settings and select Always notify. This was the default UAC setting for Windows Vista. It does not prevent applications that are not signed from requesting and obtaining elevated permissions when run by an administrator. You should not enable the User Account Control: Only elevate UIAccess applications that are installed in secure locations policy. When this policy is enabled, applications that require User Interface Accessibility programs can only be given elevated permissions if they are installed in a secure location, such as %systemroot% or System32. However, the requirements in this scenario are not limited to UIAccess applications. They need to apply to all applications.

Answer 118

**Boot the image in audit mode and use Windows Update Stand-alone Installer (WUSA) to apply the update.** You should boot the image in audit mode and use WUSA to apply the update. You can apply updates to an online image only, so you must boot the image. However, you do not want to activate the image if it will be used as an installation source, so audit mode is required. Audit mode lets you make changes to a Windows installation without requiring you to activate the installation or finalize the computer for end-user use. After making necessary changes to the image, you can then recapture the image and use it as a source for deploying Windows 7. You should not use DPInst to apply the update. DPInst is used to install non-boot-critical hardware device drivers for hardware that is present in the computer. It is not used to apply system updates. You should not boot the image in audit mode and use OCSetup to apply the update. OCSetup can be used to make changes to an online image, such as installing applications or enabling Windows features, but it is not used to apply updates. You should not take the image offline and use DISM to apply the update. DISM can be used to install updates packaged as .msu files, but updates can be applied to an online image only.

Answer 119

* **Move the files to a network share.** * **Mount the new volume using the path to the Podcasts folder.** * **Move the files to the Podcasts folder.** You should do the following: \* Move the files to a network share. \* Mount the new volume using the path to the Podcasts folder. \* Move the files to the Podcasts folder. You can mount a volume to an empty NTFS folder to allow the fact that there is a separate hard disk to be transparent to users. Users can continue to access the folder just as they had before. The NTFS folder can be on a basic disk or a dynamic disk. You should not just mount the new volume using the path to the Podcasts folder. You need to move the files first because the folder must be empty. You should not create a VHD named Podcasts. A VHD is a block of disk space on a volume that is assigned a separate drive letter and name. You can host a VHD in a virtual machine or you can configure a Windows 7 computer to boot from a VHD. You should not do the following: \* Move the files to a network share. \* Create a virtual hard disk (VHD) named Podcasts. \* Move the files to the Podcasts VHD. A VHD is a block of disk space on a volume that is assigned a separate drive letter and name. You can host a VHD in a virtual machine or you can configure a Windows 7 computer to boot from a VHD.

Answer 120

**Run ScanState and then LoadState, both with the /hardlink option.** You should run ScanState and then LoadState, both with the /hardlink option. When you install Windows 7 to the Windows XP system folder, a Windows.old directory is created that contains files from the previous operating system. Running ScanState and LoadState with the /hardlink option identifies information that can be migrated and then performs the migration. You should not run LoadState without first running ScanState. You must run ScanState first to identify the information to be migrated. You should not run Windows Easy Transfer. Windows Easy Transfer is used to migrate files and settings, but not in this situation. You would need to back up information from the Windows XP installation first. You should not restore the backup made before installation. This would overwrite critical files and compromise the computer.

Answer 121

**Configure the WSUS server to store update metadata and update files and configure it as a BranchCache content server.** You should configure the WSUS server to store update metadata and update files and configure it as a BranchCache content server. This lets you manage updates from a central location. Update information is downloaded to the remote office once and shared from that location to other computers needing the update, so traffic is kept to a minimum. Updates are cached on client computers, so there are no additional hardware requirements. You should not configure the WSUS server to store update metadata and configure clients to download update files from Microsoft. This does not minimize traffic requirements because each client will be downloading update files individually. You should not configure the WSUS server to store update metadata and update files and configure a second WSUS server in the remote office in autonomous mode. This requires you to manage updates separately on the two WSUS servers, so management requirements are not minimized. This also does not minimize hardware requirements because an additional server is required. You should not configure the WSUS server to store update metadata and configure a second WSUS server in the remote office in replica mode. This solution requires an additional server and results in higher than necessary traffic levels to download update files.

Answer 122

**Open Power Options and access Advanced Power Settings for the Balanced power plan.** You should open Power Options and access Advanced Power Settings for the Balanced power plan. The Advanced Power Settings dialog box allows you to configure whether the user needs to supply the password when waking a computer up from sleep based on whether the computer is plugged in or on battery power. You can access Advanced Power Settings for a default power plan or a custom power plan. Another way to make this configuration change would be to apply it through Group Policy. You should not open Power Options and click Require a password on wakeup. This option allows you to select whether to require a password for wakeup, but it does not allow you to set the option separately based on whether the computer is running on battery power or plugged in. You should not open User Accounts and access User Account Control Settings. These settings allow you to configure the circumstances under which you are prompted for elevation of permissions. It does not allow you to configure whether a user is prompted for a password during wakeup. You should not open the Ease of Access Center. The Ease of Access Center is used to configure accessibility options, such as the narrator and magnifier.

Answer 123

**Use DISM to modify the existing image.** You should use the Deployment Image Servicing and Management (DISM) tool to modify the existing image. DISM is designed to let you service offline images. Available service options include adding language packs and international settings to an existing custom image. You should not create a new reference image containing the necessary language packs and recreate the image. This requires both more effort and more hardware than using DISM to modify the existing custom image. You should not use Windows SIM to modify the existing image. You can use Windows SIM to create an answer file that can be used, in turn, with DISM to modify an offline image. You cannot use Windows SIM to directly modify the image. You should not use DISM to reconfigure and modify a default retail image. It would require more effort to match the modified image to the custom image than to directly modify the custom image.

Answer 124

**Create an AppLocker Windows Installer rule based on the Publisher condition.** You should create an AppLocker Windows Installer rule based on the Publisher condition. An AppLocker Windows Installer rule is used to limit which .msi and .msp files a user can execute. When you create an Allow rule based on the Publisher condition, you limit the Windows Installer files that can be installed to those signed by a publisher. You can allow any signed files to execute by using the wildcard (\*) character. You should not create an AppLocker Script rule based on the Hash condition. A Script rule is used to limit which script files a user can execute, including PowerShell files, VB Script files, JavaScript files, and batch files. The Hash condition calculates a hash of the file and compares it with the hash specified in the rule. If the two values do not match, the rule is not enforced. In this case, you cannot calculate a hash because any digitally signed .msi file should be permitted. You should not create a Certificate rule in Software Restriction Policies. Software Restriction Policies can be used to limit which applications a user can execute on a Windows XP, Windows Vista, or Windows 7 computer. It is used for backwards compatibility. A Certificate rule is used to configure a rule that is enforced for an application signed by a specific publisher. You must select a certificate when configuring a certificate rule. You should not create a Hash rule in Software Restriction Policies. The Hash rule calculates a hash of the file and compares it with the hash specified in the rule. If the two values do not match, the rule is not enforced.

Answer 125

**Execute ScanState and store the results on a network share.** You should execute ScanState and store the results on a network share. ScanState is a User State Migration Tool (USMT) command that allows you to save local user profiles and documents in a compressed or uncompressed format. When performing an installation that does not have a supported upgrade path, you can use ScanState to store the data and LoadState to configure the computer using the stored state data and documents. Because you must repartition the drive, you need to store the data to a network share. You should not execute ScanState with the hardlink option. The hardlink option provides better performance because it stores the data locally. However, you cannot use the hardlink option when you need to repartition the drive. You cannot perform an upgrade. Although you can upgrade from Windows Vista Business to Windows Vista Ultimate, you cannot repartition the drive during an upgrade. You should not create an image backup of each computer. An image backup can be used to recover a system to its exact state. It is not used during migration.

Answer 126

**Convert volume D to NTFS.** You should first convert volume D to NTFS. You need to create unallocated space by either deleting a volume or shrinking a volume. Deleting a volume results in data loss. Shrinking a volume does not result in data loss. However, you can only shrink an NTFS volume. Therefore, you need to convert volume D to NTFS before shrinking it. You should not shrink volume C. You cannot shrink a volume beyond the amount of used disk space. You need a 15 GB volume, and there is only 10 GB of unused space available on volume C. You do not need to convert the disk to a dynamic disk. You can shrink a volume on a basic disk. You should not shrink volume D first. You must convert volume D to NTFS before you can shrink it.

Answer 127

**In Local Group Policy, enable Deny write access to removable data drives not protected by BitLocker.** You should enable Deny write access to removable data drives not protected by BitLocker in Local Group Policy. BitLocker To Go allows you to protect the contents of a removable drive to prevent unauthorized access by users who cannot authenticate using a PIN or smart card. The policies that govern BitLocker To Go are located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives. You should not enable Removable Disks: Deny write access. Enabling this policy will prevent users from writing data to a removable drive. If this policy and the Deny write access to removable data drives not protected by BitLocker policy are enabled, the Removable Disks: Deny write access policy takes precedence. You should not encrypt all confidential files using EFS. If an encrypted file is copied to a non-NTFS file system, it loses encryption. Therefore, a user could copy a confidential file to a FAT32 removable drive, and security of the data would be compromised. You should not execute the cipher /r command. The cipher /r command is used to create an EFS Recovery Agent certificate. You would use an EFS Recovery Agent certificate to decrypt files if the certificate used to encrypt files using EFS was no longer available.

Answer 128

**Modify the Remote Desktop Inbound rule of Windows Firewall.** You should modify the Remote Desktop Inbound rule of Windows Firewall. Inbound rules allow you to configure which computers are allowed to access specific applications using an inbound request. In this case, you will enable the Remote Desktop inbound rule and add the technician computers to the Authorized Computers list. You cannot modify the Remote Desktop Outbound rule of Windows Firewall. Remote Desktop is an inbound rule, not an outbound rule because another computer initiates the communication. You should not add Remote Desktop to the Allowed Programs list of Windows Firewall. If you add Remote Desktop to the Allowed Programs list, Remote Desktop sessions will be allowed from any computer, not just from technician computers. You should not add the technician computers to the Remote Desktop Users group. You use the Remote Desktop Users group to assign permission for a user to log on through a Remote Desktop session. You do not add computers to the Remote Desktop Users group. Also, by default, Windows Firewall does not allow Remote Desktop sessions.

Answer 129

**Implement BitLocker drive encryption on the client.** You should implement BitLocker drive encryption on the client. You need to implement some type of encryption on the client to protect the files. BitLocker provides a high level of protection even if the computer is lost or stolen. Not only is data on the hard disk encrypted, but you can require multifactor authentication before the computer can be booted. You should not implement EFS on the client. EFS provides less protection if the computer is lost or stolen, which would give a hacker time to break the encryption. You should not implement EFS or BitLocker drive encryption on the server as a way of protecting cached files. Encrypting the file on the server does not cause the file to be automatically encrypted when it is cached on the client. You should not implement BitLocker To Go drive encryption on the client or the server. BitLocker To Go is a version of BitLocker that can be used on removable media to provide encryption.

Answer 130

**Create and link a Group Policy defining File System Object Access.** You should create and link a Group Policy File defining System Object Access. The enhanced auditing supported for Windows Server 2008 and Windows 7 gives you the ability to configure a file system access control list (SACL) for any or all file system objects, including both files and folders. You can specify the audit events and specific events to be audited. You should not create and link a Group Policy defining File Share Object Access. This policy would apply to all shared folders on the computer and does not let you limit auditing to specific folders. You should not create and link a Group Policy defining File System Global Object Access Auditing. When you define a Global Object Access Auditing SACL, the SACL applies to every object of that type. If a computer is configured with both a file system SACL and global SACL, the effective audit policy will be a combination of both the file system and global policy settings. You should not configure resource auditing locally on each computer or create scripts to enable auditing and run the scripts on each computer to be audited. Either of these methods would take more effort than necessary. These methods would be necessary to configure the auditing needed on older Windows versions, but not for Windows 7 or Windows Server 2008.

Answer 131

**Set the default gateway for the Wireless Network Connection to the correct value.** You should set the default gateway for the Wireless Network Connection to the correct value. Because you can access local resources, but not Internet resources, you know that the problem is caused by an invalid default gateway or an invalid subnet mask. When the default gateway is not correctly configured, the network is displayed as an unidentified public network. You cannot change the network location of the Wireless Network Connection to Home network. You cannot change the network location until after you resolve the IP configuration issue. You should not change the network location of the Wireless Network Connection 2 to Public network. The Wireless Network Connection 2 network is not currently connecting to a network. Also, you configure a network as a Public network to increase security when connecting to public Wi-Fi networks. You should not set the default gateway address for the Wireless Network Connection 2 to the correct value. The Wireless Network Connection 2 network is not currently connecting to a network. The network settings that need to be reconfigured are those associated with Wireless Network Connection.

Answer 132

1. **Create a second custom shim database and add the shim you need to test** 2. **Test the shim through customer acceptance testing** 3. **Open the master copy of the shim database** 4. **Copy and paste the shims from the secondary database to the master database** When adding a shim to a custom shim database, you should: \* Create a second custom shim database and add the shim you need to test. \* Test the shim through customer acceptance testing. \* Open the master copy of the shim database. \* Copy and paste the shims from the secondary database into the master database. You should not add the shim directly to the master copy of the shim database for testing in case the shim introduces additional problems. Instead, you should test the shim from a second database. Once you have verified that the fix works and does not introduce new problems, you can copy the shim (or shims) into the master copy of the shim database.

Answer 133

1. Vista Home Basic 2. Vista Home Premium 3. Vista Ultimate 4. Vista Business 5. Vista Enterprise

Answer 134

1. Windows 7 Home Basic 2. Windows 7 Home Premium 3. Windows 7 Ultimate 4. Windows 7 Professional 5. Windows 7 Enterprise

Answer 135

1. Windows 7 Home Basic 2. Windows 7 Home Premium 3. Windows 7 Ultimate

Answer 136

1. Windows 7 Home Premium 2. Windows 7 Ultimate

Answer 137

1. Windows 7 Ultimate

Answer 138

1. Windows 7 Professional 2. Windows 7 Enterprise 3. Windows 7 Ultimate

Answer 139

1. Windows 7 Enterprise

Answer 140

1. TKIP or AES 2. 802.1x server or a pre-shared key 3. No

Answer 141

1. TKIP or AES 2. Pre-shared key (PSK) 3. Yes

Answer 142

1. WEP 2. Protected Extensible Authenticatioin Protocol (PEAP) or certificate authentication 3. No

Evernote Flashcards

(166 cards)