Chapter 10: Lesson Review Answers

Lesson 2

1. Correct Answer: D
   A. Incorrect: PPTP VPNs do not support the VPN Reconnect feature in Windows 7.
   B. Incorrect: L2TP/IPsec VPNs do not support the VPN Reconnect feature in Windows 7.
   C. Incorrect: SSTP VPNs do not support the VPN Reconnect feature in Windows 7.
   D. Correct: The IKEv2 VPN type is the only VPN type that supports the VPN Reconnect feature in Windows 7.

2. Correct Answer: A
   A. Correct: SSTP VPN connections work using the same ports as secure Web browsing connections. This allows users who can browse the Web using a motel Internet connection to connect through VPN.
   B. Incorrect: IKEv2 uses UDP port 500, which is likely to be blocked by firewalls that block all traffic other than the common protocols used by Web browsers.
   C. Incorrect: PPTP uses port 1723, which is likely to be blocked by firewalls that block all traffic other than the common protocols used by Web browsers.
   D. Incorrect: L2TP/IPsec uses UDP port 1701, which is likely to be blocked by firewalls that block all traffic other than the common protocols used by Web browsers.

3. Correct Answers: C and D
   A. Incorrect: SSTP is supported only on Routing and Remote Access servers running Windows Server 2008 and Windows Server 2008 R2.
   B. Incorrect: IKEv2 is supported only on Routing and Remote Access servers running Windows Server 2008 R2.
   C. Correct: PPTP is supported by Routing and Remote Access servers running Windows Server 2003 R2.
   D. Correct: L2TP/IPsec is supported by Routing and Remote Access servers running Windows Server 2003 R2.

4. Correct Answers: A, B, and C
   A. Correct: You can use the PEAP authentication protocol with an IKEv2 VPN.
   B. Correct: You can use the EAP-MSCHAP v2 authentication protocol with an IKEv2 VPN.
   C. Correct: You can use Microsoft Smart Card or Other Certificate to authenticate an IKEv2 VPN.
   D. Incorrect: You cannot use the CHAP protocol with an IKEv2 VPN. IKEv2 VPNs can be authenticated only using EAP or computer certificates.

5. Correct Answer: C
   A. Incorrect: DirectAccess is not available on computers running Windows 7 Professional. If DirectAccess were available, this solution would work.
   B. Incorrect: You should not configure Remote Desktop Connection to use the Remote Desktop Gateway at remote-desktop.contoso.internal and then connect to rdgateway.contoso.com, because the Remote Desktop Gateway is located at rdgateway.contoso.com. In this answer, the positions of the RD Gateway server and the Remote Desktop Services server are switched.
   C. Correct: You should configure Remote Desktop Connection to use the Remote Desktop Gateway at rdgateway.contoso.com and then connect to remote-desktop.contoso.internal.
   D. Incorrect: DirectAccess is not available on computers running Windows 7 Professional. If it were, you would want to connect to remote-desktop.contoso.internal rather than to the Remote Desktop Gateway server.

Chapter 10: Case Scenario Answers

Case Scenario 1: Wingtip Toys DirectAccess

1. Upgrade the server to Windows Server 2008 R2. The rest of the server's configuration supports DirectAccess because it is a member of the domain, has two consecutive public IP addresses assigned to its Internet interface, and has the appropriate computer certificates installed. You can install the DirectAccess feature on this server once it has been upgraded to the newer operating system.
2. You should create a global security group in the Wingtip Toys domain.
3. Upgrade the client computers to Windows 7 Enterprise or Ultimate edition. Add them to the security group that you have configured to support DirectAccess. Install computer certificates.

Case Scenario 2: Remote Access at Tailspin Toys

1. Windows 7 Enterprise supports IKEv2 VPNs, though Windows Server 2003 R2 x64 Routing and Remote Access servers do not. It is necessary to upgrade the Routing and Remote Access server to Windows Server 2008 R2 to support IKEv2 VPNs.
2. Install an antivirus update server and a WSUS server on the quarantine network so that clients can update themselves to become compliant.
3. You should use the EAP-MS-CHAPv2 authentication protocol because this allows password authentication.

Chapter 11: Lesson Review Answers

Lesson 1

1. Correct Answers: A, D, and E
   A. Correct: A BitLocker-encrypted volume must be configured with a unique identifier to be used with a DRA. You must configure the Provide The Unique Identifiers For Your Organization policy to assign this identifier.
   B. Incorrect: The Choose Default Folder For Recovery Password policy allows the recovery password to be saved in a particular location. A recovery password is different from a DRA, which involves a special certificate that can be used to recover all BitLocker-encrypted volumes in an organization.
   C. Incorrect: The Choose How Users Can Recover BitLocker-Protected Drives policy specifies whether recovery occurs via a password or a USB flash drive and key. This is separate from a DRA, which involves a special certificate that can be used to recover all BitLocker-encrypted volumes in an organization.
   D. Correct: You need to specify the DRA to be used in the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption policy to configure BitLocker to support DRAs.
   E. Correct: You need to configure the Choose How BitLocker-Protected Operating System Drives Can Be Recovered policy and specify that a DRA can be used to recover protected operating system drives.

2. Correct Answers: C and D
   A. Incorrect: The Control Use Of BitLocker On Removable Drives policy allows BitLocker to be used on removable drives. You cannot use this policy to restrict usage of removable drives only to those configured with BitLocker.
   B. Incorrect: The Store BitLocker Recovery Information In Active Directory Domain Services policy, which applies to clients running Windows Vista rather than Windows 7, allows BitLocker recovery keys to be stored within AD DS. You cannot use this policy to restrict usage of removable drives only to those configured with BitLocker.
   C. Correct: You need to configure the Deny Write Access To Removable Drives Not Protected By BitLocker policy. This policy allows you to deny write access to drives not protected by BitLocker and to specify which BitLocker identifiers are associated with your organization.
   D. Correct: The Provide The Unique Identifiers For Your Organization policy allows you to specify which BitLocker identifiers are associated with your organization. If the BitLocker identifier used with a removable device does not match one of the identifiers configured in this policy, and the Deny Write Access To Removable Drives Not Protected By BitLocker policy is configured appropriately, users are unable to write data to these removable devices.

3. Correct Answer: A
   A. Correct: By configuring the Require Additional Authentication At Startup policy, it is possible to disable the BitLocker requirement that a computer have a compatible TPM chip.
   B. Incorrect: The Allow Enhanced PINs For Startup policy allows you to use an enhanced PIN at startup. Configuring this policy does not allow you to bypass the BitLocker requirement for a TPM chip.
   C. Incorrect: The Configure TPM Platform Validation Profile policy configures how the TPM chip secures the BitLocker encryption key. Configuring this policy does not allow you to bypass the BitLocker requirement for a TPM chip.
   D. Incorrect: The Configure Minimum PIN Length For Startup policy allows you to configure a minimum length for the startup PIN. Configuring this policy does not allow you to bypass the BitLocker requirement for a TPM chip.

4. Correct Answer: B
   A. Incorrect: The Configure Use Of Passwords For Removable Data Drives policy allows you to configure password policies for removable data drives. You cannot use this policy to ensure that BitLocker To Go Reader is available on all FAT-formatted removable devices protected with BitLocker.
   B. Correct: The Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows policy allows you to ensure that BitLocker To Go Reader is available on all FAT-formatted removable devices protected with BitLocker.
   C. Incorrect: The Choose How BitLocker-Protected Removable Drives Can Be Recovered policy allows you to configure removable device recovery options. You cannot use this policy to ensure that BitLocker To Go Reader is available on all FAT-formatted removable devices protected with BitLocker.
   D. Incorrect: The Control Use Of BitLocker On Removable Drives policy determines whether you can use BitLocker with removable devices on the computer to which the policy applies. You cannot use this policy to ensure that BitLocker To Go Reader is available on all FAT-formatted removable devices protected with BitLocker.

5. Correct Answer: A
   A. Correct: You can use the Manage-bde.exe command-line utility to determine the identification string assigned to a BitLocker-protected volume.
   B. Incorrect: The Cipher.exe utility allows you to manage EFS rather than BitLocker encryption. You cannot use Cipher.exe to determine the identification string associated with a BitLocker-protected volume.
   C. Incorrect: The Bcdedit.exe utility allows you to manage boot configuration. You cannot use Bcdedit.exe to determine the identification string associated with a BitLocker-protected volume.
   D. Incorrect: The Sigverif.exe utility allows you to verify the digital signatures of files. You cannot use Sigverif.exe to determine the identification string associated with a BitLocker-protected volume.

Lesson 2

1. Correct Answer: C
   A. Incorrect: The command powercfg.exe -devicequery all_devices lists all devices. It does not provide information about which devices are configured to wake the computer from any sleep state.
   B. Incorrect: The command powercfg.exe -hibernate enables the hibernate option. You cannot use this command to list the devices that are configured to wake the computer from any sleep state.
   C. Correct: The command powercfg.exe -devicequery wake_armed displays a list of devices on a computer running Windows 7 that are configured to wake the computer from any sleep state.
   D. Incorrect: The command powercfg.exe -list displays a list of all power schemes in the current user's environment. It does not display a list of devices that are configured to wake the computer from a sleep state.

2. Correct Answers: A, B, and C
   A. Correct: A user account that is not a member of the local Administrators group can be used to select a different power plan.
   B. Correct: A user account that is not a member of the local Administrators group can be used to create a new power plan.
   C. Correct: A user account that is not a member of the local Administrators group can be used to change what the power buttons do.
   D. Incorrect: A user account that is not a member of the local Administrators group cannot be used to change the Require A Password On Wakeup setting.

3. Correct Answer: C
   A. Incorrect: You cannot use the Power Options control panel to migrate a custom power plan from one computer running Windows 7 to another.
   B. Incorrect: Although you can use the Local Group Policy Editor (Gpedit.msc) to edit power plan settings, you cannot use the Local Group Policy Editor to migrate power plan settings. Only security-related settings can be migrated using the Local Group Policy Editor.
   C. Correct: You can use Powercfg.exe to migrate a power plan from one computer running Windows 7 to another.
   D. Incorrect: Bcdedit.exe is used to modify a computer's boot configuration; it cannot be used to modify a power plan.

4. Correct Answer: B
   A. Incorrect: Credential Manager is used to manage stored authentication credentials. You cannot use Credential Manager to resolve offline file sync conflicts.
   B. Correct: The Sync Center control panel can be used to resolve offline file sync conflicts.
   C. Incorrect: HomeGroup is used to manage HomeGroup settings. HomeGroup cannot be used to resolve offline file sync conflicts.
   D. Incorrect: Network And Sharing Center cannot be used to resolve offline file sync conflicts. Network And Sharing Center is used to manage network configuration.

5. Correct Answer: D
   A. Incorrect: The Configure Slow Link Speed policy allows you to configure a threshold value for transitioning to Slow Link mode. Slow Link mode works with files configured to be available offline. The question states that it is not necessary to specify that a file is available offline.
   B. Incorrect: The Configure Slow Link Mode policy allows you to configure the computer to be able to use Slow Link mode, which is the default setting for clients running Windows 7. Slow Link mode works with files configured to be available offline. The question states that it is not necessary to specify that a file is available offline.
   C. Incorrect: The Exclude Files From Being Cached policy is used to block certain file types from being available offline. This policy cannot be used to configure a client running Windows 7 to cache files.
   D. Correct: Transparent caching allows Windows 7 to cache files locally when the round-trip latency to the remote file server exceeds a specific value in milliseconds.

Chapter 11: Case Scenario Answers

Case Scenario 1: Accessing Offline Files at Contoso

1. You need to use Powercfg.exe to export the custom power plan from the reference computer and import the custom power plan on each of the other branch office computers. Group Policy cannot be used with computers that are not members of an AD DS domain.
2. Enable transparent caching. You cannot enable BranchCache because none of the file servers at Contoso have the Windows Server 2008 R2 operating system installed.
3. Sync Center is the tool used to resolve offline file synchronization conflicts.

Case Scenario 2: Using BitLocker at Tailspin Toys

1. You can allow users to use BitLocker To Go–encrypted USB storage devices on computers that are running Windows XP or Windows Vista by configuring the Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows policy.
2. You can restrict removable device usage through Group Policy so that only devices that are protected by BitLocker To Go and have a specific organizational string configured within BitLocker can be used on clients running Windows 7. You can do this through the Deny Write Access To Removable Drives Not Protected By BitLocker policy and the Provide The Unique Identifiers For Your Organization policy.
3. You can configure a DRA to be used with removable volumes and configure policies to back up keys and passwords to AD DS.

Chapter 12: Lesson Review Answers

Lesson 1

1. Correct Answer: B
   A. Incorrect: Uninstalling installed updates requires elevated privileges and cannot be performed with a standard user account.
   B. Correct: The default Windows 7 Windows Update settings allow standard users to install updates.
   C. Incorrect: The default Windows 7 Windows Update settings do not allow standard users to change when updates are installed. It is necessary to use elevated privileges to perform these tasks.
   D. Incorrect: The default Windows 7 Windows Update settings do not allow standard users to change update download and installation behavior. It is necessary to use elevated privileges to perform these tasks.
   E. Incorrect: The default Windows 7 Windows Update settings do not allow standard users to hide updates. It is necessary to use elevated privileges to perform this task.

2. Correct Answers: B and C
   A. Incorrect: You should not change the update settings. Changing the update settings to stop updates from being installed does not ensure that other important updates published through Windows Update are deployed to clients running Windows 7.
   B. Correct: You should uninstall the update. This allows the custom software package to run.
   C. Correct: You should hide the update after uninstalling it. If you do not hide the update, it becomes available for installation again. Because standard users are able to install updates by default, this could lead to the problematic update being reinstalled. Once the fix for the custom software application becomes available, you can unhide the update and then reinstall it.
   D. Incorrect: You should not install the update. This causes problems with the custom software application.

3. Correct Answer: C
   A. Incorrect: You should not configure the Re-Prompt For Restart With Scheduled Installations policy because it sets the amount of time that a user can postpone a scheduled restart. It does not ensure that updates scheduled for installation while the computer was switched off are installed the next time the computer is switched on.
   B. Incorrect: You should not configure the Delay Restart For Scheduled Installations policy because it determines how long Windows waits before automatically restarting after a scheduled installation. It does not ensure that updates scheduled for installation while the computer was switched off are installed the next time the computer is switched on.
   C. Correct: You should configure the Reschedule Automatic Updates Scheduled Installations policy because it allows you to configure a computer that is switched off during the scheduled update period to install updates after it is turned on.
   D. Incorrect: You should not configure the No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installation policy because it allows a user to remain logged on when installed updates require a restart. It does not ensure that updates scheduled for installation while the computer was switched off are installed the next time the computer is switched on.

4. Correct Answer: D
   A. Incorrect: You should not configure the Turn Off Software Notification policy. This policy relates to user notification about available updates. You cannot use it to configure Windows Update to use a WSUS server rather than the Microsoft Update servers.
   B. Incorrect: You should not configure the Automatic Updates Detection Frequency policy. This policy determines how often Windows Update checks for updates. You cannot use it to configure Windows Update to use a WSUS server rather than the Microsoft Update servers.
   C. Incorrect: You should not configure the Configure Automatic Updates policy. This policy configures which updates should be installed, whether they should be downloaded or installed, and whether the logged-on user should be notified. You cannot use it to configure Windows Update to use a WSUS server rather than the Microsoft Update servers.
   D. Correct: You should configure the Specify Intranet Microsoft Update Service Location policy because it allows you to specify a local WSUS server for updates.

5. Correct Answer: D
   A. Incorrect: Microsoft Update does not provide organizations with centralized reports telling them which clients are missing specific updates. Microsoft Update serves as the source of updates in organizations that do not use solutions such as WSUS, System Center Essentials 2007, and SCCM 2007.
   B. Incorrect: Because a WSUS server is not deployed in the organization, you cannot use a WSUS server to determine if updates are missing.
   C. Incorrect: You cannot use the Group Policy Management Console to determine whether updates are missing. The Group Policy Management Console is used to manage Group Policy in a domain environment.
   D. Correct: You can use the MBSA to scan computers on which you have administrative privileges as a way of determining if they are missing software updates.

Lesson 2

1. Correct Answer: D
   A. Incorrect: You should not configure the security level of the Intranet zone. The security level manages how Internet Explorer deals with downloads and cookies. Configuring this setting does not enable Internet Explorer to trust the CA that issued the certificate to timesheet.contoso.internal.
   B. Incorrect: Turning off the Pop-Up Blocker allows pop-ups but does not allow Internet Explorer to trust this Web site certificate.
   C. Incorrect: Browsing to the Web site using InPrivate Mode does not allow Internet Explorer to trust the certificate issued to the Web site. Using InPrivate Mode stops Internet Explorer from recording browser navigation information.
   D. Correct: Because the Web site's certificate has been issued by an internal CA and you do not work for the organization directly, Internet Explorer has not been configured to trust the internal CA. To trust the internal CA, navigate to its Web site and download and install the CA's certificate.

2. Correct Answers: A and B
   A. Correct: To ensure that users do not accidentally blog using the default Blog With Windows Live accelerator, you should disable it.
   B. Correct: To ensure that users are able to use the custom blog accelerator, it is necessary to install the accelerator.
   C. Incorrect: You should not set the Blog With Windows Live accelerator as the default Blog accelerator for Internet Explorer. Because you do not want users to use this accelerator accidentally, you should disable it.
   D. Incorrect: You should not disable the custom blog accelerator because you want users to use this accelerator to blog to the intranet site.

3. Correct Answers: A and C
   A. Correct: You should configure the www.wingtiptoys.com site as an exception so that pop-up windows on this site are displayed by Internet Explorer.
   B. Incorrect: You should not set the blocking level to Medium because this lets pop-ups through from sites other than those on the exception list.
   C. Correct: You should set the blocking level to High because this blocks all pop-up windows except those from sites on the exception list.
   D. Incorrect: You should not set the blocking level to Low because this lets pop-ups through from sites other than those on the exception list.

4. Correct Answer: D
   A. Incorrect: The problem is not related to InPrivate Browsing; the problem is related to Compatibility View, as indicated by the statement in the question that the Web sites display without problems on Windows XP and Vista clients running Internet Explorer. Although Windows XP and Vista clients can run Internet Explorer 8, this hint suggests that compatibility is the issue.
   B. Incorrect: The problem is not related to InPrivate Filtering; the problem is related to Compatibility View, as indicated by the statement in the question that the Web sites display without problems on Windows XP and Vista clients running Internet Explorer. Although Windows XP and Vista clients can run Internet Explorer 8, this hint suggests that compatibility is the issue.
   C. Incorrect: The question states that the Web sites display without problems on Windows XP and Vista clients running Internet Explorer. Although Windows XP and Vista clients can run Internet Explorer 8, this hint suggests that compatibility is the issue. Disabling Compatibility View does not resolve the problem.
   D. Correct: You should configure the list of intranet sites that do not display properly through the Use Policy List Of Internet Explorer 7 Sites policy. Internet Explorer displays these sites using Compatibility View.

5. Correct Answer: B
   A. Incorrect: Starting an InPrivate Browsing session does not stop third-party Web sites from tracking you if they provide content to multiple sites that you visit. InPrivate Browsing sessions still accept cookies and transmit data.
   B. Correct: Enabling InPrivate Filtering allows Internet Explorer to locate and block content from third-party Web sites that appears across multiple separate sites during a browsing session.
   C. Incorrect: Disabling the Pop-Up Blocker does not stop third-party Web sites that provide content to a number of sites that you visit from tracking your browsing session across those sites. Disabling the Pop-Up Blocker means that you are presented with pop-up Web pages that normally would be blocked.
   D. Incorrect: You should not disable SmartScreen Filter. SmartScreen Filter protects you from phishing attacks. If you disable SmartScreen Filter, Internet Explorer does not warn you when you visit a Web site that contains malicious software or is suspected of being involved in phishing.

Chapter 12: Case Scenario Answers

Case Scenario 1: Windows Update at Contoso

1. You should configure the Specify Intranet Microsoft Update Service Location policy for the computers in the Canberra office. This policy allows you to specify the local WSUS server address.
2. You should configure the Enabling Windows Update Power Management To Automatically Wake Up The System To Install Scheduled Updates policy. When this policy is configured on compatible computers, the computer wakes from hibernation at the scheduled update time.
3. Log on to each computer at the Brisbane and Adelaide offices remotely using Remote Desktop. Uninstall the update and then hide the update. This ensures that the update is not installed again automatically.

Case Scenario 2: Internet Explorer at Wingtip Toys

1. You can disable the use of Internet Explorer accelerators through Group Policy. Although it is possible to disable accelerators manually, unless you disable accelerators through Group Policy, it is possible for users to reinstall them, or other accelerators, manually.
2. Instruct them to enable InPrivate Filtering. InPrivate Filtering stops browsing sessions from being tracked across multiple sites. InPrivate Browsing does not block browsing sessions from being tracked across multiple sites; it blocks browsing history and data from being recorded by Internet Explorer.
3. Add them to the list of sites to use with Compatibility View, either through the Compatibility View Settings dialog box or by distributing the list through Group Policy.
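The following PowerShell script is an added example, not part of the training kit, that wraps the Powercfg.exe commands discussed in Chapter 11, Lesson 2 (questions 1 and 3) and in Chapter 11, Case Scenario 1: it lists the devices armed to wake the computer, parses the power schemes that powercfg -list reports, and exports a named plan to a .pow file on a reference computer so that it can be imported and activated on a workgroup computer where Group Policy cannot be used. The plan name and file path in the usage lines are assumptions.

```powershell
# Added example (not from the training kit). Wraps powercfg.exe for the tasks
# described in Chapter 11, Lesson 2 and Case Scenario 1. The plan name and the
# .pow path used at the bottom are assumptions; adjust them for your environment.

# Devices configured to wake the computer from a sleep state
# (powercfg -devicequery wake_armed). powercfg prints NONE when there are none.
function Get-WakeArmedDevice {
    powercfg.exe -devicequery wake_armed | Where-Object { $_ -and $_ -notmatch '^NONE$' }
}

# Parse the output of "powercfg -list" into objects with GUID, name and active flag.
# Each scheme line looks like: Power Scheme GUID: <guid>  (<name>) [*]
function Get-PowerScheme {
    $pattern = 'Power Scheme GUID:\s+(?<guid>[0-9a-fA-F-]{36})\s+\((?<name>[^)]+)\)\s*(?<active>\*)?'
    powercfg.exe -list | ForEach-Object {
        if ($_ -match $pattern) {
            New-Object PSObject -Property @{
                Guid   = $Matches['guid']
                Name   = $Matches['name']
                Active = [bool]$Matches['active']   # $null when the group did not match
            }
        }
    }
}

# Export the plan with the given display name from the reference computer.
function Export-PowerPlan {
    param([Parameter(Mandatory = $true)][string]$Name,
          [Parameter(Mandatory = $true)][string]$Path)
    $scheme = Get-PowerScheme | Where-Object { $_.Name -eq $Name }
    if (-not $scheme) { throw "Power plan '$Name' was not found on this computer." }
    powercfg.exe -export $Path $scheme.Guid
}

# Import a .pow file on a target computer, then make the newly created scheme active.
# The imported scheme is identified by comparing the GUID list before and after import.
function Import-PowerPlan {
    param([Parameter(Mandatory = $true)][string]$Path)
    $before = @(Get-PowerScheme | ForEach-Object { $_.Guid })
    powercfg.exe -import $Path | Out-Null
    $new = Get-PowerScheme | Where-Object { $before -notcontains $_.Guid }
    if ($new) { powercfg.exe -setactive $new.Guid }
    return $new
}

# Usage (assumed values): on the reference computer, then on each branch office computer.
# Get-WakeArmedDevice
# Export-PowerPlan -Name 'Branch Office Plan' -Path 'C:\Plans\branch.pow'
# Import-PowerPlan -Path 'C:\Plans\branch.pow'
```

Exporting and importing require an elevated prompt, which matches the lesson's point that standard users can select or create plans on their own computer but not manage the machine-wide configuration. Auditing the wake-armed device list is worth doing after a plan is imported, because a device left armed to wake the computer can defeat a policy that expects the machine to stay asleep outside the scheduled update window.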
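As a second added example, again not code from the training kit, the script below reads the identification field that Manage-bde.exe reports for a BitLocker-protected drive (Chapter 11, Lesson 1, question 5) and compares it with the organizational identifiers set by the Provide The Unique Identifiers For Your Organization policy (Lesson 1, question 2, and Case Scenario 2). It assumes that the policy stores its values under HKLM\SOFTWARE\Policies\Microsoft\FVE as IdentificationFieldString and SecondaryIdentificationField; confirm those value names on your own systems before relying on the check. The drive letter is an assumption.

```powershell
# Added example (not from the training kit). Checks whether a BitLocker-protected
# drive carries one of the organization's identifiers, which is the condition under
# which Deny Write Access To Removable Drives Not Protected By BitLocker permits
# writes to the drive. Registry value names below are an assumption drawn from the
# BitLocker policy template; verify them before use.

# Read the "Identification Field:" line from "manage-bde -status <drive>".
function Get-BitLockerIdentificationField {
    param([Parameter(Mandatory = $true)][string]$Drive)   # for example 'E:'
    foreach ($line in (manage-bde.exe -status $Drive)) {
        if ($line -match 'Identification Field:\s*(?<value>.*)$') {
            $value = $Matches['value'].Trim()
            # manage-bde prints "None" when no identifier has been applied to the drive.
            if ($value -eq 'None') { return $null }
            return $value
        }
    }
    return $null   # not a BitLocker-protected drive, or no status output
}

# Identifiers configured by the Provide The Unique Identifiers For Your Organization policy.
function Get-OrganizationIdentifier {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # assumed policy registry location
    if (-not (Test-Path $key)) { return @() }
    $p = Get-ItemProperty -Path $key
    $ids = @()
    foreach ($name in 'IdentificationFieldString', 'SecondaryIdentificationField') {
        if ($p.$name) { $ids += [string]$p.$name }
    }
    return $ids
}

# $true when the drive's identification field matches one of the policy identifiers.
function Test-DriveMatchesOrganization {
    param([Parameter(Mandatory = $true)][string]$Drive)
    $field = Get-BitLockerIdentificationField -Drive $Drive
    if (-not $field) { return $false }
    return ((Get-OrganizationIdentifier) -contains $field)
}

# Usage (assumed drive letter):
# Get-BitLockerIdentificationField -Drive 'E:'
# Test-DriveMatchesOrganization -Drive 'E:'
```

A $false result on a drive that is BitLocker-protected usually means the device was encrypted outside the organization or before the identifier policy was applied; the fix is to re-apply the identifier with manage-bde rather than to loosen the deny-write policy, which is what keeps unmanaged removable media read-only on Windows 7 clients.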