Evernote

Question 1

You are using the Windows Automated Installation Kit (Windows AIK) to deploy Microsoft Windows 7 in your organization. You configure a technician computer and install the Windows AIK.

You need to create an automated answer file that you can use to perform an automated installation on your reference computer.

What should you do first?

• Copy a Windows image (WIM) file to the reference computer.
• Copy a Windows image (WIM) file to the technician computer.
• Launch Windows System Image Manager (SIM) on the technician computer.
• Run Sysprep on the reference computer.

Answer 1

Copy a Windows image (WIM) file to the technician computer.

You need to copy a WIM file to the technician computer. After you do this, you will use Windows SIM to create an answer file based on that image. You can then copy the answer file to a USB flash drive (UFD) to control the installation on the reference computer. Installation on the reference computer will require the Windows installation DVD and automated answer file.

You should not copy a WIM file to the reference computer. You will install from an image to create the reference computer, but you must first create the answer file.

You should not launch Windows SIM on the technician computer. You will use Windows SIM to create the answer file, but not until after you have copied an image to the technician computer.

You should not run Sysprep on the reference computer. You would not need to do this until after you have installed and configured the reference computer to prepare it for image creation.

Question 2

You are configuring a small number of remote client computers running Microsoft Windows 7. The client computers are configured to use IPv6 for communication over the Internet. Your local network is configured to use IPv4 and IPv6.

You need to configure end-to-end DirectAccess to give remote clients access to resources on your intranet. Some devices do not support IPv6. You need to ensure that DirectAccess clients can access these devices.

What should you do?

• Configure the remote clients to use IPv4 only.
• Configure the remote clients to use IPv4 and IPv6.
• Deploy multiple DirectAccess servers.
• Deploy a Network Address Translation-Protocol Translation (NAT-PT) device.

Answer 2

Deploy a Network Address Translation-Protocol Translation (NAT-PT) device.

You should deploy a NAT-PT device. This provides DirectAccess clients access to the IPv4-only devices without having to make other changes to the network, clients, or resource servers. The NAT-PT device provides a gateway between the DirectAccess server and the IPv4-only resources.

DirectAccess clients connect to the network using IP Security (IPSec) through one or more DirectAccess servers. If the target network is not configured to support IPv6 traffic, you must use the 6to4 and Teredo IPv6 transition technologies to support DirectAccess traffic across an IPv4 network. Because the network is configured to support both IPv4 and IPv6, this is not required in this situation.

You should not configure remote clients to use IPv4 only or IPv4 and IPv6. This does nothing to get you closer to a solution. DirectAccess requires client computers running Windows 7 and connecting to the target network using IPv6.

You should not deploy multiple DirectAccess servers. Even if you deploy multiple servers, each would provide the same service to the network, providing IPv6 connections for DirectAccess clients. It does nothing to add support for resources that support IPv4 only.

Question 3

You manage client computers for your organization.

You need to upgrade a computer running Microsoft Windows Vista to Windows 7. The target computer exceeds the minimum hardware requirements for Windows 7. You need to keep the requirements to complete the upgrade to a minimum. You insert the Windows 7 installation DVD.

What should you do next?

• Run Windows Easy Transfer.
• Run a custom installation.
• Run a default installation.
• Run the User State Migration Tool (USMT).

Answer 3

Run a default installation.

You should run a default installation. Setup should launch automatically when you insert the installation DVD. When you run the installation, you will be prompted to upgrade the computer by default.

You should not run Windows Easy Transfer. Windows Easy Transfer is used to transfer files and settings between computers. This is not necessary in this scenario.

You should not run a custom installation. A custom installation is more complicated to run than a default installation and is not required.

You should not run USMT. USMT is used to migrate user profiles, application settings, operating system settings, and so forth to a computer after a clean installation.

Question 4

You upgraded a computer to Microsoft Windows 7. Several folders on the computer were configured to use Encrypted File System (EFS) encryption. Group Policy allows for self-signed certificates if a certificate authority (CA) is not available.

You need to ensure that all files and folders are encrypted using elliptic curve cryptography (ECC). In the Group Policy Public Key Policies, you configure the Elliptic Curve Cryptography policy to Require.

What else should you do?

• Configure the Elliptic Curve Cryptography policy to Allow.
• Deny the use of self-signed certificates.
• Decrypt encrypted files and folders and re-enable encryption.
• Shut down and reboot the computer.

Answer 4

Decrypt encrypted files and folders and re-enable encryption.

You should decrypt encrypted files and folders and then re-enable encryption. Setting Elliptic Curve Cryptography to Require requires ECC encryption for all new encryption, but files and folders encrypted under an earlier Windows version are still encrypted under RSA encryption.

You should not configure the Elliptic Curve Cryptography policy to Allow. This would allow the use of both ECC and RSA encryption for new encryption.

You should not deny the use of self-signed certificates. Self-signed certificates can be used for ECC encryption. Windows 7 supports 256-bit, 384-bit, and 531-bit ECC certificates.

You should not shut down and reboot the computer. This would force application of new Group Policy settings, but it does not change the existing files.

Question 5

You have a computer running Microsoft Windows 7. Users access the computer using an account that is a member of the Users group.

SueS attempts to execute an application, but she receives access denied errors.

You need to enable SueS to execute the application.

What should you do?

• Select Run this program as an administrator on the Compatibility tab of the program.
• Add SueS to the Administrators group. Select Run this program as an administrator on the Compatibility tab of the program.
• Set the Compatibility mode to Windows XP on the Compatibility tab of the program.
• Create a shim and install it in the compatibility database.

Answer 5

Add SueS to the Administrators group. Select Run this program as an administrator on the Compatibility tab of the program.

You should add SueS to the Administrators group and select Run this program as an administrator on the Compatibility tab of the program. Windows 7 imposes stricter application security than earlier Windows operating systems. If an application needs administrator permission, you will need to enable the Run this program as an administrator option on the Compatibility tab of the program. However, a program can only run as an administrator if the user who is executing it is a member of the Administrators group. Therefore, you will need to add SueS to the Administrators group.

You should not only select Run this program as an administrator on the Compatibility tab of the program. You also need to add SueS to the Administrators group to permit permission elevation.

You should not set the Compatibility mode to Windows XP on the Compatibility tab of the program. The Compatibility mode allows you to configure an environment that emulates an older version of Windows when executing an application. However, it does not circumvent security restrictions.

You should not create a shim and install it in the compatibility database. You can create a shim and install it in the compatibility database to act as a layer of abstraction between an incompatible program feature and Windows 7. For example, if the program did not really require administrative permission, but checked for it, you could create a shim for the function that checks permission that always returns true. However, in this case, the application actually requires administrative permission, so you cannot correct the problem with a shim. You cannot use a shim to circumvent Windows 7 User Account Control (UAC).

Question 6

A user complains of system problems after a printer device driver is updated on a computer running Microsoft Windows 7. The user did not notice any problems with the original printer driver. You have the user restart the computer, but the problem continues.

You need to correct the problem as quickly as possible. The user needs access to the printer.

What should you do?

• Disable the device through the Device Manager.
• Open the device properties and roll back the device driver.
• Manually reinstall the original device driver.
• Restart the computer and choose the Last Known Good Configuration.

Answer 6

Open the device properties and roll back the device driver.

You should open the device properties and roll back the device driver. This will force the computer to revert to the previous version of the device driver. Because the user did not notice any problems with the original device driver, this should correct the problem and leave the printer available to the user.

You should not disable the device through the Device Manager. This will leave the printer unavailable. You may be prompted to restart the computer after disabling a device driver.

You should not manually reinstall the original device driver. If the original device driver shipped with Windows 7, you might not have the file available for manual installation. Also, this option is more time-consuming than rolling back the driver.

You should not restart the computer and choose the Last Known Good Configuration. This would not make any difference in this situation. Because the computer was able to successfully restart with the new device driver, the last known good configuration has been updated to include that device driver.

Question 7

Your network is configured as a central office and two remote branch offices. Each office is configured as two subnetworks. You want to implement Hosted Cache mode BranchCache to reduce communication over remote links.

You need to determine the minimum number of Hosted Cache servers required to implement BranchCache throughout the network. You need to deploy only required servers.

What should you do?

• Deploy one Hosted Cache server.
• Deploy two Hosted Cache servers.
• Deploy four Hosted Cache servers.
• Deploy five Hosted Cache servers.

Answer 7

Deploy two Hosted Cache servers.

You should deploy two Hosted Cache servers, one for each remote office. The content server (or servers) will be deployed in the central office. Each branch office requires its own Hosted Cache server. The Hosted Cache server can provide content for all of the subnets configured in the remote office.

You should not deploy one Hosted Cache server. You must have at least one in each remote office.

You should not deploy four or five Hosted Cache servers. There is no need to deploy multiple Hosted Cache servers in each of the remote offices. There is also no need to deploy one in the central office.

Question 8

You set up a computer running Microsoft Windows 7 and custom applications. You plan to use the computer for testing applications.

You need to be able to restore back to the custom installation quickly if problems occur. You need to be able to control the recovery through the Windows Recovery Environment (RE) using Windows RE manual tools.

First, you need to create the recovery image.

What should you do?

• Run ImageX from a command prompt.
• Use Windows Backup.
• Open the Windows RE menu during startup.
• Launch Windows RE from the installation DVD.

Answer 8

Use Windows Backup.

You should create a full backup using Windows Backup. You need to create the backup on a disk partition other than the system’s startup partition. For example, you can create the backup on an external hard disk or in a network location.

You should not run ImageX from a command prompt. ImageX is used to create a Windows installation image (WIM) file. In this scenario, you need a backup file rather than an image file.

You should not launch Windows RE. You use Windows Backup, not Windows RE, to create the copy. When you need to restore the computer, you would then launch Windows RE (from the hard disk or installation DVD) and run a complete PC restore from the manual tools menu.

Question 9

You have a computer running Microsoft Windows Vista Ultimate.

You are planning to upgrade the computer to Windows 7.

Which edition or editions of Windows 7 support a direct upgrade from Windows Vista Ultimate?

• Professional and Ultimate
• Enterprise and Ultimate
• Professional, Enterprise, and Ultimate
• Ultimate

Answer 9

Ultimate

You can only directly upgrade from Windows Vista Ultimate to Windows 7 Ultimate. Supported upgrade paths do not affect the availability of upgrade pricing. You can purchase Windows 7 for an upgrade price even if your current edition of Windows Vista does not support an upgrade to the edition of Windows 7 you purchase. However, you would need to migrate settings and perform a Custom installation instead of performing an upgrade.

You cannot directly upgrade to Windows 7 Professional. Only Windows Vista Business can be directly upgraded to Windows 7 Professional.

You cannot directly upgrade to Windows 7 Enterprise. Only Windows Vista Business and Windows Vista Enterprise can be directly upgraded to Windows 7 Enterprise.

Question 10

You are configuring a computer running Microsoft Windows 7 for use as a public terminal.

The computer is configured to log on automatically as a local standard user. You want to prevent users from being able to run administrative programs and make changes to the computer.

What should you do?

• Disable User Account Control (UAC).
• Disable Secure Desktop.
• Configure local security policies for standard users to automatically deny elevation requests.
• Configure User Account Control (UAC) prompts to elevate without prompting.

Answer 10

Configure local security policies for standard users to automatically deny elevation requests.

You should configure local security policies for standard users to automatically deny elevation requests. This policy is used to prevent user privilege escalation when a standard user attempts to run an administrator application, effectively preventing standard users from running administrator applications. An administrator application is one that requires administrator privileges to make changes to a computer.

You should not disable UAC. You can disable UAC by setting the UAC Control Panel slider to Never notify. Users or applications would be able to make changes to the computer without any notification displaying.

The UAC Control Panel slider supports four settings:

* Always notify on every system change (High) - Secure desktop notification is displayed if changes are attempted by a user or application.

* Notify me only when programs try to make changes to my computer (Medium) - User changes, such as changing Windows settings, do not generate notifications. Attempts made by applications by computers do generate a Secure Desktop notification.

* Notify me only when programs try to make changes to my computer, without using the Secure Desktop (Low) - This is the same as the medium setting, except prompts appear on the normal desktop instead of using Secure Desktop.

* Never notify (Off) - UAC is disabled.

You should not disable Secure Desktop. This causes notifications to display on the normal desktop instead of secure desktop, but users can still choose to make modifications.

You should not configure UAC prompts to elevate without prompting. This is a local security policy setting and applies only when a user is logged on as a local administrator. The setting causes administrator applications and setup programs to automatically run under the administrator security context, without being blocked or displaying any warning notification, when the user is logged on as a local administrator.

Question 11

You are defining application restriction policies for computers running Microsoft Windows 7.

You create application execution rules through AppLocker. You need to determine how these rules will impact standard users. You need to have minimal impact on users’ access to applications while testing your application rules.

What should you do?

• Configure rule enforcement mode as Not configured.
• Create and apply default application rules.
• Create publisher rules for each of the applications tested.
• Configure rule enforcement mode as Audit only.

Answer 11

Configure rule enforcement mode as Audit only.

You need to configure rule enforcement mode as Audit only. This lets you determine what the impact of the rules will be without directly affecting users’ access to applications. After you have determined if the rules work as expected, you can change the rule enforcement mode to Enforce rules.

You should not configure rule enforcement mode as Not configured. This is the default rule enforcement mode. This setting does not audit the impact of the rules on users. Also, if any linked Group Policy object (GPO) already exists, it will apply instead of the AppLocker rules.

You should not create and apply default application rules. Default rules enable all users to run the programs in the default Program Files folder and in the Windows folder. They are not used for testing custom rules.

You should not create publisher rules for each of the applications tested. A publisher rule is used to enable rules to apply to an application after an upgrade rather than having to create a new rule each time you upgrade an application.

Question 12

Your environment includes several Windows 7 computers that have WS-Management protocol enabled. Your technician computer is also running Windows 7.

You need to execute a PowerShell command on all the computers from your technician computer.

What should you do?

• Run Enter-PSSession.
• Run Invoke-Command.
• Run Enable-PSRemoting.
• Run Invoke-Expression.

Answer 12

Run Invoke-Command.

You should run Invoke-Command. The Invoke-Command PowerShell cmdlet allows you to list the computers on which to run a specific command. The command is then executed on the computers in a “fan-out” configuration. Invoke-Command requires that WS-Management protocol be enabled. You enable WS-Management by running the Enable-PSRemoting cmdlet.

You should not run Enter-PSSession. The Enter-PSSession cmdlet is used to initiate an interactive PowerShell session with one computer. During an interactive session, you can execute multiple commands.

You should not run Enable-PSRemoting. You use Enable-PSRemoting to enable WS-Management on a computer. The computers already have WS-Management enabled.

You should not run Invoke-Expression. The Invoke-Expression cmdlet can only be used to execute commands on a local computer.

Question 13

You create a weekly system image backup of a Microsoft Windows 7 computer and store the backup on a DVD.

The computer boots, but Windows 7 will not start.

You need to restore the system image.

What should you do?

• Boot from the DVD that contains the system image backup.
• Boot from a DVD that contains Windows Preinstallation Environment (PE)
• Press the F8 key as the computer restarts and select Repair your system.
• Start the computer by using Recovery Console.

Answer 13

Press the F8 key as the computer restarts and select Repair your system.

You should press the F8 key as the computer restarts and select Repair your system. Pressing the F8 key during startup causes the Advanced Boot Menu to be displayed. You can select Repair your system to display the System Recovery options menu. One choice on this menu is to restore the computer using the system image backup. All changes made since the backup will be lost unless they can be recovered from other backups. Another option is to boot from the installation DVD or a system repair disc.

You should not boot from the DVD that contains the system image backup. The system image backup is not bootable. If you want to create a bootable DVD that can be used for recovery, you need to create a system repair disc.

You should not boot from a DVD that contains Windows PE. Windows PE is used when installing Windows 7 from an installation image, not when recovering to a system image backup.

You should not start the computer by using Recovery Console. Recovery Console was used in Windows XP to allow you to run certain commands. It has been replaced by the System Recovery options, which provide more robust tools for troubleshooting and resolving a problem.

Question 14

You have a Microsoft Windows 7 computer.

You need to prevent the Recycle Bin from being displayed on the desktop.

What should you do?

• Right-click the Recycle Bin icon and choose Properties.
• Right-click the Desktop and choose Personalize.
• Right-click the Desktop and display View options.
• Right-click the Desktop and choose Gadgets.

Answer 14

Right-click the Desktop and choose Personalize.

You should right-click the Desktop and choose Personalize to open Personalization in the Control Panel. From the Personalization window, you can select Change desktop icons to display a dialog box that lets you check and uncheck default desktop icons, such as Recycle Bin.

You should not right-click the Recycle Bin icon and choose Properties. The Recycle Bin Properties dialog box allows you to configure the amount of disk space the Recycle Bin can use and whether a confirmation dialog box should be displayed when a user empties the Recycle Bin.

You should not right-click the Desktop and display View options. The View menu allows you to change how the desktop icons are arranged and the icon size. You cannot remove individual icons by using the View menu.

You should not right-click the Desktop and choose Gadgets. Gadgets are mini-programs, such as Weather and Calendar, that you can display on the Desktop. In Windows Vista, gadgets could only appear on the Sidebar. The Recycle Bin is not a gadget.

Question 15

You are configuring your network to support both IPv4 and IPv6. You are currently documenting assigned addresses.

A computer running Windows 7 has the following address:

FE80::2AA:FF:FE3F:2A1C

How is this address used?

• To communicate between subnets on the same network
• To provide a globally unique unicast address
• To provide loopback communications for testing
• To communicate with other hosts on the same subnet

Answer 15

To communicate with other hosts on the same subnet

The address is used to communicate with other hosts on the same subnet. This is an example of a link-local address, which is used like an Automatic Private IP Addressing (APIPA) IPv4 address and is used for local communication only. You can recognize the address as a link local address by the FE80 prefix. The remaining address values are taken from the computer’s Media Access Control (MAC) address.

The address is not used to communicate between subnets on the same network. This would require a site-local address, which would have a prefix of FEC0.

The address is not used to provide a globally unique unicast address. This would be an address in a format similar to the following:

2001:DB8:2A3C:F282:2AA:FF:FE3F:2A1C

The value 2001:DB8:2A3C is a global routing address for the site. F282 represents a subnet on that site. The remaining address value, 2AA:FF:FE3F:2A1C, identifies a unique host on that subnet, based on the MAC address.

The address is not used to provide loopback communications for testing. An address of ::1 is used for IPv6 loopback testing.

Question 16

Your Microsoft Windows 7 computer is a domain member that has a wireless network adapter.

Your wireless router is configured to use Temporal Key Integrity Protocol (TKIP) encryption. It is not configured to use a pre-shared key.

You need to configure the computer’s wireless connection to use the strongest possible security.

Which security type should you use?

• WPA2-Personal
• WPA2-Enterprise
• 802.1x
• WPA-Personal

Answer 16

WPA2-Enterprise

You should use WPA2-Enterprise. The Wi-Fi Protected Access (WPA2) Enterprise security type supports either TKIP or Advanced Encryption Standard (AES) for an encryption protocol. When you use WPA2, you have the choice of using either an 802.1x server or a pre-shared key for authentication. In this scenario, you know that the access point does not have a pre-shared key. Therefore, the network must have an 802.1x server. WPA-Enterprise is another security type that supports 802.1x authentication and both TKIP and AES encryption. WPA2 is more secure than WPA, but it is not supported by older wireless access points.

You should not use WPA2-Personal or WPA-Personal. These security types require authentication using a pre-shared key.

You should not use 802.1x as the security type. The 802.1x security type only supports Wired Equivalent Privacy (WEP) encryption. It can use Microsoft Protected Extensible Authentication Protocol (PEAP) or certificate authentication, so it does not require a pre-shared key.

Question 17

You upgrade a computer running Microsoft Windows XP to Windows 7. You use Windows Easy Transfer to transfer files and settings to the new installation.

You need to make the applications that were running on the computer before you installed Windows 7 available to the computer’s user.

What should you do?

• Run User State Migration Tool (USMT).
• Reinstall the user applications.
• Reboot the computer.
• Run the BCDedit command.

Answer 17

Reinstall the user applications.

You should reinstall the user applications. Windows 7 does not support a direct upgrade path from Windows XP. After installing Windows 7, you must reinstall any applications that you still want to have available.

You should not run USMT. USMT is used to migrate user profiles, application settings, operating system settings, and so forth to a computer after a clean installation. In this situation, it does not migrate user applications.

You should not reboot this computer. This does not do anything to make the applications available.

You should not run the BCDedit command. BCDedit lets you manage the boot options in a multiple-boot installation and has nothing to do with migrating application support.

Question 18

A Microsoft Windows 7 computer is configured to use IPv6. The computer receives its IP configuration from a Dynamic Host Configuration Protocol (DHCP) server.

The router normally used to reach a branch office fails. You need to configure the computer to use a different route.

Which utility should you use?

• Ipconfig
• Netsh
• Pathping
• Tracert

Answer 18

Netsh

You should use Netsh. The Netsh interface ipv6 command can be used to view and modify the IPv6 routing table.

You should not use Ipconfig. The Ipconfig utility can be used to view IPv4 and IPv6 configuration settings, to release and renew IPv4 or IPv6 addresses, and to flush the Domain Name System (DNS) cache. It cannot be used to modify the routing table.

You should not use Pathping. The Pathping utility is used to test connectivity. It returns the addresses of each router along the path to a destination.

You should not use Tracert. The Tracert utility is used to test connectivity. It returns information about the time it takes to traverse each hop to a destination, as well as the IP address of each router along the path.

Question 19

You have a Windows 7 computer in a homegroup. There is also one Windows Vista computer on the network. The Windows 7 computer contains files that should be accessible for Read access by all other users in the homegroup. The files are located in the FamilyInfo folder in your My Documents folder.

You need to enable other users in the homegroup to access the folder.

What should you do?

• Select the FamilyInfo folder and choose Share with | Homegroup (Read).
• Move the FamilyInfo folder to the Public Documents library.
• In Advanced Sharing, grant Everyone Read access.
• In Advanced Sharing, grant Homegroup Read access.

Answer 19

Select the FamilyInfo folder and choose Share with | Homegroup (Read).

You should select the FamilyInfo folder and choose Share with | Homegroup (Read). When a computer belongs to a homegroup, users can access files in any Public folder by default. You can allow users who log on to other computers in the homegroup to access other files by using the Share with command. To allow users Read-only access, select Share with | Homegroup (Read).

You should not move the FamilyInfo folder to the Public Documents library. The Public Documents library allows Read/Write access by default.

You should not grant Everyone Read access in Advanced Sharing. Advancing Sharing is used to configure file share permissions for resources shared through traditional file sharing methods. When Everyone is granted Read access, any authenticated user can access the files, not just members of the homegroup.

You should not grant Homegroup Read access in Advanced Sharing. Homegroup is not accessible through Advanced Sharing. To grant permission to a homegroup, you need to use the Share with menu item.

Question 20

You are managing several computers running Microsoft Windows 7. Several users have removable USB hard disks to provide additional storage.

You need to ensure that data on removable hard disks is encrypted. The data on the hard disks should be readable by computers running Windows XP or Windows Vista, as well as Windows 7.

What should you do?

• Format the removable disks as NTFS and require BitLocker on the disks through Group Policy.
• Format the removable disks as NTFS and require Encrypting File System (EFS) on the disks through Group Policy.
• Format the removable disks as FAT32 and require BitLocker on the disks through Group Policy.
• Format the removable disks as FAT32 and require Encrypting File System (EFS) on the disks through Group Policy.

Answer 20

Format the removable disks as FAT32 and require BitLocker on the disks through Group Policy.

You should format the removable disks as FAT32 and require BitLocker on the disks through Group Policy. You can require the use of BitLocker on removable disks, referred to as BitLocker To Go in this use, through Group Policy. To make the data accessible to older versions of Windows, you must format the disk as FAT or FAT32 and must include the BitLocker To Go Reader on the hard disk.

You should not format the removable disks as NTFS. When you apply BitLocker To Go to removable hard disks formatted as NTFS, it cannot be read by older versions of Windows.

You cannot require EFS encryption through Group Policy.

Question 21

Client computers running Microsoft Windows 7 are configured to support BranchCache in Hosted Cache mode. BranchCache is configured through linked Group Policy objects (GPOs).

You need to convert the clients to support BranchCache in Distributed Cache mode. You run the following on each of the client computers:

netsh branchcache set service mode=DISTRIBUTED

You need to finish configuring Distributed Cache mode support.

What should you do?

• Configure each client’s firewall to enable WS-Discovery protocol.
• Manually start the BranchCache service on each computer.
• Enable the BranchCache for remote files feature.
• Unlink the GPOs configuring clients for hosted mode.

Answer 21

Unlink the GPOs configuring clients for hosted mode.

You should unlink the GPOs configuring clients for hosted mode. Configuration settings applied through linked GPOs take precedence over configuration changes made when you run netsh.

You should not configure each client’s firewall to enable WS-Discovery protocol. Windows Firewall is configured automatically when you run netsh.

You should not manually start the BranchCache service on each computer. There is no need to do this manually.

You should not enable the BranchCache for remote files feature. This feature is available only on server computers configured as file servers and is only necessary on files servers also supporting BranchCache.

Question 22

A computer is running Microsoft Windows Vista Home Premium.

You need to install Windows 7 Professional on the computer. You must preserve user configuration settings and applications. You must perform the installation using the least amount of effort.

What should you do first?

• Start the computer in Windows Vista. Insert the installation DVD and choose Upgrade.
• Start the computer from the DVD. Choose Custom.
• Start the computer in Windows Vista. Insert the installation DVD and run Migsetup.exe.
• Start the computer from the DVD. Choose Upgrade.

Answer 22

Start the computer in Windows Vista. Insert the installation DVD and run Migsetup.exe.

You should start the computer in Windows Vista, insert the installation DVD, and run Migsetup.exe. You cannot directly upgrade a computer running Windows Vista Home Premium to Windows 7 Professional by performing an upgrade installation. You must perform a custom installation. However, because you need to preserve settings, you will need to first migrate them using Easy Transfer (Migsetup.exe). You will need to store the files on an external hard drive, such as a Universal Serial Bus (USB) flash drive, or you will need to use an Easy Transfer Cable.

You should not start the computer in Windows Vista, insert the installation DVD, and choose Upgrade. You would complete these steps if this upgrade path were supported. You can only directly upgrade to either Windows 7 Home Premium or Windows 7 Ultimate from Windows Vista Home Premium edition by performing an upgrade installation.

You should not start the computer from the DVD and choose Custom. You need to migrate the settings before you perform the installation.

You should not start the computer from the DVD and choose Upgrade. You can only directly upgrade to either Windows 7 Home Premium or Windows 7 Ultimate from Windows Vista Home Premium by performing an upgrade installation.

Question 23

You upgrade several computers to Microsoft Windows 7. All of the computers are part of the same Active Directory domain.

You must support an application with a known compatibility problem after upgrading the computers. You need to create and deploy a custom compatibility mode to correct the problem. You need to keep the effort needed to correct the problem to a minimum.

What should you do first?

• Run Sdbinst on each of the upgraded computers.
• Run the Standard User Analyzer (SUA) wizard on each of the upgraded computers.
• Launch the Create a Custom Compatibility Mode Wizard.
• Create a new compatibility database.

Answer 23

Create a new compatibility database.

You should create a new compatibility database. Before you can create and distribute a custom compatibility mode, you must first create a custom compatibility database as a destination. You then distribute the fixes contained in the compatibility mode as part of the custom database.

A compatibility mode is a set of compatibility fixes. You can create a compatibility mode by copying an existing compatibility mode and then modifying it or by creating a new mode and adding individual fixes.

You should not run Sdbinst on each of the upgraded computers. The Sdbinst command is used to distribute the custom compatibility database after it is completed.

You should not run the SUA wizard on each of the upgraded computers. The SUA wizard is used to detect User Account Control (UAC)-related compatibility issues. The scenario states that you are working with a known compatibility issue.

You should not launch the Create a Custom Compatibility Mode Wizard. You must create the custom compatibility database first. You will then select the compatibility database before launching the Create a Custom Compatibility Mode Wizard.

Question 24

You are configuring a computer to boot from a virtual hard disk (VHD). The VHD must be installed using an image located on a network share.

You create a VHD and configure it with a primary partition.

What should you do next?

• Start the computer by using Windows PE.
• Detach the VHD.
• Run ImageX with the /apply option.
• Run Bcdboot.

Answer 24

Run ImageX with the /apply option.

You should run ImageX with the /apply option. After you configure the partitions, you need to apply the image. You can apply the image by running ImageX with the /apply option.

You do not need to start the computer using Windows Preinstallation Environment (PE). Windows PE is used when applying an image to a physical hard disk. You can apply an image to a virtual hard disk when you are booted to Windows 7.

You should not detach the VHD. The VHD needs to be attached to apply the image.

You should not run Bcdboot. You will run Bcdboot on the target computer after you apply the image on the VHD, copy the VHD to the target computer, and attach the VHD. The Bcdboot command copies the boot files in the VHD to the system partition on the target computer.

Question 25

You upgrade a computer from Microsoft Windows Vista to Windows 7.

You try to run one of the applications and it terminates unexpectedly.

You need to resolve the problem.

What should you try first?

• Set the Compatibility mode to Windows Vista.
• Uninstall and reinstall the application.
• Set the Run this program as an administrator option.
• Set the Disable visual themes option.

Answer 25

Set the Compatibility mode to Windows Vista.

You should set the Compatibility mode to Windows Vista. The Compatibility mode option on the Compatibility tab of an application’s properties dialog box allows you to configure an application to run in an environment that emulates an earlier version of Windows. In this case, because you know the program operated under Windows Vista, you should try to set the Compatibility mode to Windows Vista.

You should not uninstall and reinstall the application as the first thing to try. Upgrading Windows preserves application settings. You should not need to reinstall the application.

You should not set the Run this program as an administrator option. The Run this program as an administrator option is used when you need to support an application that requires administrative permissions. You would also need to add users who need to run the application to the Administrators group.

You should not set the Disable visual themes option. You would set this compatibility option if you were experiencing problems with the title bar or menu bar of an application.

Question 26

You are deploying Microsoft Windows 7 on your network. Computers running Windows 7 will initially run the same applications as other clients already deployed on your network.

You need to ensure that existing Software Restriction Policies continue to be applied to computers running Windows 7 as you define and deploy AppLocker rules. Software Restriction Policies should continue to apply to any client running Windows Vista that you upgrade to Windows 7, along with new AppLocker rules. You plan to manage AppLocker rules through Group Policy objects (GPOs). You need to keep the administrative effort necessary to a minimum.

What should you do?

• Define AppLocker rules in the same GPO as existing Software Restriction Policies.
• Define AppLocker rules in a new GPO, separate from Software Restriction Policies.
• Unlink any GPOs containing Software Restriction Policies before defining AppLocker rules, and then relink when finished.
• Replace the Software Restriction Policies with AppLocker rules.

Answer 26

Define AppLocker rules in a new GPO, separate from Software Restriction Policies.

You should define AppLocker rules in a new GPO, separate from Software Restriction Policies. You can have both AppLocker rules and Software Restriction Policies, but if you define the AppLocker rules in the same GPO, only the AppLocker rules will apply. Software Restriction Policies must be maintained in a separate GPO.

In most network environments, you will likely want to define both Software Restriction Policies and AppLocker rules. AppLocker rules provide more detailed control over applications, but currently apply to Windows Server 2008 and Windows 7 only. Older versions of Windows require Software Restriction Policies.

You should not define AppLocker rules in the same GPO as existing Software Restriction Policies. If you do this, only AppLocker rules will apply, even if there is no conflict with the Software Restriction Policies.

You should not unlink any GPOs containing Software Restriction Policies before defining AppLocker rules, and then relink when finished. This is not necessary and will not change the final result.

You should not replace the Software Restriction Policies with AppLocker rules. While this is possible, it would be more work than necessary to meet your application restriction management requirements.

Question 27

Your company has a large number of computers running Microsoft Windows 7.

When troubleshooting a problem on any of the computers, you want to be able to easily view a log of application errors, hangs, and service control events that have occurred in the past 24 hours.

What should you do?

• Use Event Viewer to create a filter on the System log and save the filter to a custom view.
• In Event Viewer, choose View | Show Analytic and Debug Logs.
• Use Event Viewer to create and export a custom view.
• In System Information, choose Windows Error Reporting.

Answer 27

Use Event Viewer to create and export a custom view.

You should use Event Viewer to create and export a custom view. You can create a custom view that contains events from one or more event logs. These events can be filtered by source, user, date, and event type. You can export a custom view and import it into another computer.

You should not use Event Viewer to create a filter on the System log and save the filter to a custom view. The System log does not contain Application Hang or Application Error events.

You should not launch Event Viewer and choose View | Show Analytic and Debug Logs. The Analytic and Debug logs provide extremely detailed event information for advanced troubleshooting and application debugging.

You should not choose Windows Error Reporting in System Information. Although application hangs and errors are displayed in this report, service control events are not. Also, you cannot limit the information shown to only the past 24 hours.

Question 28

You try to start a Windows 7 computer and receive an error that a system file is damaged. You cannot access the Advanced Boot Options.

You need to recover from the failure.

What should you try first?

• Start the computer by using the installation DVD. Select Repair your computer. Select Startup Repair.
• Start the computer by using a system repair disc. Select System Restore.
• Start the computer by using a system repair disc. Select System Image Recovery.
• Start the computer by using the installation DVD. Perform a custom installation.

Answer 28

Start the computer by using the installation DVD. Select Repair your computer. Select Startup Repair.

You should start the computer by using the installation DVD, select Repair your computer, and select Startup Repair. The Startup Repair tool scans your system and locates missing or damaged operating system files. It can automatically correct problems caused by missing or damaged system files. You can access the Startup Repair tool from the System Recovery options menu, which is available by pressing the F8 key during startup and choosing Repair your computer, starting from the installation DVD and choosing Repair your computer, or starting from a system repair disc.

You should not start the computer by using a system repair disc and select System Restore. System Restore allows you to restore the operating system to a restore point. A restore point is created when a driver or application is installed. You can also create restore points manually. In this case, you do not know when the problem occurred or if a restore point was created before the change that caused the problem. Therefore, you should first try Startup Repair. If Startup Repair does not resolve the problem, the next step is to try System Restore.

You should not start the computer by using a system repair disc and selecting System Image Recovery. This option allows you to restore the system using a system image backup. All changes made since the backup will be lost, so this option should be used only if Startup Repair and System Restore fail to correct the problem.

You should not start the computer by using the installation DVD and performing a custom installation. A custom installation is a clean installation. All system configuration settings and applications will be lost.

Question 29

You are using a manual network migration to migrate a computer from Microsoft Windows XP to Windows 7.

The computer is currently configured for Internet Connection Sharing (ICS). You need to ensure that the computer can be used to share its Internet connection to the network after migration. You need to keep the procedures necessary to accomplish this to a minimum.

What should you do?

• Use Windows Easy Transfer to transfer computer settings.
• Use User State Migration Tool (USMT) to run a default transfer.
• Use User State Migration Tool (USMT) with a custom Config.xml file.
• Use User State Migration Tool (USMT) and manually configure ICS after migration.

Answer 29

Use User State Migration Tool (USMT) and manually configure ICS after migration.

You need to use USMT and manually configure ICS after migration. The USMT ScanState and LoadState commands do not migrate ICS configuration settings from Windows XP to Windows 7 because of the potential security risk. ICS is supported, but it must be configured manually after migration.

You should not use Windows Easy Transfer to transfer computer settings. A manual network migration refers to using ScanState to transfer settings to a network server and LoadState to retrieve the settings from the server. Windows Easy Transfer is not used in this scenario, and even if it were used, it would not migrate ICS settings.

You should not use USMT to run a default transfer as your only action. You will still need to manually configure ICS.

You should not use USMT with a custom Config.xml file. A custom Config.xml file is used to identify components that you do not want to migrate.

Question 30

You are configuring a Microsoft Windows 7 computer for a user who telecommutes. The user needs to be able to access the corporate network through a DirectAccess server.

The wireless network adapter driver settings are shown in the exhibit.

What change must you make to support a DirectAccess connection?

• Enable Internet Protocol Version 6 (TCp/IPv6).
• Enable QoS Packet Scheduler.
• Disable Virtual Machine Network Services.
• Disable File and Printer Sharing for Microsoft Networks.

Answer 30

Enable Internet Protocol Version 6 (TCp/IPv6).

You should enable IPv6. DirectAccess relies on IPv6. With a DirectAccess connection, packets are tunneled through an Internet connection and secured using IP Security (IPSec).

You do not need to enable the Quality of Service (QoS) Packet Scheduler. The QoS Packet Scheduler provides prioritized delivery for packets that require guaranteed delivery time. DirectAccess does not depend on QoS.

You do not need to disable the Virtual Machine Network Service. The Virtual Machine Network Service is used to establish network communication with a Virtual PC. It is not related to DirectAccess.

You do not need to disable File and Printer Sharing for Microsoft Networks. There are no limitations on sharing files or printers when connected to a DirectAccess server.

Question 31

You have a computer running Microsoft Windows 7.

You want to perform a weekly backup that stores the latest configuration settings, files, and installed applications. The screen to configure the backup is shown in the exhibit.

Which option or options should you select?

• Program Files
• Local Disk (C:)
• Program Files and ProgramData.
• Include a system image of drives: System Reserved, (C:).

Answer 31

Include a system image of drives: System Reserved, (C:).

You should select Include a system image of drives: System Reserved, (C:). The only option that allows you to back up program files is to create a system image. The drawback to creating a system image is that you cannot selectively restore files. Therefore, you might want to supplement a system image backup with periodic full backups of data files.

You should not select Program Files. Even if the Program Files folder is selected, executable files within the Program Files folder or subfolders are ignored during backup.

You should not select Local Disk (C:). Selecting this option would cause all data files on volume C or any subfolder of volume C to be backed up. However, executable files will not be backed up.

You should not select Program Files and ProgramData. Even if the Program Files folder is selected, executable files within the Program Files folder or subfolders are ignored during backup.

Question 32

You use a computer that was migrated from Microsoft Windows XP to Windows 7. A full backup of the computer was created by using Ntbackup before migration.

You need to recover data files that were backed up using Ntbackup. You need to recover the files as quickly as possible. You have copied the backup file to the local hard disk.

What should you do first?

• Launch Windows Backup and Restore.
• Install Windows Removable Storage Management (RSM).
• Install the Ntbackup utility.
• Launch System Recovery.

Answer 32

Install Windows Removable Storage Management (RSM).

You need to install RSM first. You must use Ntbackup to restore the files, but you must first install RSM before the computer will support Ntbackup.

You should not launch Windows Backup and Restore. Windows Backup and Restore cannot be used to restore from a backup made with Ntbackup.

You should not install the Ntbackup utility as your first action. You will need Ntbackup, but you need to install RSM before you install Ntbackup.

You should not launch System Recovery. System Recovery cannot be used to restore from a backup made with Ntbackup.

Question 33

You are preparing to deploy Microsoft Windows 7 to a small number of computers. You plan to use a network share as your installation source.

You plan to use a custom unattended answer file to configure most of the installation settings. You need to be able to select the destination volume when you apply the image to the destination computer. You will use bootable Windows PE media to boot the destination computers.

What should you do?

• Create and apply an image using ImageX.
• Create an image using ImageX and apply the image using Windows Setup.
• Use the Windows 7 installation DVD distribution image and apply the image using ImageX.
• Use the Windows 7 installation DVD distribution image and apply the image using Windows Setup.

Answer 33

Create an image using ImageX and apply the image using Windows Setup

You should create an image using ImageX and apply the image using Windows Setup. You can boot the destination in Windows PE and then run Setup. By using Setup to apply the image, you have the option of selecting the destination volume.

You should not create and apply an image using ImageX. This would require you to install to the volume from which the image was created.

You should not use the DVD image for distribution through a network share. A DVD image is not designed for distribution in this manner.

Question 34

You manage computers in a Microsoft Windows Active Directory domain.

You are setting up your network to support device driver installation on client computers running Microsoft Windows 7. You have configured client computers to search a shared network folder for device drivers in that folder. You configure a device setup class for the driver in the Allow limited users to install drivers for these device classes policy.

When new hardware is distributed to the users, they complain that they still cannot install the device drivers. You need to enable the users to install the appropriate drivers. You need to minimize the potential impact on network and local computer security.

What should you do?

• Add the users to the Domain Admins group.
• Add each user to the computer’s local Administrators group.
• Provide users with a password to let them execute a command as an administrator.
• Sign the driver package with a certificate present in the computer’s Trusted Publishers certificate store.

Answer 34

Sign the driver package with a certificate present in the computer’s Trusted Publishers certificate store.

You should sign the driver package with a certificate present in the computer’s Trusted Publishers certificate store. For a user to be able to install a driver from a network share, the computer must be configured to search that share for the driver, you must configure a device setup class for the driver in the Allow limited users to install drivers for these device classes policy, and you must sign the driver with a trusted certificate.

You should not add the users to the Domain Admins group or the local Administrators group. Either action would grant the users more permissions than necessary and could result in a security risk.

You should not provide users with a password to let them execute a command as an administrator. This would not enable them to automatically install the device driver. It would also let them run utilities in an administrator context, which is a security risk.

Question 35

You have a computer running Microsoft Windows 7 Professional.

You need to browse an Internet Web site without storing any data locally.

What should you do?

• Turn on SmartScreen Filter.
• Turn on InPrivate Filtering.
• Turn on Work Offline.
• Turn on InPrivate Browsing.

Answer 35

Turn on InPrivate Browsing.

You should turn on InPrivate Browsing. When InPrivate Browsing is enabled, no information about your activity browsing the Internet is stored on the local computer. This includes cookies, history, and temporary Internet files.

You should not turn on SmartScreen Filter. The SmartScreen Filter sends information about the Web site you are visiting to Microsoft. Microsoft then checks the site against its database to determine if it is a phishing site. A phishing site is one that looks like a legitimate site to trick users into providing their authentication credentials. For example, a phishing site might impersonate an online banking site to obtain a username, password, or account number.

You should not turn on InPrivate Filtering. InPrivate Filtering allows you to block information about your browsing patterns from being sent to certain providers.

You should not turn on Work Offline. When Work Offline is enabled, updated content is not downloaded from the Internet. Only cached content can be viewed.

Question 36

You install Microsoft Windows 7 on a computer that you want to use as a reference computer for creating Windows image (WIM) files.

You need to remove any computer-specific information from the installation before creating an image.

What should you do?

• Run OCSetup.
• Run DSIM.
• Run Sysprep.
• Run ImageX.

Answer 36

Run Sysprep.

You should run Sysprep. Specifically, you need to run Sysprep /generalize to remove unique computer information so that the image can be used for installation on one or more different computers.

You should not run OCSetup. The OCSetup command is used to add system components to an online Windows image. It does not generalize the image for distribution.

You should not run Deployment Image Servicing and Management (DISM). DISM is used to service offline Windows images, such as to add drivers to an image. It is not used to prepare a computer for imaging.

You should not run ImageX. The ImageX command is used to create and manage images, but it requires that you first prepare the computer using Sysprep.

Question 37

A computer is running Microsoft Windows 7 Ultimate. The computer has one internal hard disk configured as a simple volume.

The computer stores confidential files on the internal hard disk. The files are protected with NTFS permissions. You need to ensure that the files cannot be read if the hard disk is removed and installed in a different computer.

What should you do?

• Create a FAT32 partition and enable BitLocker.
• Encrypt the files using EFS.
• Enable BitLocker To Go.
• Create an NTFS partition and enable BitLocker.

Answer 37

Create an NTFS partition and enable BitLocker.

You should enable BitLocker. BitLocker is used to secure data on a drive so that it cannot be accessed if the drive is removed and inserted in a different computer, unless the necessary password is provided. You should also create an NTFS partition. BitLocker requires the computer to have a separate system partition that is formatted as NTFS and unencrypted. The partition must be at least 200 MB. If you do not create the partition, BitLocker will create it when you enable it.

You should not create a FAT32 partition. The system partition must be an NTFS partition, not a FAT32 partition.

You should not enable BitLocker To Go. BitLocker To Go is used to secure removable drives, such as a Universal Serial Bus (USB) flash drive.

Encrypting the files with Encrypting File System (EFS) will not meet the requirements. EFS is per-user encryption enforced by Windows, so if the user can access the operating system drive, that user can potentially compromise the encrypted files.

Question 38

A user’s computer is running Microsoft Windows 7. System Protection is enabled.

The user accidentally deletes a file named ProjectFile.doc from the Projects folder in her Documents library. The Recycle Bin has already been emptied.

You need to recover the file for the user.

What should you do?

• Open the Previous Versions tab of the Documents library.
• Open the Previous Versions tab of the Projects folder.
• Open Recovery in the Control Panel and select Restore your files.
• Open Recovery in the Control Panel and select Open System Restore.

Answer 38

Open the Previous Versions tab of the Projects folder.

You should open the Previous Versions tab of the Projects folder. When System Protection is on, shadow copies of files are created each time a restore point is saved. If a file is deleted, the previous version of the file is listed on the Previous Versions tab of the folder that contained the file. You can copy or restore the file from this tab.

You should not open the Previous Versions tab of the Documents library. To recover a file, you need to open Previous Versions on the folder that contained the file, not the library.

You should not open Recovery in the Control Panel and select Restore your files. You use this option to restore files from backup, not to restore a deleted file that was saved in a restore point.

You should not open Recovery in the Control Panel and select Open System Restore. You use this option to restore the operating system settings to a restore point, not to restore a data file.

Question 39

A user who has a computer running Microsoft Windows 7 needs assistance setting up Parental Controls.

You want to see the steps she is performing and the result of each step.

What should you do?

• Log onto her computer through Remote Desktop and view the Parental Controls log in Event Viewer.
• Ask her to save the Operational Log for Parental Controls and e-mail it to you.
• Ask her to repeat the steps using the Problem Steps Recorder and e-mail the output.
• Log onto her computer through Remote Desktop and view the Application log in Event Viewer.

Answer 39

Ask her to repeat the steps using the Problem Steps Recorder and e-mail the output

You should ask her to repeat the steps using the Problem Steps Recorder and e-mail the output. The Problem Steps Recorder takes a screen shot of each step a user takes when performing a task. The user can add comments to the steps, save the output, and e-mail a compressed version of the saved output to a technician.

You should not log onto her computer through Remote Desktop and view the Parental Controls log in Event Viewer. The Parental Controls Operational log stores setting changes related to Parental Controls, but it does not record each step a user takes.

You should not ask her to save the Operational Log for Parental Controls and e-mail it to you. The Parental Controls Operational log stores setting changes related to Parental Controls, but it does not record each step a user takes.

You should not log onto her computer through Remote Desktop and view the Application log in Event Viewer. Applications can write messages to the Application log. It is not used to troubleshoot problems related to a user’s inability to configure Parental Controls.

Question 40

You are configuring your home network. The network will include:

* Desktop computer used at home only with a shared Internet connection
* Two mobile computers used at home and at public WiFi sites
* One mobile computer that you use at home and work

All of the computers will run Microsoft Windows 7. You need to minimize the administration and management necessary to share resources between home computers, with the exception of the computer that is also used at work.

Your computer is part of an Active Directory domain at work. You want to be able to access shared resources at home, but you do not want to have any resources shared automatically from your computer.

What should you do?

• Configure your home network as an Active Directory domain and give all users permission to share resources from their computers.
• Configure your home network manually as a peer-to-peer network and give all users permission to share resources from their computers.
• Configure your home network as a HomeGroup and choose to share resources automatically.
• Configure your home network as a HomeGroup and choose to not share resources automatically.

Answer 40

Configure your home network as a HomeGroup and choose to share resources automatically.

You should configure your home network as a HomeGroup and choose to share resources automatically. Resources, such as music, printers, videos, and so forth will be shared as libraries. You can choose the resource categories to be shared automatically when you set up the network. Because your computer is configured as a domain member at work, it will be able to access resources as part of the HomeGroup, but it will not be able to share resources to other computers.

You should not configure your home network as an Active Directory domain and give all users permission to share resources from their computers. This would require you to set up a computer as an Active Directory domain controller and would carry extensive management and administrative overhead. It would also force you to change domain membership between work and home.

You should not configure your home network manually as a peer-to-peer network and give all users permission to share resources from their computers. Resource sharing and network management would require significant more effort than setting up a HomeGroup.

You should not configure your home network as a HomeGroup and choose to not share resources automatically. This would require you to manually share resources from each of the member computers.

Question 41

A domain member computer running Microsoft Windows XP is shared by multiple users. All users store documents in their My Documents folder.

You are planning to install Windows 7 on the computer. You need to ensure that application settings, user profile settings, and user documents for all users who have logged on in the last 90 days are migrated. Settings and documents for users who have not logged on in the last 90 days should not be migrated. The setting store is located at \fs1\migration.

What command should you use?

• Scanstate /i:migapp.xml /i:migdocs.xml \fs1\migration /ue:90
• Scanstate /i:migapp.xml /i:miguser.xml \fs1\migration /uel:90
• Scanstate /config:migapp.xml /config:migdocs.xml \fs1\migration /uel:90
• Scanstate /config:miguser.xml \fs1\migration /ue:90

Answer 41

Scanstate /i:migapp.xml /i:miguser.xml \fs1\migration /uel:90

You should use the following command:

Scanstate /i:migapp.xml /i:miguser.xml \fs1\migration /uel:90

The ScanState command is used to migrate user settings to a store. The /i option allows you to specify an Extensible Markup Language (XML) script that contains specifications for finding files to migrate. Migapp.xml is a default script that migrates application settings. MigUser.xml is a default script that migrates user profile data, including user settings and documents stored in a user’s My Documents folder. The /uel option allows you to filter the users whose settings are migrated. By including an integer after /uel, you limit the users migrated to those who have logged in within that number of days.

You should not use the following command:

Scanstate /i:migapp.xml /i:migdocs.xml \fs1\migration /ue:90

MigDocs.xml includes rules that locate documents on the computer that are not stored in My Documents and are not located by the rules in MigUsers.xml. The /ue option allows you to exclude a user by specifying a username or a domain name and a wildcard character.

You should not use the following command:

Scanstate /config:migapp.xml /config:migdocs.xml \fs1\migration /uel:90

The /config option allows you to specify a custom XML file generated by running Scanstate /genConfig. Also, the MigUsers.xml script needs to be included if you want to migrate user settings and documents.

You should not use the following command:

Scanstate /config:miguser.xml \fs1\migration /ue:90

The /config option allows you to specify a custom XML file generated by running Scanstate /genConfig. Also, the MigApp.xml script needs to be included if you want to migrate application settings.

Question 42

You recently created a Microsoft Windows 7 image (WIM) file for deployment. The image is currently offline and staged for deployment.

You need to add an application to the image. The application is distributed as a Windows Installer (MSI) file.

What should you do?

• Use Deployment Image Servicing and Management (DISM) to service the image offline.
• Use Deployment Image Servicing and Management (DISM) to service the image online
• Use Windows Optional Component Setup (OCSetup) to service the image offline.
• Use Windows Optional Component Setup (OCSetup) to service the image online.

Answer 42

Use Windows Optional Component Setup (OCSetup) to service the image online.

You should use OCSetup to service the image online. You need to boot the image into audit mode. You must also prepare an unattended installation file for the application that specifies the path to the installation files. OCSetup calls the Windows Installer to run the actual installation.

Audit mode lets you make changes to a Windows installation without requiring you to activate the installation or finalize the computer for end-user use. After making necessary changes to the image, you can then recapture the image and use it as a source for deploying Windows 7.

You should not use DISM to service the image offline or online. DISM is not used to install applications that are distributed using an MSI file. When installing a Component-Based Servicing (CBS) package online, you will use OCSetup to initiate the installation, but OCSetup will internally invoke DISM to run the actual installation.

You should not use OCSetup to service the image offline. The image must be online when installing a Windows Installer application.

Question 43

You have a computer running Windows 7.

You access a company Web site when you are traveling. The Web site is configured to use Integrated authentication.

You do not want to be prompted for credentials when you access the Web site.

What should you do?

• Use User Accounts to change your password to match the password specified on the Web site.
• Use Windows CardSpace to add a card that contains your credentials.
• Use Internet Options to configure InPrivate Filtering settings.
• Use Credential Manager to add a Windows credential to the vault.

Answer 43

Use Credential Manager to add a Windows credential to the vault.

You should use Credential Manager to add a Windows credential to the vault. The vault stores credentials for Web sites, file servers, and other resources you access. You can add Windows credentials, certificates, and generic credentials to the vault. Because Integrated authentication uses Windows credentials, you should add a Windows credential to the vault.

You should not use User Accounts to change your password to match the password specified on the Web site. Although the browser first sends the log on credentials for authentication when Integrated Security is used, both username and password must match. You should not create a separate user account that matches the credentials of the Web sites you need to access. Instead, you should use Credential Manager to store the authentication information securely.

You should not use Windows CardSpace to add a card that contains your credentials. Windows CardSpace allows you to store personal information that can be sent to Web sites. It is not used to manage authentication credentials.

You should not use Internet Options to configure InPrivate Filtering settings. InPrivate Filtering settings allow you to identify the Web sites you will allow to receive data about the Web sites you visit.

Question 44

You have a computer running Microsoft Windows XP Professional. The computer has several applications that store custom settings.

You need to install Windows 7 on the computer.

What should you do?

• Perform an upgrade install of Windows 7
• Run ScanState
• Perform a custom install of Windows 7
• Run LoadState
• Run ScanState
• Perform a custom install of Windows 7
• Run LoadState
• Install the applications
• Run ScanState
• Perform a custom install of Windows 7
• Install the applications
• Run LoadState

Answer 44

Run ScanState
Perform a custom install of Windows 7
Install the applications
Run LoadState

You should do the following:

* Run ScanState
* Perform a custom install of Windows 7
* Install the applications
* Perform LoadState

You must perform a custom (clean) installation when migrating from Windows XP to Windows 7. To preserve application and user settings, you need to first run ScanState and save the settings to an external drive or a network share. Next, you need to install Windows 7 and the applications. Finally, you need to run LoadState to configure the computer with the saved settings. ScanState and LoadState are User State Migration Tool (USMT) commands. USMT migrates settings and data files, but not applications. Because the applications have custom settings, they must be installed before you restore the settings.

You cannot perform an upgrade install of Windows 7 from Windows XP.

Question 45

You have installed Microsoft Windows 7 on a reference computer. The computer is partitioned as shown in the exhibit. Partitions C and D are primary partitions.

You need to capture images for only the required volumes.

What should you do next?

• Use ImageX to capture partitions C and D.
• Use ImageX to capture partition C only.
• Use Diskpart to assign a drive letter to volume 1.
• Use Diskpart to format volume 3 as NTFS

Answer 45

Use ImageX to capture partitions C and D.

You should use ImageX to capture partitions C and D. Both C and D are primary partitions. You must capture all primary partitions except the System Reserved partition and (optionally) the System partition. You capture partitions using ImageX with the /capture option.

You should not use ImageX to capture partition C only. You must also capture partition D. You must capture all primary partitions except the System Reserved partition and (optionally) the System partition.

You should not use Diskpart to assign a drive letter to volume 1. Volume 1 is the System Reserved partition created by default during an installation of Windows 7. You should not create an image of the System Reserved partition.

You should not use Diskpart to format volume 3 as NTFS. You can create an image of either NTFS or FAT32 partitions.

Question 46

You recently upgraded a computer to Windows 7. As part of the process, you migrated the applications that were already running on the computer.

You need to determine if problems with an existing application are caused by potential compatibility issues due to the User Account Control (UAC) feature. You need to collect detailed information for analysis.

What should you do?

• Run the Setup Analysis Tool (SAT).
• Run the User State Migration Tool (USMT).
• Run the Standard User Analyzer (SUA) tool.
• Run Windows AppLocker.

Answer 46

Run the Standard User Analyzer (SUA) tool

You should run the SUA tool. The SUA tool lets you monitor specific applications for problems relating to the UAC feature. The SUA tool collects detailed data for analysis to help you fix any detected problems. There is also a SUA Wizard that steps you through potential fixes for UAC problems, but it does not perform detailed analysis.

You should not run the SAT. The SAT is used to automate application installation and monitor the activities of the application’s installer.

You should not run USMT. USMT would be used to migrate user profile and application setting information. It is not used for troubleshooting compatibility problems.

You should not run Windows AppLocker. AppLocker is used to create and manage rules to control user access to applications and files. AppLocker replaces the Software Restriction Policies feature in earlier versions of Windows.

Question 47

You are responsible for managing several computers running Microsoft Windows 7. Your network is configured as a wide area network (WAN) with multiple routed subnets.

You need to facilitate remote support for computers running Windows 7. Your support solution should minimize the changes necessary on target computers.

What should you do?

• Use Remote Server Administration Tools (RSAT).
• Use PowerShell scripts.
• Use Remote Desktop Services Manager.
• Use Remote Desktop Gateway (RD Gateway).

Answer 47

Use PowerShell scripts.

You should use PowerShell scripts to manage remote computers running Windows 7. You can use PowerShell Windows Management Interface (WMI) scripts to perform most management tasks that might be automated.

Before you can use PowerShell to manage a remote computer, PowerShell must be installed on the computer. Because PowerShell is installed by default with Windows 7, you do not need to make changes to the target computer.

You should not use RSAT. RSAT can be used to remotely manage a computer running Windows 2008 Server and, in many circumstances, Windows 2003 server from a computer running Windows 7. RSAT cannot be used to manage a computer running Windows 7.

You should not use RD Gateway. RD Gateway enables Remote Desktop clients to access resources on remote servers and run applications remotely. RD Gateway is used to provide remote clients with a connection to RD Session Host resources and applications.

You should not use Remote Desktop Services Manager. Remote Desktop Services replaces the Terminal Services support provided with earlier Windows releases. Remote Desktop Services Manager lets you view users, sessions, and processes on a Remote Desktop Session Host (RD Session Host) server. You can manage client connections to the RD Session Host, but you cannot directly manage client computers.

Question 48

You are planning to install Microsoft Windows 7 on a new computer using the distribution media. You want the installation to complete without displaying a user interface unless an error occurs. You want to limit the components that are installed.

What should you do?

• Use the Windows System Image Manager (SIM) to create a file named Unattend.txt. Save the file to a network share.
• Use ImageX to create a file named Sysprep.inf. Save the file to the root of drive C.
• Use the Windows System Image Manager (SIM) to create a file named Autounattend.xml. Save the file to a Universal Serial Bus (USB) flash drive.
• Use Package Manager to create a file named Winbom.ini. Save the file to a network share.

Answer 48

Use the Windows System Image Manager (SIM) to create a file named Autounattend.xml. Save the file to a Universal Serial Bus (USB) flash drive.

You should use the Windows SIM to create a file named Autounattend.xml and save the file to a USB flash drive. The Windows SIM utility is part of the Windows Automated Installation Kit (AIK). It allows you to create answer files that can be used to limit the components installed and the features enabled during an automated installation. The answer file is an Extensible Markup Language (XML) file that is normally named Autounattend.xml. You can store the file on a USB flash drive (UFD) or in another location. If you use a different filename or store the file in a location not included in the implicit search path, you will need to specify the path to the file when you run Setup using the following command:

setup.exe /unattend:filename

You should not use the Windows System Image Manager (SIM) to create a file named Unattend.txt and save the file to a network share. Older versions of Windows used an answer file named Unattend.txt. Windows 7 uses an XML file.

You should not use ImageX to create a file named Sysprep.inf and save the file to the root of drive C. ImageX is used to create an image, not to create an answer file. The Sysprep.inf file was used when creating a Windows XP installation image. It has been replaced by the Unattend.xml file in Windows 7. Also, Sysprep.inf was used with the Sysprep tool, not with Setup.exe.

You should not create a file named Winbom.ini and save the file to a network share. The Winbom.ini file was another answer file used during Windows XP Setup.

Question 49

You have a computer running Microsoft Windows 7.

You need to ensure that only device drivers that have been approved by an administrator can be installed on the computer.

What should you do? (Each correct answer presents part of the solution. Choose two.)

• In Local Security Policy, enable the Only elevate permission for executables that are signed and validated policy.
• In System Properties, select Never install driver software from Windows Update.
• Run Dism on the computer.
• Run Pnputil on the computer.
• In Local Security Policy, enable the Only elevate UIAccess applications that are installed in secure locations policy.

Answer 49

• Run Pnputil on the computer.
• In System Properties, select Never install driver software from Windows Update.

You should run Pnputil on the computer. Windows 7 allows you to stage device drivers to a driver store on a computer. You use the Pnputil command to add a driver to a staged location.

You should also enable Never install driver software from Windows Update in System Properties. By default, Windows searches the driver store, any paths specified in the DevicePath registry key, and Windows Update. If you prevent Windows from using Windows update, only device drivers in the store or in a path listed in the DevicePath registry key will be searched. The search order can be modified through the Specify search order for device driver source locations Group Policy setting.

You should not enable the Only elevate permission for executables that are signed and validated policy. This policy affects whether an unsigned executable can execute with elevated permission. It does not affect which device drivers can be installed.

You should not run Deployment Image Servicing and Management (Dism) on the computer. Dism is a command-line utility that is used to mount and modify installation images and create Windows PE images.

You should not enable the Only elevate UIAccess applications that are installed in secure locations policy. This setting determines whether applications that request User Interface Accessibility access permissions can run if they are installed in a location that is not considered secure. Secure locations are:

\Program Files\Windows\System32\Program Files (x86)

Question 50

You recently backed up system state information for a computer running Microsoft Windows 7. You backed up system state information to the local computer.

You need to restore system state information from that backup.

What should you do?

• Use the System Restore application.
• Use the Windows Backup tool.
• Use the Wbadmin command.
• Use Windows Recovery Environment (RE).

Answer 50

Use the Wbadmin command.

You should use the Wbadmin command. You must use the Wbadmin command to restore system state information for Windows 7. To restore the system state, you would run the following from a command prompt run with administrator privileges:

wbadmin start systemstaterecovery

You should not use the System Restore application. System Restore lets you restore a computer to an established restore point or to a complete PC backup that was created earlier.

You should not use the Windows Backup tool. You cannot use the Backup tool to back up or restore system state information. You must use Wbadmin to back up or restore system state.

You should not use Windows RE to restore system state. Windows RE includes system recovery options, including recovering from a complete backup or a Windows system image, but it does not support system state recovery.

Question 51

You maintain client computers on your network. Scheduled client backups are configured to be stored on network file servers.

You need to periodically back up selected files from a computer running Microsoft Windows 7 to a DVD for offsite storage. You need to minimize the effort needed to accomplish this.

What should you do? (Each correct answer presents a complete solution. Choose two.)

• Use the Backup tool to back up to a network location and copy the backup file to DVD.
• Use Windows Recovery Environment (RE) to back up the files to DVD.
• Use Ntbackup to back up to a network location and copy the backup file to DVD.
• Use Backup to back up directly to DVD.
• Use Wbadmin to back up directly to DVD.

Answer 51

• Use Wbadmin to back up directly to DVD.
• Use Backup to back up directly to DVD.

In Windows 7, you can use Wbadmin or the Backup tool to back up directly to DVD as your backup destination. The disk can then be removed and stored in an offsite location.

You should not use the Backup tool to back up to a network location and copy the backup file to DVD. This would work, but it requires more steps than necessary to accomplish the backup.

You should not use Windows RE to back up the files to DVD. Windows RE provides several options for recovering a system, but not for producing a backup.

You should not use Ntbackup to back up to a network location and copy the backup file to DVD. Windows 7 does not include Ntbackup. There is a version of Ntbackup available for download that will run on Windows 7, but it can only be used to restore files from a backup created using an earlier Windows version of the Ntbackup command.

Question 52

You have a computer running Microsoft Windows 7. The computer is used by 20 different users.

One application does not operate correctly. It operates correctly on a computer running Windows XP.

You need to ensure that all users can run the application. Your solutions should require the least amount of effort.

What should you do?

• On the application’s Compatibility tab, select Windows XP as the Compatibility mode.
• On the application’s Compatibility tab, click Change settings for all users. Select Windows XP as the Compatibility mode.
• Modify the program’s settings in Programs and Features.
• Modify the Application Compatibility settings in local Group Policy.

Answer 52

On the application’s Compatibility tab, click Change settings for all users. Select Windows XP as the Compatibility mode.

You should open the application’s Compatibility tab, click Change settings for all users, and select Windows XP as the Compatibility mode. You can configure application-specific compatibility settings through the Compatibility tab. The settings affect the user who is logged on. To access settings for all users, you need to click Change settings for all users. Because the application ran fine under Windows XP, the first setting you should try is to set the Compatibility mode to Windows XP.

You should not select Windows XP as the Compatibility mode on the application’s Compatibility tab. Doing so would affect the compatibility settings only for the user who is currently logged on.

You should not modify the program’s settings in Programs and Features. You can use Programs and Features to change installation options and uninstall a program. You cannot configure compatibility settings there.

You should not modify the Application Compatibility settings in local Group Policy. The Application Compatibility settings in local Group Policy allow you to enable or disable application compatibility features, such as the Program Compatibility Assistant. It does not allow you to configure compatibility settings for a specific application.

Question 53

Your network is configured as an Active Directory domain. Encrypting File System (EFS) is configured to use self-signed certificates for encryption.

You need to give members of the DataSet group access to an encrypted file on a domain member computer running Microsoft Windows 7. Access should be limited to that file only. You want to minimize the administrative effort necessary to accomplish this.

What should you do?

• Run the cipher command with the /r option to export the recovery certificate and private key.
• Modify Group Policy to identify DataSet members as recovery agents.
• Add the DataSet group through the file’s Advanced properties.
• Add each user individually through the file’s Advanced properties.

Answer 53

Add each user individually through the file’s Advanced properties.

You should add each user individually through the file’s Advanced properties. This will grant these specific users access to the file. Access must be granted on a user-by-user basis when limiting access to a single file.

You should not run the cipher command with the /r option to export the recovery certificate and private key. This would not be necessary in this scenario. You would do this if you were creating a new recovery agent. A recovery agent enables you to recover all of a user’s encrypted files.

You should not modify Group Policy to identify DataSet members as recovery agents. This would provide access to all encrypted files and cannot be limited to a single file.

You should not add the DataSet group through the file’s Advanced properties. Users must be added individually.

Question 54

A user has a Microsoft Windows 7 computer.

The user reports slow performance when accessing data on a Universal Serial Bus (USB) hard disk drive. The data access performance has not always been poor, but has gotten worse over time. The drive is formatted as NTFS.

You need to optimize performance.

What should you tell the user to do?

• Defragment the volume.
• Convert the volume to FAT32.
• Convert the volume to a dynamic disk.
• Update the USB controller driver.

Answer 54

Defragment the volume.

You should tell the user to defragment the volume. Like an internal hard disk volume, a USB hard disk drive can become fragmented over time. You can defragment the volume by displaying the volume’s properties, selecting the Tools tab, and clicking Defragment now.

You cannot convert the volume to FAT32. You cannot convert from NTFS to FAT32. You must reformat, which will result in losing data. Also, NTFS provides better performance than FAT32.

You cannot convert the volume to a dynamic disk. You can only convert an internal hard disk to a dynamic disk. Also, the advantage to using a dynamic disk is the ability to create spanned and striped disks, not to provide better performance.

You should not update the USB controller driver. The problem is not related to the USB controller driver. If it were, the problem would not have gradually gotten worse. When disk access performance gradually worsens, the problem is most likely caused by fragmentation.

Question 55

You are configuring Internet Explorer on Microsoft Windows 7. Internet Explorer is configured as your default Web browser.

A recently configured add-on is causing Internet Explorer to crash every time you launch it from the Start menu. You need to disable support for that add-on. You need to minimize other changes made to the computer’s configuration.

What should you do first?

• Launch Add/Remove programs from the Control Panel.
• Right-click Internet Explorer in the Start menu and click Properties.
• Run Internet Explorer (No Add-ons) from All Programs > Accessories > System Tools.
• Revert to a system recovery point from before installation of the add-on.

Answer 55

Run Internet Explorer (No Add-ons) from All Programs > Accessories > System Tools

You should run Internet Explorer (No Add-ons) from All Programs > Accessories > System Tools. You need to disable the add-on that is causing the problem. To do this, you need to run the Manage Add-on utility. Unlike earlier Internet Explorer versions, Internet Explorer version 8, which ships with Windows 7, lets you manage add-ons after launching Internet Explorer without add-ons. You can disable the add-on causing the problem and then start Internet Explorer normally. You can also run iexplore -extoff from a command line to disable add-ons.

You should not launch Add/Remove programs from the Control Panel. This does not necessarily give you access to the add-on you need to disable.

You should not right-click Internet Explorer in the Start menu and click Properties. This lets you access the properties of the shortcut, but it does not let you manage add-ons.

You should not revert to a system recovery point from before installation of the add-on. This could result in other changes to the computer.

Question 56

Your company has 50 salespeople who have portable computers. Thirty of them are running Windows 7 and 20 are running Windows Vista. The firewall between the Internet and your company’s network does not allow Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP) traffic.

You need to enable the salespeople to connect to servers on the corporate network while they are away from the office.

What should you do?

• Configure a Routing and Remote Access server to use Secure Sockets Tunneling Protocol (SSTP).
• Configure a Routing and Remote Access server to use Network Access Protection (NAP).
• Configure a DirectAccess server in an end-to-edge configuration.
• Configure a DirectAccess server in an end-to-end configuration.

Answer 56

Configure a Routing and Remote Access server to use Secure Sockets Tunneling Protocol (SSTP).

You should configure a Routing and Remote Access server to use SSTP. SSTP is a virtual private network (VPN) protocol supported by Windows Server 2008, Windows Vista, and Windows 7. It uses port 443, so it can pass through firewalls that do not support other VPN protocols.

You should not configure a Routing and Remote Access server to use NAP. NAP is a system health verification and quarantine service, not a VPN protocol. It can be used for VPN connections and other connections to ensure that clients have a supported configuration, including Windows updates and antivirus software.

You should not configure a DirectAccess server in an end-to-edge configuration. Windows Vista computers cannot connect using DirectAccess. An end-to-edge configuration can be used to allow Windows 7 clients to access both Windows Server 2008 and Windows Server 2003 servers on the intranet.

You should not configure a DirectAccess server in an end-to-end configuration. Windows Vista computers cannot connect using DirectAccess. An end-to-end configuration is the most secure because data is encrypted from the client to the server. However, Windows Server 2003 servers cannot be accessed in an end-to-end configuration.

Question 57

You are configuring application restrictions for computers running Windows 7.

You need enable users to run only applications signed with digital signatures from the application manufacturers.

What should you do first?

• Use AppLocker to create a new executable rule for each signed application.
• Use AppLocker to create default executable rules for all users.
• Use AppLocker to create a new executable rule for all signed applications.
• Use AppLocker to create a publisher rule for each signed application.

Answer 57

Use AppLocker to create default executable rules for all users.

You should use AppLocker to create default executable rules for all users. You must create a default rules set before creating the rules to limit users to running signed applications only. Default rules enable all users to run the programs in the default Program Files folder and in the Windows folder.

You should not use AppLocker to create a new executable rule for each signed application. This is not necessary. After creating default rules, you would create a new executable rule for all signed applications.

You should not use AppLocker to create a publisher rule for each signed application. A publisher rule is used to enable rules to apply to an application after an upgrade rather than having to create a new rule each time you upgrade an application.

Question 58

You manage a computer running Windows 7. It connects to your company’s intranet by using DirectAccess.

You need to ensure that the computer automatically downloads only approved updates. Users must still be able to manually install updates from the Microsoft Web site.

What should you do?

• Enable the Give me recommended updates the same way I receive important updates option in Windows Update.
• Enable the Turn on recommended updates via Automatic Update policy in Group Policy.
• Enable the Specify intranet Microsoft Update Service location policy in Group Policy.
• Disable the Allow all users to install updates on this computer option in Windows Update.

Answer 58

Enable the Specify intranet Microsoft Update Service location policy in Group Policy.

You should enable the Specify intranet Microsoft Update Service location policy in Group Policy. This policy allows you to identify a Windows Software Update Service (WSUS) computer to use for downloading Windows updates. Updates on a WSUS computer can be selectively approved. You cannot identify a WSUS server through Windows Update.

You should not enable the Give me recommended updates the same way I receive important updates option in Windows Update. Enabling this option causes recommended updates to be downloaded using the same settings as for important or critical updates.

You should not enable the Turn on recommended updates via Automatic Update policy in Group Policy. Enabling this policy causes recommended updates to be downloaded using the same settings as for important or critical updates.

You should not disable the Allow all users to install updates on this computer option in Windows Update. This setting prevents users from manually installing updates, but it does not affect automatic updates.

Question 59

You are planning to install Microsoft Windows 7 on computers at several different branch offices. You need to be able to install by booting from a Universal Serial Bus (USB) flash drive.

What should you do first?

• Use ImageX to create an image and copy the image to the USB flash drive.
• Use Windows System Image Manager (SIM) to create an image and copy the image to the USB flash drive.
• Use diskpart to create an active primary partition on the USB flash drive and format it as NTFS.
• Use diskpart to create an active primary partition on the USB flash drive and format it as FAT32.

Answer 59

Use diskpart to create an active primary partition on the USB flash drive and format it as FAT32.

You should use diskpart to create an active primary partition on the USB flash drive and format it as FAT32. You need to first prepare the USB drive. To do so, you run diskpart, clean the disk, and then create an active primary partition. You should format the partition as a FAT32 partition. After the partition is prepared, you can copy the installation files from the DVD to the USB flash drive.

You should not use ImageX to create an image and copy the image to the USB flash drive. Images are created using ImageX. However, you must boot using Windows Preinstallation Environment (Windows PE) to apply an image.

You should not use Windows SIM to create an image. Windows SIM is used to create an answer file, not an image.

You should not use diskpart to create an active primary partition on the USB flash drive and format it as NTFS. You must format the partition as FAT32.

Question 60

Your company has a corporate office and three branch offices. All client computers at the branch offices run Microsoft Windows 7.

Flash presentations used for training are located on a server running Windows Server 2008 at the corporate office.

You decide to use BranchCache in Distributed Cache mode to reduce traffic over the Wide Area Network (WAN).

You need to configure the Windows Firewall settings on the Windows 7 computers.

What should you do?

• Allow incoming WS-Discovery and outgoing Hypertext Transfer Protocol (HTTP) traffic.
• Allow incoming Hypertext Transfer Protocol (HTTP) and Server Message Block (SMB) traffic.
• Allow incoming Hypertext Transfer Protocol (HTTP) and WS-Discovery traffic.
• Allow incoming Hypertext Transfer Protocol (HTTP) traffic only.

Answer 60

Allow incoming Hypertext Transfer Protocol (HTTP) and WS-Discovery traffic.

You should allow incoming HTTP and WS-Discovery traffic. BranchCache uses HTTP to transmit data in both Distributed Cache and Hosted Cache mode. In Distributed Cache mode, content can be cached on any client on which BranchCache is enabled. A client uses the WS-Discovery protocol to locate cached content. With Hosted Cache mode, clients are configured with the address of the host, so there is no need to use the WS-Discovery protocol.

You should not allow incoming WS-Discovery and outgoing HTTP traffic. Clients must accept incoming HTTP traffic if they are to receive data.

You should not allow incoming HTTP and SMB traffic. Although BranchCache can be used to cache file share data transmitted over SMB, the data is sent to and retrieved from the cache server using HTTP.

You should not allow incoming HTTP traffic only. If you were using Hosted Cache mode, you would only need to allow incoming HTTP traffic. However, you need to allow WS-Discovery traffic in Distributed Cache mode.

Question 61

You are planning to deploy Microsoft Windows 7 to 500 new computers.

You need to select the most efficient deployment option.

What should you do?

• Use Windows System Image Manager (SIM) to create an image.
• Use Package Manager to create a package.
• Use Microsoft Deployment Toolkit (MDT) to create a deployment point.
• Use Windows Automated Installation Kit (AIK) to create a deployment point.

Answer 61

Use Microsoft Deployment Toolkit (MDT) to create a deployment point.

You should use MDT to create a deployment point. MDT is most suitable for high-volume installations. Clients access the deployment point using Windows Preinstallation Environment (PE), which you can create on removable media or share using Windows Deployment Service (WDS). You can install all necessary customizations in the deployment point.

You cannot use Windows SIM to create an image. Windows SIM is used to create an unattended installation file. Windows SIM is part of the Windows AIK, which is more suitable for creating images to support medium-sized deployments.

You should not use Package Manager to create a package. A package is a feature that can be referenced by an unattended installation file. It is not a full deployment of Windows 7.

You cannot use Windows AIK to create a deployment point. AIK is used to create unattended installation files and images for medium-sized deployments.

Question 62

You are using a public computer that is running Microsoft Windows 7.

You need to visit several locations on the Internet. You need to ensure that the computer you are using does not record your browsing history.

What should you do?

• Enable InPrivate filtering.
• Enable SmartScreen filter.
• Enable InPrivate browsing.
• Enable Phishing filter.

Answer 62

Enable InPrivate browsing.

You should enable InPrivate browsing. You can do this by choosing InPrivate browsing when you open a new browser window or tab. This prevents the computer from maintaining your browsing history. No record of made of addresses and links visited, form data, or passwords used. Any new cookies are treated as session cookies and are not stored. Temporary Internet files are deleted when the private browsing window is closed.

You should not enable InPrivate filtering. InPrivate filtering does not prevent recording of browser history information. Instead, it warns you about third-party content that can view your browsing history and lets you block this access.

You should not enable SmartScreen filter for this purpose, though you will typically want to have the SmartScreen filter enabled. The SmartScreen filter helps block malware and indentify potentially hazardous Web sites.

You should not enable Phishing filter. Phishing filter was replaced by the SmartScreen filter in Windows 7 and Internet Explorer 8.

Question 63

You created a Microsoft Windows 7 image file to support the complete retail edition family. The image is currently configured to install Windows 7 Ultimate by default. You are using Windows Deployment Services (WDS) to distribute the image to the destination computers.

You need to install Windows 7 Professional on two target computers from the custom image. You need to accomplish this with minimal effort. The reference computer originally used to create the image is available.

What should you do?

• Use Deployment Image Servicing and Management (DISM) to modify the image.
• Boot the image on the reference computer and use Windows Optional Component Setup (OCSetup) to modify the image.
• Create a new image from the reference computer.
• Use Windows System Image Manager (SIM) to create a custom unattended installation file.

Answer 63

Create a new image from the reference computer.

You should create a new image from the reference computer. When you create an image, it will contain the editions supported by that edition family, in this case, the retail family. The editions available in the retail and consumer families are:

* Windows 7 Starter
* Windows 7 Home Premium
* Windows 7 Professional
* Windows 7 Ultimate

You can modify an image to have it install a higher edition by default, such as increasing from Windows 7 Home Premium to Windows 7 Professional, but you cannot modify an image to support a lower edition if it is already set to install a higher edition.

You should not use DISM to modify the image. You can use DISM to raise the edition installed by the image, but not lower it. Because the image is set to Windows 7 Ultimate, you cannot drop the edition back to Windows 7 Professional.

You should not boot the image on the reference computer and use OCSetup to modify the image. OCSetup can be used to modify an online image, but not to change the default edition installed by the image.

You should not use Windows SIM to create a custom unattended installation file. This does not give you a way to install a lower Windows 7 edition.

Question 64

You have a Microsoft Windows 7 computer.

Users sometimes need to be able to access resources on the computer across the network.

You need to ensure that only users who have a user account and password on the computer can access resources.

What should you do?

• Create a homegroup.
• Disable Simple file sharing.
• Turn off Network Discovery.
• Turn on password protected file sharing.

Answer 64

Turn on password protected file sharing.

You should turn on password protected file sharing. When password protected file sharing is enabled, a user can only access shared resources on a computer if that user has a user account and password on that computer. You enable password protected file sharing through Advanced sharing settings in the Network and Sharing Center.

You should not create a homegroup. When you create a homegroup, you can share files that can be accessed only by other computers that are joined to the homegroup.

You cannot disable Simple file sharing. Simple file sharing was a Windows XP file sharing method and is not supported by Windows 7.

You should not turn off Network Discovery. Network Discovery allows your computer to locate and be located by other computers on the network.

Question 65

You are preparing to deploy Microsoft Windows 7 from the network. Thirty computers have a 32-bit processor, 20 have an x64 processor, and 10 have an Itanium processor.

You need to deploy Windows 7 using the least number of .wim files.

What should you do?

• Create a .wim file that has both a 32-bit image and an x64 image. Create a separate .wim file that has an Itanium image.
• Create a separate .wim file for each processor.
• Create a .wim file that has a 32-bit image. Create a separate .wim file that has an x64 and an Itanium image.
• Create one .wim file that has an image for each processor.

Answer 65

Create a .wim file that has both a 32-bit image and an x64 image. Create a separate .wim file that has an Itanium image.

You should create a Windows image (.wim) file that has both a 32-bit image and an x64 image and create a separate .wim file that has an Itanium image. You can store a 32-bit image and an x64 image in the same .wim file. To do so, you first create the 32-bit image and then use the /append option of ImageX to append the x64 image. However, you must have a separate .wim file to deploy the Itanium processor installation.

You do not need to create a separate .wim file for each processor. You can store the 32-bit image and the x64 image in the same file.

You should not create a .wim file that has a 32-bit image and create a separate .wim file that has an x64 and an Itanium image. You cannot store an x64 image and an Itanium image in the same file.

You should not create one .wim file that has an image for each processor. The Itanium image must be stored in a separate .wim file.

Question 66

You manage a domain. All client computers in the domain are running Microsoft Windows 7.

You need to allow certain client computers to accept File Transfer Protocol (FTP) requests, but only when they are connected to the domain. All FTP communication must be encrypted.

You need to enable FTP to meet requirements.

What tool should you use?

• IP Security Policy Microsoft Management Console (MMC)
• Netsh firewall
• Windows Firewall with Advanced Security
• Default Programs

Answer 66

Windows Firewall with Advanced Security

You should use Windows Firewall with Advanced Security. Windows Firewall with Advanced Security allows you to create rules that limit traffic by protocol or port. It also allows you to configure security requirements for the connection, including requiring authentication and encryption. Windows Firewall with Advanced Security combines firewall rule definition and IP Security (IPSec) rule definition into one integrated tool.

You should not use the IP Security Policy MMC. This tool can be used to configure more limited rules than Windows Firewall with Advanced Security. It does not allow you to segregate the rule so that it is only applied to the domain network location.

You should not use Netsh firewall. You can configure a limited set of firewall configuration settings by using Netsh firewall. However, you could not configure the necessary rule by using Netsh advfirewall.

You should not use Default Programs. Default Programs allows you to select the program that should be used for specific types of activities, such as browsing or e-mail. It is not used to configure security restrictions on network traffic.

Question 67

You have a computer running Microsoft Windows 7.

The computer has a plug-and-play wireless network adapter. The adapter is not functioning correctly.

You want to reinstall the device driver.

What should you do?

• Use Device Manager to uninstall the driver. Restart the computer.
• Use Device Manager to disable the driver. Restart the computer.
• Run Pnputil -d. Restart the computer.
• Use the Add Hardware Wizard to reinstall the driver

Answer 67

Use Device Manager to uninstall the driver. Restart the computer

You should use Device Manager to uninstall the driver and then restart the computer. When you uninstall the device driver, Windows 7 will automatically detect the plug-and-play device when it is restarted. It will locate the most appropriate driver for the device and install it. Normally, uninstalling a device will cause the computer to restart. However, if the computer does not automatically restart after uninstalling the device, you can also force plug-and-play to locate the device by using the Scan for hardware changes command.

You should not disable the device. When you disable a device, the device driver remains installed. When you restart the computer, Windows 7 will see the device as disabled and will not try to load its device driver.

You should not run Pnputil -d and restart the computer. The Pnputil command is used to manage the driver store. The driver store contains staged device driver files. The -d option removes the staged files from the store, but it does not affect installed device driver files.

You should not use the Add Hardware Wizard to reinstall the driver. You use the Add Hardware Wizard to install drivers for legacy (non-plug-and-play) devices.

Question 68

You have a Microsoft Windows 7 computer that is used by several users.

Users encrypt confidential files by using Encrypting File System (EFS).

You need to ensure that all files can be decrypted if the system fails or a user’s key is damaged.

What should you do first?

• Log on as Administrator and run the Add Recovery Agent wizard.
• Log on as Administrator and run cipher /AddUser.
• Log on as each user and run the Add Recovery Agent wizard.
• Log on as Administrator and run cipher /r.

Answer 68

Log on as Administrator and run cipher /r.

You should first log on as Administrator and run cipher /r. Running the cipher command with the /r option creates a Recovery Agent certificate. You can then install the certificate by using the Add Recovery Agent wizard. To launch the Add Recovery Agent wizard, open Local Security Policy, expand Public Key Policies, right-click Encrypting File System, and choose Add Data Recovery Agent.

You should not log on as Administrator and run the Add Recovery Agent wizard as the first step. You must first create a Recovery Agent certificate.

You should not log on as Administrator and run cipher /AddUser. You use the /AddUser option of the cipher command to associate an additional user certificate with a file.

You should not log on as each user and run the Add Recovery Agent wizard. You must run the Add Recovery Agent wizard as an administrator. Although you can configure multiple recovery agents, any recovery agent can recover the encrypted files for all users.

Question 69

Your company has an Active Directory domain. The company’s network is shown in the exhibit.

A number of users have portable computers running Microsoft Windows 7. These users need to be able to connect to a selected set of servers on the corporate intranet from any location that has an Internet connection. Users need to be able to access Internet resources without going through the intranet. You add a server named RA-Srv running Windows Server 2008 R2 to the perimeter network.

You need to configure the client computers to meet requirements.

What should you do? (Each correct answer presents part of the solution. Choose two.)

• Run the DirectAccess Setup Wizard on RA-Srv. Add IntranetUsers to the DirectAccess Client Setup list.
• Add the laptop computers to a security group named IntranetUsers.
• Create a Group Policy object (GPO) that enables the Client (Respond only) IP Security (IPSec) policy.
• Configure a Virtual Private Network (VPN) connection on each computer.
• Enable a Virtual Private Network (VPN) endpoint on RA-Srv.

Answer 69

• Add the laptop computers to a security group named IntranetUsers.
• Run the DirectAccess Setup Wizard on RA-Srv. Add IntranetUsers to the DirectAccess Client Setup list.

You should do the following:

* Add the laptop computers to a security group named IntranetUsers.
* Run the DirectAccess Setup Wizard on RA-Srv. Add IntranetUsers to the DirectAccess Client Setup list.

DirectAccess allows client computers running Windows 7 or Windows Server 2008 R2 to connect to intranet resources. Connections to Internet resources can be made directly instead of passing through the intranet. A DirectAccess server must be a domain member running Windows Server 2008 R2 and must be located on the perimeter network. It must have two network adapters: a public network adapter and a private network adapter. Both network adapters must be configured for IPv6. The public network adapter must be assigned two publicly-accessible consecutive IPv4 addresses. You configure clients by adding them to a security group and adding that security group to the client list using the DirectAccess Setup Wizard. The necessary GPO containing the client settings is created by the wizard.

You should not create a GPO that enables the Client (Respond only) IPSec policy. Configuring clients to use IPSec is not sufficient to enable them as DirectAccess clients. Other policies must be set so that they can find a network location server and connect to the intranet automatically.

You should not configure a VPN connection on each computer or enable a VPN endpoint on RA-Srv. A VPN connection is used to connect to a VPN endpoint. When a user who is connected to a VPN endpoint attempts to connect to an Internet resource, the request is routed through the intranet.

Question 70

Your company has a corporate office and a branch office. The network is configured as an Active Directory domain. One of the servers at the corporate office is configured as an Enterprise Certification Authority (CA). All client computers are domain members running Microsoft Windows 7.

You install BranchCache on a server named BC-Srv in the branch office and enable BranchCache in Hosted Cache mode using Group Policy.

You need to configure the necessary certificates.

What should you do? (Each correct answer presents part of the solution. Choose two.)

• Run netsh http add sslcert on BC-Srv.
• Run netsh http add sslcert on each client computer.
• Request a server certificate from the CA and import it to BC-Srv.
• Import a certificate into the Windows Vault on each client computer.
• Import the root certificate into Trusted Root Certification Authorities on each client computer.

Answer 70

• Request a server certificate from the CA and import it to BC-Srv.
• Run netsh http add sslcert on BC-Srv.

You should request a server certificate from the CA and import it to BC-Srv. When using BranchCache in Hosted Cache mode, you need to install a server certificate that is trusted by the clients. Because the CA is an Enterprise CA and the clients are domain members, the CA is trusted.

You should also run netsh http add sslcert on BC-Srv. This command links the certificate to the BranchCache service. You will need to specify the IP address and port the service will listen on, the application identifier for the service, and the thumbprint of the certificate.

You should not run netsh http add sslcert on each client computer. The certificate should be imported and linked on the server, not on each client.

You should not import a certificate into the Windows Vault on each client computer. Windows Vault is used to store authentication credentials for a Windows 7 user. It is not used to store BranchCache certificates.

You should not import the root certificate into Trusted Root Certification Authorities on each client computer. Because the CA is an Enterprise CA, the root certificate is already trusted by the computer.

Question 71

You have a computer running Microsoft Windows 7.

Users report poor performance when executing a specific program with a Windows Experience Index of 3. You run the Performance tool. A portion of the results are shown in the exhibit.

You need to recommend the change that will have the most positive impact on the user’s experience.

What should you recommend?

• Add more RAM.
• Upgrade to the 64-bit version of Windows 7.
• Upgrade the graphics adapter.
• Upgrade to Windows 7 Enterprise edition

Answer 71

Upgrade the graphics adapter.

You should upgrade the graphics adapter. The performance tool analyzes each component and identifies a Windows Experience Index subscore. It then creates a base score based on the lowest subscore. The base score indicates the Windows Experience Index at which applications will run efficiently. Upgrading hardware that already has a higher Windows Experience Index than the base score will not affect the way applications run. In this case, the graphics adapter has the lowest subscore, so the best upgrade would be to replace the graphics adapter with a more efficient one.

You should not add more RAM. The 1 GB of RAM is sufficient for running Windows 7. The system would be faster with more RAM, but the RAM is not the biggest bottleneck in this case.

You should not upgrade to the 64-bit version of Windows 7. Although the computer has a 64-bit processor, it does not have enough RAM to support an upgrade to the 64-bit version of Windows 7. The 64-bit version requires 2 GB of RAM.

You should not upgrade to Windows 7 Enterprise. Windows 7 Enterprise includes additional features suitable for use in an Active Directory domain environment. There is no performance difference between Windows 7 Ultimate and Windows 7 Enterprise.

Question 72

You are planning to deploy Microsoft Windows 7 to 150 computers running Windows XP by using Windows Deployment Service (WDS). All computers are domain members. Fifty of the computers require a network adapter driver that is not included with Windows 7.

You need to install Windows 7 on the computers using the least amount of effort.

What should you do?

• Export the Preinstallation Environment (PE) image, add the network adapter driver, and copy the PE image to a USB flash drive.
• Export the Preinstallation Environment (PE) image, add the network adapter driver, and import the PE image.
• Add the network adapter driver to the Boot.wim file on the deployment server.
• Create an Unattend.xml file and create a Group Policy Startup script that launches Setup using the Unattend.xml file.

Answer 72

Add the network adapter driver to the Boot.wim file on the deployment server.

You should add the network adapter driver to the Boot.wim file on the deployment server. The Boot.wim file defines the Windows PE environment used to boot the computer. When the computer starts up, Pre-eXecution Environment (PXE) will locate the deployment server and obtain the Boot.wim file. If more than one Boot.wim file appropriate to the computer exists, the user will be prompted with a menu to select one. WDS allows you to add driver packages to the Boot.wim file that are necessary for booting the computer and connecting to the network share. In this case, you need a network adapter driver, but you can also add mass storage controllers to the Boot.wim file.

You should not export the PE image, add the network adapter driver, and copy the PE image to a USB flash drive. While you could boot the computer from a USB flash drive, doing so requires more effort than using PXE-boot to access the install image from the WDS server.

You should not export the PE image, add the network adapter driver, and import the PE image. Although you can use the Windows Automated Installation Kit (WAIK) to perform this task, doing so requires more effort than simply modifying the Boot.wim file using WDS.

You should not create an Unattend.xml file and create a Group Policy Startup script that launches Setup using the Unattend.xml file. You cannot launch Windows 7 Setup from Group Policy. You must start the computer using a PE image to perform a clean installation

Question 73

Your company’s network is configured as a workgroup. You have a Microsoft Windows 7 computer that is configured with the networks shown in the exhibit. Your network has a wireless adapter named Belkin_N_Wireless_BF327F.

The user can connect to the Internet but cannot access other computers on the local network.

You need to resolve the problem while maintaining the best possible security.

What should you do?

• Enable Network Discovery for Public networks.
• Enable File sharing for Public networks.
• Change the network location to Work.
• Change the address of the Domain Name System (DNS) server.

Answer 73

Change the network location to Work.

You should change the network location to Work. By default, a Public network does not permit a user to connect to computers on the local network. It only allows limited access, such as browsing Web pages.

You should not enable Network Discovery for Public networks. When Network Discovery is enabled, a computer can locate and be located by other computers on the local network. Network Discovery is enabled by default for Work and Home networks, but not for Public networks. If you enable Network Discovery for Public networks, you will be able to access other computers on the network, but this setting will affect all Public networks. Therefore, if you connect to a network at a Wi-Fi hotspot, other computers connected to that hotspot will be able to see the computer.

You should not enable File sharing for Public networks. When file sharing is enabled, you can share files with other computers on the network. However, this setting would apply to all public networks, so it would negatively affect the computer’s security.

You should not change the address of the DNS server. The problem is not caused by incorrect DNS settings. The problem is caused by the fact that the network location is set to Public. DNS is used to resolve host names to IP addresses. If you had the wrong DNS setting, you would be unable to access resources on the Internet.

Question 74

You have installed Microsoft Windows 7 on 100 computers that are domain members. Your company uses Remote Assistance to allow technicians to troubleshoot problems on users’ computers.

A user initiates a remote assistance request. When the technician attempts to perform an operation, an elevation of permission dialog is displayed for the user, but not for the technician.

You need to enable technicians to provide administrative credentials without disclosing them to the user. Your solution should provide the best possible security.

What should you do?

• In Group Policy, enable the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop policy.
• In Group Policy, disable the User Account Control: Switch to the secure desktop when prompting for elevation policy.
• Instruct users to select the Allow IT Expert to respond to User Account Control prompts option when creating the invitation.
• On each computer, change the User Account Control Settings to Never Notify.

Answer 74

In Group Policy, enable the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop policy.

You should enable the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop policy. Remote assistance is an example of a User Interface Accessibility (UIAccess) application. When this policy is enabled, the elevation prompt is displayed on the interactive desktop, and is therefore accessible to the remote technician.

You should not disable the User Account Control: Switch to the secure desktop when prompting for elevation policy. When this policy is disabled, UAC will not switch to the secure desktop for any elevation prompt. This option is less secure than only allowing UIAccess applications to display an elevation prompt on the interactive desktop.

You should not instruct users to select the Allow IT Expert to respond to User Account Control prompts option when creating the invitation. If users select this option without enabling the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop policy, remote technicians will not see or be able to respond to the elevation prompt.

You should not change the User Account Control Settings to Never Notify on each computer. When UAC is set to this level, users logged on as an Administrator can perform actions without being prompted for elevation. Actions that require administrator permissions will not succeed when performed by a standard user.

Question 75

You deployed Microsoft Windows 7 on several mobile computers in your organization.

Working groups within your organization use USB flash drives for temporary storage of sensitive data. You need to configure Group Policy so that data is automatically encrypted on the USB flash drives. Other members of the working group should be able to read from and write to the data on the flash drives, but only when they are logged on as part of your organization’s Active Directory domain.

Your solution should put minimal requirements on domain users to use and maintain secure data. The solution must be as secure as possible.

What should you do? (Each correct answer presents part of the solution. Choose two.)

• Require BitLocker To Go on the mobile computers.
• Configure access to encrypted data based on password.
• Configure access to encrypted data based on domain user credentials.
• Require BitLocker on the mobile computers.
• Configure access to encrypted data based on SmartCard and personal identification number (PIN)

Answer 75

• Require BitLocker To Go on the mobile computers.
• Configure access to encrypted data based on domain user credentials.

You should require BitLocker To Go on the mobile computers and configure access to encrypted data based on domain user credentials. BitLocker To Go is used to encrypt the contents of removable media, such as removable drives and USB flash drives. By basing access on domain user credentials, you can limit access to when users are logged on to the domain. Because users will be authenticated by user account, user requirements are kept to a minimum.

You should not require BitLocker on the mobile computers. BitLocker is used to encrypt internal hard disk drives. Specific features vary depending on whether or not the computer includes Trusted Platform Module (TPM) version 1.2 hardware.

You should not configure access to encrypted data based on password. This is not as secure as basing access on user credentials. If a user knows the password, he or she can access the data whether or not he or she is logged onto the domain. Also, passwords can be relatively easily compromised, completely circumventing the protection placed on the data.

You should not configure access to encrypted data based on SmartCard and PIN. This is secure, but it is less convenient to users than basing access on user authentication credentials.

Question 76

You have a Microsoft Windows 7 computer that is used for video processing.

The computer has three basic disks. The operating system is installed on one basic disk.

You need to optimize disk access for performing the video processing.

What should you do first?

• Create a striped volume using the two non-system disks.
• Create a spanned volume using the two non-system disks.
• Convert the two non-system disks to dynamic disks.
• Create a mirrored volume using the two non-system disks.

Answer 76

Convert the two non-system disks to dynamic disks.

You should first convert the two non-system disks to dynamic disks. A basic disk can only support primary partitions, extended partitions, and logical disks. In this case, you want to create a striped volume across the two non-system disks to provide the best performance. A striped volume offers excellent performance because data can be read and written to two disks simultaneously. It does not offer fault tolerance. However, this scenario does not require fault tolerance.

You cannot create a striped volume using the two non-system disks first. You must first convert the disks to dynamic disks.

You should not create a spanned volume using the two non-system disks. A spanned volume increases disk space on a logical volume by extending a volume onto a second physical disk. However, data is written and read sequentially, so it provides no performance boost. Also, a spanned volume can only be created on dynamic disks.

You should not create a mirrored volume using the two non-system disks. A mirrored volume provides fault tolerance by storing a copy of the same data on two disks. A mirrored volume can only be created on dynamic disks.

Question 77

You are planning to deploy Microsoft Windows 7 by using a network-based image. The computers in the London office must be joined to the London domain during installation. The computers in the New York office must be joined to the NewYork domain during installation.

You are creating an answer file. You need to select the configuration pass at which you will apply the domain configuration settings.

Which configuration pass should you select?

• oobeSystem
• windowsPE
• specialize
• offlineServicing

Answer 77

specialize

You should apply the settings during the specialize configuration pass. The specialize configuration pass is used to apply machine-specific settings, such as network settings, domain membership, or configuring a default home page.

You should not apply the settings during the oobeSystem configuration pass. The oobeSystem configuration pass occurs the first time a user logs in, before the Windows Welcome screen displays. This is the configuration pass in which the Windows Welcome screen displays. You should use this configuration pass to configure user environment settings.

You should not apply the settings during the windowsPE configuration pass. A setting applied during the windowsPE configuration pass configures the environment used to run Setup. For example, you would partition the hard disk during the windowsPE configuration pass.

You should not apply the settings during the offlineServicing configuration pass. The offlineServicing configuration pass is used to apply packages to an offline image. A package might include updates, language packs, or drivers.

Question 78

You are planning to deploy the 64-bit version of Microsoft Windows 7 Ultimate to 20 computers. The computers have the following configuration:

* x64 processor
* 1 GB of RAM
* 200-GB hard disk
* DirectX 9 graphics device with WDDM 1.0

Applications that will be installed after the operating system installation require 100 GB of disk space. You need to ensure that users have at least 50 GB of disk space available for data files.

You need to identify the necessary hardware upgrades to the computers to meet the minimum system requirements.

What component or components must be upgraded?

• RAM and hard disk
• RAM
• Hard disk and graphics card
• Hard disk

Answer 78

RAM

You need to upgrade the RAM. The 64-bit version of Windows 7 requires a 64-bit processor, 2 GB of RAM, 20 GB of hard disk space, and a DirectX 9 graphics device with WDDM 1.0 or higher. The computers only have 1 GB of RAM, so the RAM must be upgraded.

You do not need to upgrade the hard disk space. The operating system will use 20 GB of disk space. Therefore, the total disk space used by operating system and applications is 120 GB, leaving 80 GB for the paging file and data files.

You do not need to upgrade the graphics card. The graphics card meets the minimum requirement.

Question 79

You manage a small network. All network clients run either Microsoft Windows 7 or Windows Vista.

You need to know what applications are installed on each of the network clients. You need to gather this information as quickly as possible and with minimal effort.

What should you do?

• Use AppLocker
• Use the Add or Remove Programs utility.
• Use enhanced auditing.
• Use the Application Compatibility Toolkit (ACT).

Answer 79

Use the Application Compatibility Toolkit (ACT).

You should use the ACT. The primary purpose of the ACT is to determine if installed applications are compatible and, if not, how to make them compatible. However, the ACT includes the ability to collect information about installed applications without having to do the analysis for compatibility. This gives you a quick way to generate an application inventory.

You should not use AppLocker. AppLocker lets you control the applications installed on client computers and limit clients to approved applications. It does not include a way to create an application inventory for client computers.

You should not use the Add or Remove Programs utility. This Control Panel utility can be used to display a list of applications that have been installed on each of the clients, but this must be done separately on each client, and the inventory list must be compiled manually.

You should not use enhanced auditing. Enhanced auditing can be used to track various types of user and system activity, but it does not provide a way to track installed software as a central inventory database.

Question 80

After installing an application on a Microsoft Windows 7 computer, you notice that the computer takes a long time to start up.

You want to prevent the application from loading automatically when the computer starts. Users must still be able to start the application manually.

Which utility should you use to resolve the problem?

• Services
• Default Programs
• System Configuration
• Programs and Features

Answer 80

System Configuration

You should use System Configuration. The Startup tab of the System Configuration tool (msconfig.exe) allows you to select the programs that load during startup.

You should not use Services. The Services utility allows you to manage which Windows services start automatically, manually, or are disabled. The problem is caused by an application, not a Windows service.

You should not use Default Programs. The Default Programs Control Panel allows you to configure which browser, e-mail program, and instant messaging program are used by default.

You should not use Programs and Features. The Programs and Features Control Panel allows you to uninstall programs and change the program features that are installed. It does not allow you to configure whether a program is loaded at startup.

Question 81

You deploy four new computers in a remote office that already supports 15 client computers running Microsoft Windows XP and Windows Vista.

The existing computers are set up with static IP addresses in the 192.168.10.x network.

The new computers are running Windows 7 Professional. The computers running Windows 7 can communicate with each other only. The new computers have IPv4 addresses ranging between 169.254.254.20 and 169.254.254.200 and do not have a default gateway configured.

You need to configure the computers to communicate both with other computers in the office and with the rest of the network. This needs to be completed as quickly as possible.

What should you do?

• Configure the computers running Windows 7 to receive IPv4 address information automatically.
• Specify the nearest gateway as the default gateway for each of the computers running Windows 7.
• Update the computers running Windows XP to Windows Vista or Windows 7.
• Configure TCP/IP on the new Windows 7 computers.

Answer 81

Configure TCP/IP on the new Windows 7 computers.

You should manually configure TCP/IP on the new Windows 7 computers. The scenario states that the other computers in the office have static IP addresses. There is also no mention of a DHCP server. Also, the new Windows 7 computers have addresses in the Automatic Private IP Addressing (APIPA) range, which includes 169.254.0.0 through 169.254.255.255, and have no default gateway assigned. When an address is assigned by APIPA, only an address and subnet mask are assigned. Default gateway values are not generated. A Windows 7 computer is assigned an address in the APIPA range when it is configured to receive its IP address automatically and it cannot contact the DHCP server. Therefore, you can conclude that the computers need to have their IP configuration set manually.

You should not configure the computers running Windows 7 to receive IPv4 address information automatically. The most likely problem is that the computers are already configured to receive an address automatically. Because the remote office is configured with static IP addresses, you can assume that there is no DHCP server. The new Windows 7 computers are automatically generating addresses through APIPA. The computer’s IPv4 addresses are part of the APIPA range, which includes 169.254.0.0 through 169.254.255.255. When an address is assigned by APIPA, only an address and subnet mask are assigned. Default gateway values are not generated.

You should not specify the nearest gateway as the default gateway for each of the computers running Windows 7. Lack of a default gateway would not prevent the new Windows 7 computers from communicating with other local computers. A default gateway is used to communicate with other subnets, but clients with APIPA addresses would not be able to communicate through the gateway.

You should not update the computers running Windows XP to Windows Vista or Windows 7. The new Windows 7 computers are attempting to contact the DHCP server for IP addresses. Computers running Windows XP do not prevent computers running Windows 7 in the same subnet from receiving DHCP address leases.

Question 82

You are configuring a small peer-to-peer network to support file and resource sharing on a per-user basis through HomeGroup. All of the computers on the network run Microsoft Windows 7.

You need to configure authentication to provide access on a per-user basis. You need to minimize the effort required and the changes to the network necessary to accomplish this.

What should you do?

• Create an online identification (ID) for each valid user.
• Configure the default location as a public location on each computer.
• Require the computers to use Kerberos authentication.
• Reconfigure the network as an Active Directory domain.

Answer 82

Create an online identification (ID) for each valid user.

You should create an online ID for each valid user. The online ID is linked to a Windows user and is used to authenticate access to shared resources. This process relies on the Public Key Cryptography Based User-to-User (PKU2U) protocol. This protocol is specifically designed to support the use of online IDs for authentication.

You should not configure the default location as a public location on each computer. To set up HomeGroup with online IDs, you need to configure the computers for a home location.

You should not require the computers to use Kerberos authentication. Kerberos is used as the default authentication in Active Directory domains to provide mutual authentication.

You should not reconfigure the network as an Active Directory domain. This is not necessary to meet the scenario requirements and would require excessive reconfiguration and ongoing management.

Question 83

You manage a computer running Microsoft Windows 7. The computer fails to complete the boot process after you install a new hard disk device driver.

You need to get the computer booting as quickly as possible. You need to minimize the data lost in the process.

What should you do?

• Boot in Windows Recovery Environment (RE) to run a system restore.
• Boot using the Last Known Good Configuration.
• Boot from the installation DVD and reinstall Windows 7 as a repair installation.
• Boot in Windows Recovery Environment (RE) and disable the hard disk driver.

Answer 83

Boot using the Last Known Good Configuration.

You should boot using the Last Known Good Configuration. Because the computer has been unable to restart since installing the new driver, using the Last Known Good Configuration will revert to the original device driver. This should enable you to boot the computer successfully.

You should not boot in Windows RE to run a system restore. This would take longer than trying the Last Known Good Configuration and would not necessarily work. Depending on how the computer is configured, a restore point might not have been created when you installed the device driver.

You should not boot from the installation DVD and reinstall Windows 7 as a repair installation. While this will likely correct the problem, it will take much longer than using the Last Known Good Configuration.

You should not boot in Windows RE and disable the hard disk driver. Some critical drivers cannot be disabled. If you can disable the hard disk driver, the computer will not be able to restart.

Question 84

You install Microsoft Windows 7 in a dual-boot configuration on a computer that is already running Windows Vista.

The computer is configured to automatically boot to Windows 7. You need to configure the computer to automatically boot to Windows Vista the next time it starts up. The computer should then boot to Windows 7 again on subsequent boots. You want to keep the effort necessary to do this to a minimum.

What should you do?

• Run the BCDedit command.
• Run the Bootcfg.exe command.
• Edit the Boot.ini file.
• Use Windows System Image Manager (SIM)

Answer 84

Run the BCDedit command.

You should run the BCDedit command. The BCDedit command lets you edit Boot Configuration Data (BCD) files. The BCDedit /bootsequence command makes a one-time change to the boot order. On the next boot, the boot menu reverts to its original setting. You can use the BCDedit /displayorder option to permanently change the boot order to boot to a different operating system by default.

You should not run the Bootcfg.exe command. This command is similar to BCDedit, but it was used with earlier Windows versions and does not support the same functionality as BCDedit.

You should not edit the Boot.ini file. This is how you could change the boot order on earlier Windows versions, but any changes made are permanent until you reedit the file.

You should not use Windows SIM. Windows SIM is not used to manage Windows installations. It is used to manage installation images and catalogs.

Question 85

A Microsoft Windows 7 computer has a one hard disk configured as two simple volumes, a single 32-bit processor, 1.5 GB of RAM, and a Universal Serial Bus (USB) controller. The user has a USB flash drive.

The user reports poor performance when performing some tasks. You analyze the computer and discover a large amount of paging activity.

You need to optimize performance.

What should you do?

• Move the paging file to the USB flash drive.
• Enable ReadyBoost on the hard disk.
• Move the paging file to a different hard disk volume than the operating system
• Enable ReadyBoost on a USB flash drive.

Answer 85

Enable ReadyBoost on a USB flash drive

You should enable ReadyBoost on a USB flash drive. ReadyBoost allows you to allocate space on a USB flash drive or flash memory card to use as RAM. Using ReadyBoost can speed performance because less paging will be required to the paging file.

You cannot move the paging file to the USB flash drive. You cannot place a paging file on removable storage.

You cannot enable ReadyBoost on the hard disk. You can only enable ReadyBoost on a USB flash drive or flash memory card.

You should not move the paging file to a different hard disk volume than the operating system. Moving the paging file to a different volume on the same physical disk will not affect performance. Moving a paging file to a different physical disk than the one where the operating system is installed will improve performance.

Question 86

You manage several computers running Microsoft Windows 7. Your network is configured as multiple routed subnets.

You need to automate management procedures for remote computers running Windows 7. You have created and distributed PowerShell scripts. The scripts are included as part of a domain Group Policy object (GPO) linked to all domain computers at the domain level.

You need to control when PowerShell scripts execute as logon scripts. The PowerShell scripts should run before other scripts. You should be able to disable the scripts if necessary. You need to minimize the effort necessary to accomplish this.

What should you do?

• Configure the domain Group Policy that is currently linked to domain computers to run PowerShell scripts first.
• Create a local policy that includes the scripts as logon scripts.
• Modify the current linked policy to ensure that PowerShell scripts are listed first.
• Create a new GPO to control execution and link it to the appropriate Organizational Units (OUs) within the domain.

Answer 86

Configure the domain Group Policy that is currently linked to domain computers to run PowerShell scripts first.

You should configure the domain Group Policy that is currently linked to domain computers to run PowerShell scripts first. You can control this through the Run Windows PowerShell scripts first at user logon, logoff setting, which can be set through either user or computer policies. When this setting is enabled, PowerShell scripts execute before other (non-PowerShell) scripts.

The default setting for this policy (Not configured) causes non-PowerShell scripts to run first. Because of this, you must configure the policy and set it to Enabled.

You should not create a local policy that includes the scripts as logon scripts. Local policies must be managed on a per-computer basis and would require significantly more effort to maintain.

You should not modify the current linked policy to ensure that PowerShell scripts are listed first. The relative order of execution between PowerShell and non-PowerShell scripts is not controlled through the order in which they are listed.

You should not create a new GPO to control execution and link it to the appropriate Organizational Units (OUs) within the domain. There is no need to do this because the existing GPO, linked at the domain level, can be used.

Question 87

All client computers in your company are managed computers running Microsoft Windows 7.

Your company uses a proprietary application that is updated several times a year.

You need to ensure that users can run only that application.

What should you do?

• Create an Executable rule that allows access based on the Publisher condition.
• Create an Executable rule that allows access based on the Hash condition.
• Create an Executable rule that allows access based on the Path condition.
• Create an Executable rule that denies access based on the Path condition.

Answer 87

Create an Executable rule that allows access based on the Publisher condition.

You should create an Executable rule that allows access based on the Publisher condition. An AppLocker Executable rule is used to limit the users who can launch .EXE and.COM files. When Executable rules are enforced, all applications except those that match an Allow rule are prevented from running. An Allow rule based on the Publisher condition allows only applications signed by that publisher to be launched. You can use a wildcard character (*) to create a rule that allows all signed applications to run.

You should not create an Executable rule that allows access based on the Hash condition. The Hash condition compares the hash of a file being launched to make sure no bits have changed. While a Hash condition is very secure, it is not very maintainable because the rule would need to be updated each time a new version of the application is deployed.

You should not create an Executable rule that allows access based on the Path condition. The Path condition checks the path of the program being launched. You can easily circumvent a Path rule by installing unauthorized applications into an authorized path.

You should not create an Executable rule that denies access based on the Path condition. By default, access is denied to all applications that do not match an Allow rule

Question 88

A computer is running Microsoft Windows 7.

You need to identify any device drivers that do not have a valid digital signature.

What should you do?

• Run the SignTool utility.
• Run the Sigverif command.
• Use Credential Manager.
• Use Device Manager.

Answer 88

Run the Sigverif command

You should run the Sigverif command. The Sigverif command launches the File Signature Verification tool. The File Signature Verification tool scans the system and identifies any system files and drivers that do not have a valid digital signature. The File Signature Verification tool is included with Windows 7 and can be launched from a command prompt. It creates a log file with a default name of Sigverif.log that lists each file scanned, its version, modification date, whether it is signed, the name of the catalog if there is one, and the file’s signer.

You should not run the SignTool utility. The SignTool utility can be used to sign a file or to verify the signature of a specific file. It does not scan the computer for system files and drivers and verify their signatures. The SignTool utility is available by installing the Windows Driver Kit.

You should not use Credential Manager. You use Credential Manager to manage Windows authentication credentials, user certificates, and other authentication credentials, such as your Windows Live sign-on credentials.

You should not use Device Manager. You use Device Manager to troubleshoot device configuration problems, such as drivers that are not loaded correctly or device conflicts. There is no option to scan for unsigned device drivers

Question 89

You are configuring Internet Explorer support for computers running Microsoft Windows 7. The computers are part of an Active Directory domain.

You want to prevent users from disabling detection of unsafe sites and potential malware. You want to minimize the impact on users’ ability to manage other Internet Explorer configuration settings.

What policy do you need to enable?

• Turn off InPrivate Filtering
• Turn off InPrivate Browsing
• Disable the Security Page
• Turn off Managing SmartScreen Filter

Answer 89

Turn off Managing SmartScreen Filter

You need to enable the Turn off Managing SmartScreen Filter policy. This will prevent users from making changes to the SmartScreen filter policy configured for their computers. The SmartScreen filter is similar to the Phishing filter introduced with Internet Explorer 7, but it contains several improvements, including improved anti-malware support.

You should not enable the Turn off InPrivate Filtering policy or the Turn off InPrivate Browsing policy. These policies are used to control InPrivate settings. InPrivate browsing and InPrivate filtering prevent retention of browsing history for the current session.

You should not enable the Disable the Security Page policy. This would prevent the user from making any changes to Internet Explorer security configuration settings.

Question 90

You are configuring networking for a Windows 7 wireless client.

You want the Windows 7 computer to connect to a wireless access point (WAP) that does not broadcast its service set identifier (SSID). You need to minimize the possibility of compromising network security.

What should you do?

• Configure the network properties to connect automatically to the WAP when in range.
• Configure the network properties to connect automatically to the WAP when in range and connect even if the network is not broadcasting.
• Manually connect to the network listed as Unnamed Network and enter the SSID when prompted.
• Modify the WAP to have it broadcast its SSID.

Answer 90

Manually connect to the network listed as Unnamed Network and enter the SSID when prompted.

You should manually connect to the network listed as Unnamed Network and enter the SSID when prompted. This solution ensures that the WAP is sent probe packages only when the client connects, minimizing the possibility of compromising the SSID.

Configuring a WAP to not broadcast its SSID is not a reliable security measure. Even though the WAP is not regularly broadcasting its SSID, it will send its SSID as the response to a probe by a wireless client. Wireless clients configured for automatic connection will probe the WAP every 60 seconds, increasing the possibility that the SSID could be detected.

You should not configure the network properties to connect automatically to the WAP when in range. This setting is used to automatically connect to wireless networks that broadcast their SSIDs.

You should not configure the network properties to connect automatically to the WAP when in range and connect even if the network is not broadcasting. This will cause the WAP’s SSID to be listed as an available network and will cause the WAP to be probed regularly, potentially exposing it to unauthorized users.

You should not modify the WAP to have it broadcast its SSID. This would make the WAP readily visible to any client in range. Even though not broadcasting the SSID is not a reliable security measure, broadcasting the SSID is even less secure. This is because broadcasting the SSID announces the existence of the WAP whether or not any valid clients are attempting to connect to the WAP.

Question 91

You have 10 computers running Microsoft Windows Vista Business, 10 computers running Windows XP Professional, and 10 computers running Windows Vista Enterprise.

You plan to standardize all computers to run Windows 7 Enterprise.

Which computers can be directly upgraded?

• The Windows Vista Business and Windows Vista Enterprise computers
• The Windows Vista Enterprise computers only
• The Windows XP Professional and Windows Vista Enterprise computers
• All computers

Answer 91

The Windows Vista Business and Windows Vista Enterprise computers

You can directly upgrade Windows Vista Business and Windows Vista Enterprise computers to Windows 7 Enterprise edition.

You cannot upgrade Windows XP Professional computers to Windows 7. You must perform a migration. You can migrate settings using either Easy Transfer or the User Settings Migration Tool (USMT). You must select a Custom installation.

Supported upgrade paths do not affect the availability of upgrade pricing. You can purchase Windows 7 for an upgrade price even if your current edition of Windows Vista does not support an upgrade to the edition of Windows 7 you purchase. However, you would need to migrate settings and perform a Custom installation instead of performing an upgrade.

Question 92

You are planning to deploy Microsoft Windows 7 to 100 computers by using a network-based image. The computers have a network adapter that requires a driver that is not included with Windows 7.

You need to enable the computers to apply the image.

What should you do?

• Boot each computer to the existing operating system.
• Create a Windows PE image that includes the network adapter driver and Windows System Image Manager (SIM).
• Create a Windows PE image that includes the network adapter driver and ImageX.
• Create a system repair disc that includes the network adapter driver.

Answer 92

Create a Windows PE image that includes the network adapter driver and ImageX.

You should create a Windows Preinstallation Environment (PE) image that includes the network adapter driver and ImageX. System images are applied by booting to Windows PE and running ImageX with the /apply option. Because the network adapter driver is not included in Windows 7, you need to ensure that it is installed on the Windows PE image.

You should not boot each computer to the existing operating system. You can only apply an image if the computer is booted to Windows PE.

You should not create a Windows PE image that includes the network adapter driver and Windows SIM. Windows SIM is used to create answer files, not to apply images.

You should not create a system repair disc that includes the network adapter driver. A system repair disc is used to boot a computer to the Windows Recovery Environment (RE) and can be used to recover a failed system. It cannot be used to apply an installation image.

Question 93

You are using a single Class C address to configure a remote office.

You need to configure the remote office to support five subnets with up of 12 users per subnet. You are planning on the number of users per subnet to eventually double. You need to identify the correct IPv4 subnet mask.

Which subnet mask should you use?

• 255.255.255.192
• 255.255.255.224
• 255.255.255.240
• 255.255.255.248

Answer 93

255.255.255.224

You should use 255.255.255.224 as the subnet mask. This provides for three network address bits, which supports up to eight subnets. This subnet mask supports up to 30 hosts per subnet, enough to meet current and future requirements.

You should not use 255.255.255.192. This configuration supports four subnets, so it does not meet the requirements.

You should not use 255.255.255.240. This subnet mask supports up to 16 subnets, but only 14 hosts per subnet. It meets current needs, but not future requirements.

You should not use 255.255.255.248. This subnet mask supports no more than six hosts per subnet.

Question 94

You are determining disk requirements for a computer running Microsoft Windows 7.

You need to configure the computer to support native boot of Windows 7 from a virtual hard disk (VHD). You need to keep local hard disk file size to a minimum. You also need to optimize disk performance.

What should you do?

• Compress the VHD file using NTFS compression.
• Create the VHD as a dynamic VHD file on a local hard disk.
• Create the VHD as a fixed VHD file on a local hard disk.
• Create the VHD as a differencing VHD on a remote share

Answer 94

Create the VHD as a fixed VHD file on a local hard disk.

You should create the VHD as a fixed VHD file on a local hard disk. The three supported VHD file types are fixed, dynamic, and differencing. A fixed-type VHD is recommended for production environment use. Creating the VHD as a fixed VHD file on a local hard disk lets you ensure that the VHD file is created at a fixed size. A fixed-type VHD provides the best disk performance. For best performance, the volume hosting the VHD should also have sufficient space to host the paging file.

You should not compress the VHD file by using NTFS compression. A compressed VHD file does not support native boot.

You should not create the VHD as a dynamic VHD file on a local hard disk. The VHD is expanded to its maximum file size during startup. A dynamic VHD does not make the best use of disk space or provide disk performance as good as a fixed-type VHD.

You should not create the VHD as a differencing VHD on a remote share. A VHD on a remote share or a USB flash drive does not support native boot.

Question 95

You are planning to deploy Microsoft Windows 7 by using an image located on a network share. You install Windows 7 on a reference computer and make the necessary configuration changes. You generalize the system.

You need to capture the image.

What should you do?

• Boot the reference computer from a Windows PE image and run ImageX.
• Boot the reference computer from a Windows PE image and run Windows System Image Manager (SIM).
• Boot the reference computer from the Windows 7 installation DVD and run ImageX.
• Boot the reference computer from the Windows 7 installation DVD and run Windows System Image Manager (SIM).

Answer 95

Boot the reference computer from a Windows PE image and run ImageX.

You should boot the reference computer from a Windows Preinstallation Environment (PE) image and run ImageX. The ImageX utility allows you to capture, mount, and apply images. Before you can capture an image, you need to create a Windows PE image that includes ImageX and then boot the reference computer from that image.

You should not boot the reference computer from a Windows PE image and run Windows SIM. Windows SIM is used to create answer files, not to capture images. You cannot execute Windows SIM from a Windows PE environment.

You should not boot the reference computer from the Windows 7 installation DVD and run ImageX. You must boot the computer to a Windows PE environment that includes the ImageX tool. Your only options when booting from the Windows 7 installation DVD are to install Windows 7 or repair a Windows 7 installation.

You should not boot the reference computer from the Windows 7 installation DVD and run Windows SIM. Windows SIM is used to create answer files, not to capture images. Also, you cannot launch Windows SIM by booting from the Windows 7 installation DVD. Your only options when booting from the Windows 7 installation DVD are to install Windows 7 or repair a Windows 7 installation.

Question 96

You copy a Microsoft Windows 7 native-boot virtual hard disk (VHD) to a BIOS-based computer with an existing Windows 7 installation. You run Windows PE DiskPart to attach the VHD.

You need to add the Windows 7 VHD to your existing boot menu.

What should you do?

• Restart the computer.
• Run BCDedit.
• Run BCDboot.
• Run ImageX.

Answer 96

Run BCDedit.

You need to run BCDedit. BCDedit lets you modify an existing Boot Configuration Data (BCD) store to include the VHD in the boot menu. Windows 7 can boot directly from the VHD.

You should not restart the computer as your only action. The computer will restart using the current default boot option and will not modify the boot menu.

You should not run BCDboot. You would use BCDboot if the computer were running an earlier Windows version to update the boot environment and support booting from a VHD. Because you already have an instance of Windows 7 installed on the computer, there is no need to run BCDboot.

You should not run ImageX. You would use ImageX to create a bootable image and prepare a VHD, not to make the VHD available for startup.

Question 97

Your network is configured as a single Active Directory domain. You share a printer to the network from a computer running Microsoft Windows 7. You remove the default share permissions.

You want members of the DataProc group to be able to print to the shared printer. Group members should be able to manage their own documents, but not other users’ documents. You need to minimize the effort needed to meet these requirements. The solution must support Windows 7, Windows Vista, and Windows XP.

What should you do?

• Create a new printer filter.
• Add the DataProc group to the Printer Operators group.
• Assign the DataProc group the shared Print permission.
• Deploy the printer and assign permissions through Group Policy.

Answer 97

Assign the DataProc group the shared Print permission.

You should assign the DataProc group the shared Print permission. This enables members of the DataProc group to submit documents for printing and for each user to manage his or her own documents. Users cannot manage other users’ documents. By default, the Everyone group is assigned the print permission when you share a printer. Because you removed the default share permissions, you must explicitly assign the Print permission to the DataProc group.

You should not create a new printer filter. A printer filter is used to control what printers are displayed, not to control printer permissions.

You should not add the DataProc group to the Printer Operators group. Members of the Printer Operators group can manage their own print jobs as well as other users’ print jobs.

You should not deploy the printer and assign permissions through Group Policy. Client computers not running Windows 7 are not supported by default when you deploy printers through Group Policy. For other clients, you would need to have the PushPrinterConnections.exe tool run from a startup script on the client

Question 98

You have a computer running Microsoft Windows 7 Professional. You create the AppLocker rules shown in the exhibit.

Members of the Temps group are still able to launch applications stored in the CompanyData folder.

You need to ensure that members of Temps are restricted from launching applications stored in CompanyData.

What should you do?

• Create a Script rule that denies Temps access to applications in C:\CompanyData.
• Upgrade the computer to Windows 7 Ultimate.
• In AppLocker properties, configure executable rules and select Enforce.
• Delete the default rules

Answer 98

Upgrade the computer to Windows 7 Ultimate.

You should upgrade the computer to Windows 7 Ultimate. Although you can create AppLocker rules on a computer running Windows 7 Professional, you cannot enforce them. You must upgrade to either Windows 7 Ultimate or Windows 7 Enterprise to enforce AppLocker rules.

You should not create a Script rule that denies Temps access to applications in C:\CompanyData. A script rule is used to allow or limit access to a specific script. A script rule does not affect executable files.

You should not configure executable rules and select Enforce in AppLocker Properties. You cannot enforce AppLocker rules on a computer running Windows 7 Professional.

You should not delete the default rules. The default rules allow Everyone access to programs in the Program Files folder and the Windows folder and allow Administrators access to all programs.

Question 99

You are configuring a router as the default gateway for the subnet with the network address 192.168.123.128/26.

You need to select a valid address for the default gateway.

Which address should you use?

• 192.168.123.001
• 192.168.123.128
• 192.168.123.154
• 192.168.123.192

Answer 99

192.168.123.154

You should use 192.168.123.154. This is part of the subnet defined as 192.168.123.128/26. This is equivalent to a network address of 192.168.123.128 with a subnet address of 255.255.255.192. The default gateway must have a valid address in the subnet’s address range. The valid range, in this case, is 192.168.123.129 - 192.168.123.190.

You should not use 192.168.123.001. This host address is part of a different subnet, the 192.168.123.0/26 subnet.

You should not use 192.168.123.128 or 192.168.123.192. These are both network addresses in this configuration and cannot be assigned as host addresses.

Question 100

You are planning to deploy Microsoft Windows 7 on a small number of computers. You do not want to run a full install on the computers.

You set up a technician computer and create a virtual hard disk (VHD). You need to apply a Windows 7 image to the VHD before copying the VHD to a network share for distribution.

What should you do?

• Use BCDboot.
• Use Deployment Image Servicing and Management (DISM).
• Use ImageX.
• Use Copy.

Answer 100

Use ImageX.

You should use ImageX to apply the image to the VHD. After creating the VHD, you would prepare a reference computer, use ImageX to capture the image, and then use ImageX to copy that image to the VHD. You would then dismount the VHD and use Copy to copy it to a network share or USB drive for distribution.

You should not use BCDboot to prepare the native-boot VHD image. You would need BCDboot if you applied the VHD to a computer that did not already support a Windows 7 boot environment to enable the computer to boot from the VHD.

You should not use DISM. DISM is used to service a Windows image, not to distribute the image or apply it to a VHD.

You should not use the Copy command to apply the image to the VHD. After applying the image, you would use the Copy command to distribute the image.

Question 101

You are configuring Windows Server Update Services (WSUS) 3.0 for your network. Remote offices connect to main office through low bandwidth links. Client computers running Microsoft Windows 7 are deployed in the remote offices. Computers in the remote offices are configured to connect directly to the Internet.

You need to centrally control which updates are applied to remote computers. You need to minimize the traffic related to WSUS over the remote links. The effort necessary to maintain the solution should be kept to a minimum.

What should you do?

• Deploy a central WSUS server in the main office and have remote computers download a list of updates to be installed, but not the updates, from the main office. Have remote computers directly download the updates.
• Deploy a central WSUS server in the main office and downstream servers in the remote offices in replica mode.
• Deploy downstream WSUS servers in the remote offices and have them retrieve a list of updates to be installed, but not the updates, from an upstream server in the main office. Have remote computers directly download the updates.
• Deploy a central WSUS server in the main office and downstream servers in the remote offices in autonomous mode.

Answer 101

Deploy downstream WSUS servers in the remote offices and have them retrieve a list of updates to be installed, but not the updates, from an upstream server in the main office. Have remote computers directly download the updates.

You should deploy downstream WSUS servers in the remote offices and have them retrieve a list of updates to be installed, but not the updates, from an upstream server in the main office. You should have remote computers directly download the updates. This gives you central control over which updates are applied, but because only the list of updates is downloaded to the remote servers, the traffic generated is kept to a minimum. Downloading the updates does not impact traffic over the remote links because remote computers connect directly to the Internet.

You should not deploy a central WSUS server in the main office and have remote computers download a list of the updates to be installed, but not the updates, from the main office and then have remote computers directly download the updates. Because each computer retrieves the list of updates individually from the WSUS server in the main office, traffic over the link is not minimized.

You should not deploy a central WSUS server in the main office and downstream servers in the remote offices in replica mode. In this configuration, updates, approval status, and computer groups are downloaded to the downstream server, so traffic over the remote link is not minimized.

You should not deploy a central WSUS server in the main office and downstream servers in the remote offices in autonomous mode. In this configuration, downstream servers are managed separately, so updates are not centrally managed. This configuration also has the greatest bandwidth requirements.

Question 102

At your organization, technician computers run Microsoft Windows 7 Ultimate. Technicians need to be able to test software against a standard system configuration. You create a virtual hard disk (VHD) and configure it.

You need to allow technicians to boot the computer by using the VHD.

What should you do first?

• Use Hyper-V to create a virtual machine.
• Use Diskpart to attach the VHD.
• Execute Bcdedit.
• Modify the Boot.ini file.

Answer 102

Use Diskpart to attach the VHD.

You should use Diskpart to attach the VHD. You must attach the VHD as a hard disk before you can boot from it. You can use either Diskpart or Disk Management to attach the VHD. After attaching the VHD, you can use Bcdedit to add the VHD to the boot menu and, if applicable, set it as the default boot option.

You should not use Hyper-V to create a virtual machine. A virtual machine runs inside a session of Windows. You cannot boot a computer from a virtual machine.

You should not execute Bcdedit first. You must attach the VHD and then run Bcdedit to add it to the boot menu.

You should not modify the Boot.ini file. In older versions of Windows, you created a boot menu by editing the Boot.ini file. The default partitioning scheme of Windows 7 creates a hidden partition that is used to boot the system. You can change the boot menu by using Bcdedit.

Question 103

Your organization’s first line of support for client computers is a remote support desk.

Support personnel need a way to remotely create a system restore point before troubleshooting computers running Microsoft Windows 7.

What should they use?

• Windows Recovery Environment (RE)
• Wbadmin
• PowerShell scripting
• Remote Server Administration Tools (RSAT)

Answer 103

PowerShell scripting

Support personnel should use PowerShell scripting to remotely create and restore from system restore points. PowerShell 2.0 on Windows 7 lets you use the WS-Management (WS-MAN) protocol to run cmdlets to perform these actions on remote computers.

They should not use Windows RE. Windows RE is run locally, not remotely. Also, you can use Windows RE to restore from a system restore point, but not create a restore point.

They should not use Wbadmin. Wbadmin is the Windows backup and restore command line utility and is not used to create restore points.

They should not use RSAT. RSAT is used with PowerShell for remote group policy management.

Question 104

Your company has a large number of computers running Microsoft Windows 7. Your technician computer is also running Windows 7.

You want to view all the critical system events for all computers on the network from your technician computer.

You need to configure the technician computer.

What should you do? (Each correct answer presents part of the solution. Choose two.)

• Launch a command prompt with elevated permission and run winrm quickconfig
• Add the computer accounts for the source computers to the Administrators group.
• Create an event subscription.
• Launch a command prompt with elevated permission and run wecutil qc
• Launch a command prompt with elevated permission and run winrm configSDDL

Answer 104

• Launch a command prompt with elevated permission and run wecutil qc
• Create an event subscription.

You should launch a command prompt with elevated permission and run wecutil qc. The Windows Event Collector Utility (wecutil) configures a computer to perform WS-Management data collection when run with the qc option.

You should also create an event subscription on the collector computer. You can create an event subscription using Event Viewer or by using the cs option of wecutil.

You do not need to launch a command prompt with elevated permission and run winrm quickconfig on the technician computer. The Windows Remote Management Command Line Tool (winrm) allows you to configure a computer to accept WS-Management requests. These requests are sent by the collector to the source computers by default. You would only need to run winrm quickconfig on the collector computer if you needed to optimize collection by minimizing either bandwidth or latency.

You should not add the computer accounts for the source computers to the Administrators group on the technician computer. Instead, you need to add the computer account for the technician computer to the Administrators group on each source computer.

Question 105

You have a portable computer running Microsoft Windows 7.

You need to use a different printer when you are at the office than when you are at home.

You need to configure Windows 7.

What should you do?

• Access Devices and Printers. Select a printer and choose Manage Default Printers.
• Access Network and Sharing Center. Select Change advanced sharing settings.
• Access Default Programs. Select Set program access and computer defaults.
• Access the Hardware tab of System Properties. Select Device Installation Settings.

Answer 105

Access Devices and Printers. Select a printer and choose Manage Default Printers.

You should access Devices and Printers, select a printer, and choose Manage Default Printers. The Manage Default Printers dialog box allows you to associate a printer with a network location.

You should not access Network and Sharing Center and select Change advanced sharing settings. The Change advanced sharing settings option allows you to change the security settings for Home, Work, and Public networks. For example, you can enable or disable Network Discovery and configure file sharing options.

You should not access Default Programs and select Set program access and computer defaults. This option is used to identify the programs used for certain activities, such as Web browsing and e-mail.

You should not access the Hardware tab of System Properties and select Device Installation Settings. This option is used to configure whether device drivers can be downloaded from Windows Update.

Question 106

You use an image on a network share to deploy Microsoft Windows 7 computers at the corporate office. The installation image uses an unattended installation file to install a custom application.

You are planning to deploy Windows 7 to branch office computers by using the same image on a DVD.

What should you do next?

• Create a configuration set.
• Create a package.
• Append the distribution share to the image.
• Dismount the image.

Answer 106

Create a configuration set.

You should create a configuration set. A configuration set is a subset of a distribution share that is suitable for installations from removable media. It contains the binaries that are referenced in the Unattend.xml file.

You should not create a package. A package is used to deploy operating system updates and language packs.

You should not append the distribution share to the image. The /append option of ImageX is used to append multiple images to a .wim file, not to append files in a distribution share.

You should not dismount the image. You mount an image to make changes to it and dismount it after changes have been made.

Question 107

You are configuring remote connectivity for a mobile client running Microsoft Windows 7.

You need to configure mobile clients so that a virtual private network (VPN) tunnel is reestablished automatically for the client when moving from a wired to a wireless connection. You must select the appropriate tunneling protocol for this purpose. You should minimize the effort necessary to configure the network to support reconnection.

What should you do?

• Use Secure Socket Tunneling Protocol (SSTP).
• Use IP Security (IPSec) Tunnel Mode with Internet Key Exchange version 2 (IKEv2).
• Use Point-to-Point Tunneling Protocol (PPTP).
• Use Layer Two Tunneling Protocol/IP Security (L2TP/IPSec).

Answer 107

Use IP Security (IPSec) Tunnel Mode with Internet Key Exchange version 2 (IKEv2).

You should use IKEv2. The ability to automatically reestablish a VPN tunnel, known as VPN reconnect, is a feature of Windows 7 and Windows Server 2008. IKEv2 is the only tunneling protocol that supports VPN reconnect.

When using IKEv2 and VPN reconnect, a client is automatically reconnected when switching between wired and wireless connections, moving between different wireless access points, or temporarily losing Internet connection. Typically, if a VPN connection is lost, even temporarily, it must be manually reestablished.

You should not use SSTP, PPTP, or L2TP/IPSec. These are all valid tunneling protocols and supported by Windows 7, but none of these protocols support VPN Reconnect.

Question 108

A Microsoft Windows 7 computer is configured to obtain IPv6 settings from a Dynamic Host Configuration Protocol (DHCP) server.

You need to view the IPv6 configuration of the computer from a remote system.

Which utility should you use?

• Ipconfig
• Netstat
• Net view
• Netsh

Answer 108

Netsh

You should use Netsh. The Netsh utility allows you to view and configure IPv6 settings on a local computer or a remote computer. To view the addresses on a local computer, you would run the following:

netsh interface ipv6 show addresses

To view the addresses on a remote computer, run netsh with the -r option and specify the name of the computer.

You should not use Ipconfig. You can use IPconfig to display the IPv6 configuration of the local computer, but not of the remote computer.

You should not use Netstat. The Netstat utility is used to list the listening ports on a computer.

You should not use Net view. The Net view command is used to list the computers on the network.

Question 109

You are configuring device driver settings for a non-plug-and-play device on a computer running Microsoft Windows 7.

The device is not critical to system operations, but it is needed to support device detection any time Windows 7 is running. The driver should start after drivers that are critical to system operations. You need to configure the device startup type.

What should you do?

• Configure the startup type as Automatic.
• Configure the startup type as Boot.
• Configure the startup type as Demand.
• Configure the startup type as System.

Answer 109

Configure the startup type as Automatic.

You should configure the startup type as Automatic. This setting is used for device drivers that should start after drivers critical to basic system operation. This setting enables the driver to support detection.

You configure the Startup type through Device Manager. Before you can manage non-plug-and-play devices, you must select Show hidden devices from the Device Manager View menu. You can then choose to view and manage non-plug-and-play devices.

You should not configure the startup type as Boot. The Boot startup type is used for the first device drivers to start during system startup and should be used only for drivers critical to basic system operations.

You should not configure the startup type as Demand. Demand is used to identify drivers that are started on an as-needed basis. This setting does not support device detection.

You should not configure the startup type as System. Like Boot devices, this is used for devices that are essential for system operation. System startup type devices start after devices configured as Boot startup type devices.

Question 110

You are configuring computers running Microsoft Windows 7 for smart card domain logon. You have already purchased Personal Identity Verification (PIV) standard compliant smart cards for this purpose.

You need to configure the computers to support the smart cards. You need to keep the effort necessary to accomplish this to a minimum. The computers do not have access to the Internet.

What should you do?

• Insert the smart card in the computers’ smart card readers and manually install the device driver.
• Insert the smart card in the computers’ smart card readers.
• Insert the smart card in the computers’ smart card readers and manually install support middleware.
• Insert the smart card in the computers’ smart card readers, download the appropriate driver from Windows Update from a computer with Internet access, and install the driver.

Answer 110

Insert the smart card in the computers’ smart card readers.

You should insert the smart card in the computers’ smart card readers. This is all that is necessary for a PIV-compliant smart card on a computer running Windows 7. Even if the vendor-specific driver is not available, the correct minidriver for a smart card is retrieved automatically and will support smart card logon.

You should not manually install the device driver after inserting the smart card in the computers’ smart card readers. Smart card logon does not require a vendor-specific driver. In many cases, the appropriate driver is published through Windows Update rather than shipped with the smart card. If the computers could connect to the Internet, you would likely let the computers download a manufacturer-specific driver. This is not possible in this case because the computers cannot connect to the Internet.

You should not manually install support middleware after inserting the smart card in the computers’ smart card readers. When used with Windows 7, additional middleware is not required in this scenario.

You should not download the appropriate driver from Windows Update from a computer with Internet access and install the driver. This requires more effort than necessary because the Windows 7 minidriver supports this type of smart card logon.

Question 111

Your network is configured as an Active Directory domain. Domain clients run either Microsoft Windows Vista or Windows 7. All network clients are currently configured to go into Standby after 30 minutes of inactivity. Users are not prompted for authentication when coming out of Standby mode.

You need to configure client computers to require a password when a computer wakes. You need to keep the effort necessary to accomplish this to a minimum.

What should you do?

• Create and link a domain Group Policy for power management to have the computers enter Hibernation instead of Standby.
• Create a Local Policy for startup to execute Powercfg.exe on each computer.
• Configure Local Policy for power management to require a password when a computer resumes from Standby.
• Configure Local Policy for power management to have the computers enter Hibernation instead of Standby.
• Create and link a domain Group Policy for power management to require a password when a computer resumes from Standby.

Answer 111

Create and link a domain Group Policy for power management to require a password when a computer resumes from Standby.

You should create and link a domain Group Policy for power management to require a password when a computer resumes from Standby. This will cause the client computers for a password when waking. This policy will apply to computers running Windows 7, Windows Vista, and Windows XP.

You should not create and link a domain Group Policy or configure Local Policy for power management to have the computers enter Hibernation instead of Standby. This does nothing to cause a computer to prompt for a password when waking.

You should not create Local Policy for startup to execute Powercfg.exe on each computer. Powercfg.exe can be used to configure power management, but this solution would require more effort than necessary.

You should not configure Local Policy for power management to require a password when a computer resumes from Standby. This would properly configure the clients, but it would require more effort than using Group Policy.

Question 112

You are configuring wireless access for Windows 7 clients.

You want to use user names and passwords for authentication. You need to ensure that a secure channel is used between the client and the authenticating authority. You plan to use a Network Policy Server (NPS) for authentication. You need to keep the network changes to a minimum.

What should you do?

• Use Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS).
• Use Extensible Authentication Protocol (EAP)-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).
• Use Protected Extensible Authentication Protocol (PEAP)-Transport Layer Security (TLS).
• Use Protected Extensible Authentication Protocol (PEAP)-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).

Answer 112

Use Protected Extensible Authentication Protocol (PEAP)-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).

You should use PEAP-MS-CHAP-v2. MS-CHAP-v2 provides authentication based on user name and password. PEAP provides a secure TLS-encrypted channel between the client and the authenticating server.

You should not use EAP-TLS or PEAP-TLS. These authentication methods are based on the use of client certificates or smart cards, rather than user name and password.

You should not use EAP-MS-CHAP-v2. EAP does not provide an encrypted channel between the client and authenticating server.

Question 113

You are configuring network support for computers running Windows 7. The network will be configured as multiple routed subnets.

You need to configure support for IPv6. You need to provide IPv6 host name resolution throughout the network. You want to minimize the effort necessary to deploy and maintain the solution.

What should you do?

• Deploy a Domain Name System (DNS) server on each subnet.
• Use Link-local Multicast Name Resolution (LLMNR).
• Deploy separate Domain Name System (DNS) servers for IPv4 and IPv6.
• Deploy a single Domain Name System (DNS) server.

Answer 113

Deploy a single Domain Name System (DNS) server.

You should deploy a single DNS server. A DNS server can provide host name resolution for both IPv6 and IPv4 addresses. You can use a single DNS server to provide host name support throughout the network if network clients are configured as DNS clients configured with the DNS server’s address.

You should not deploy a DNS server on each subnet. Typically, there is no reason to configure and deploy a DNS server on each subnet. One DNS server can typically support all hosts at a single site.

You should not use LLMNR for name resolution. LLMNR supports name resolution on the local subnet only.

You should not deploy separate DNS servers for IPv4 and IPv6. There is no need for separate servers, so this would require more effort than necessary. A single DNS server can be used to support both IPv4 and IPv6 addresses.

Question 114

You are preparing several computers for delivery to different remote offices in your organization. After the computers are delivered, a technician will perform a clean installation of Microsoft Windows 7.

You need to specify corporate defaults for Windows welcome screens and apply appropriate regional settings for the United States and Canada. The custom welcome is needed in both English and French. You need to keep the deployment procedure as simple as possible.

What should you do?

• Create a single Oobe.xml file and a single Unattend.xml file.
• Create separate Oobe.xml files and separate Unattend.xml files for English and French.
• Create a single Oobe.xml file. Do not create an Unattend.xml file.
• Create separate Oobe.xml files for English and French. Do not create an Unattend.xml file.

Answer 114

Create separate Oobe.xml files for English and French. Do not create an Unattend.xml file.

You need to create separate Oobe.xml files for English and French. You should not create an Unattend.xml file in this scenario because it is not required for the scenario. You can accomplish the scenario requirements using Oobe.xml files only.

The Oobe.xml file is used to customize Windows Welcome, OEM First Run application, and ISP Signup for an installation image. You can support multiple languages through a single image by providing a separate Oobe.xml file for each language. You would place the United States English file in the folder:

\%WINDIR%\system32\oobe\info\244\1033
You would place the French language file with the Canadian settings in the folder:

\%WINDIR%\system32\oobe\info\39\1036
You should not create a single Oobe.xml file. To keep the deployment as simple as possible, you should use a single deployment image. To support multiple languages, you need multiple Oobe.xml files.

You should not create an Unattend.xml file. If you are only customizing Windows Welcome and regional settings, a custom Unattend.xml file is not needed.

Question 115

You are preparing to distribute Microsoft Windows 7 in your organization. You have already created the Windows image (WIM) file that you plan to use and a catalog file for the image.

You need to create an unattended answer file to use with the image that will be used for most of the installations. You want to keep the effort needed to create the file to a minimum. You need to ensure that you only include components that are available in the Windows image.

What should you do?

• Manually create and edit the Unattend.xml file.
• Use Windows System Image Manager (SIM).
• Use Sysprep.
• Use Deployment Image Servicing and Management (DISM).

Answer 115

Use Windows System Image Manager (SIM).

You should use Windows SIM. Windows SIM provides a graphic user interface (GUI) that lets you create unattended installation answer files based on the components available in a Windows image file. This makes it possible to quickly create an answer file based on a specific image.

You should not manually create and edit the Unattend.xml file. While this is possible, it is not recommended because of the amount of editing required and the potential for introducing errors in the file.

You should not use Sysprep. Sysprep is used to prepare a source computer for use to create an image, not for creating an answer file from an existing image.

You should not use DISM. DISM lets you apply an unattended answer file to an image when installing multiple packages to a Windows image. It is not used to create or modify answer files.

Question 116

A user in your company has a portable Microsoft Windows 7 computer. He works in the main office but frequently travels to client sites for sales presentations.

The user reports that when he gives sales presentations on his computer, the display often goes blank while he is speaking.

You attempt to change the Power Option settings, but are unable to do so. The Advanced Settings tab for Power Options is shown in the exhibit.

You need to allow the user’s laptop display to remain active for up to 30 minutes when the laptop is plugged in.

What should you do?

• Select the High Performance power plan.
• Change the Turn Off the Display (Plugged In) policy in Group Policy.
• Plug in the laptop and then change the Plugged in (Minutes) setting.
• Create a custom power plan

Answer 116

Change the Turn Off the Display (Plugged In) policy in Group Policy.

You should change the Turn Off the Display (Plugged In) policy in Group Policy. When power settings are applied through Group Policy, they override settings defined in Power Options and prevent users from changing those settings using Power Options.

You should not select the High Performance power plan. The High Performance power plan’s default value for turning off the display is 15 minutes. Also, the setting in Group Policy will override the setting that is set by the High Performance power plan.

You should not plug in the laptop and then change the Plugged in (Minutes) setting. Plugging in the laptop will not affect the availability of the setting.

You should not create a custom power plan. A custom power plan would allow you to change the setting if it was not being set by Group Policy. However, Group Policy overrides all power plans, including custom power plans.

Question 117

You manage a computer running Microsoft Windows 7. The computer is part of a small local area network (LAN).

You download an updated network adapter device driver from the adapter’s manufacturer and install it on the computer. Your computer is configured to not create a restore point when installing a new device driver.

After you restart the computer, you are not able to connect to the network. You determine that the network adapter device driver did not initialize properly. You need to reconnect to the network as quickly as possible. You need to minimize the changes made to the computer.

What should you do?

• Restart the computer and select the option to start from the last known good configuration.
• Restore the computer from the most recent backup.
• Recover to the most recent system restore point.
• Roll back to the previous driver and restart the computer normally.

Answer 117

Roll back to the previous driver and restart the computer normally.

You should roll back to the previous driver and restart the computer normally. You would use the Device Manager to display driver information and then roll back to the previous driver. When you install a new device driver, Windows retains the previous driver version.

You should not restart the computer and select the option to start from the last known good configuration. Because the computer completed a successful startup after changing the device driver, using the last known good configuration will not change the device driver used and will not modify the computer’s configuration.

You should not restore the computer from the most recent backup. This will revert the computer to the state it was in when the backup was made. This might correct the problem, but it would make more changes than necessary to the computer.

You should not recover to the most recent system restore point. This would rollback any changes back to that point and could make more changes than necessary to the computer unless the restore point was created just before the new driver was installed.

Question 118

You are migrating a computer to Microsoft Windows 7. You log onto the computer as an administrator and run the following:

ScanState \myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml /o

The source operating system includes user profiles for several domain user accounts. You want to migrate the user profile for the user TedS only. TedS is not an administrator. You do not want to migrate any local accounts.

What should you do?

• Log on as TedS at the destination and run the following:

LoadState \myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml /lac /lae

• Log on as TedS at the destination and run the following:

LoadState \myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml

• Log on as an administrator at the destination and run the following:

LoadState \myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml /lac /lae

• Log on as an administrator at the destination and run the following:

LoadState \myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml

Answer 118

Log on as TedS at the destination and run the following:
LoadState \myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml

You should log on as TedS at the destination and run the following command:

LoadState \myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml

When you run LoadState as a user other than an administrator, user profile information for that user only is migrated.

You should not log on as TedS at the destination and run the following command:

LoadState \myserv\migration\tempstore /i:Miguser.xml /i:Migapp.xml /lac /lae

The /lac and /lae options are used for migrating local account profiles.

You should not log on as an administrator before running LoadState. This will cause all user profiles collected by the ScanState command to be migrated. If you include the /lac and /lae options, you will migrate all domain and all local user profiles.

Question 119

You are configuring offline file support over a low-bandwidth link. The client computers run Microsoft Windows 7.

You need to minimize the traffic generated when a client accesses the same documents from a remote server multiple times. You need to ensure that the data is cached locally on the client.

What should you do?

• Implement mobile broadband device support.
• Implement DirectAccess.
• Implement BranchCache.
• Implement transparent caching.

Answer 119

Implement transparent caching.

You should implement transparent caching. With transparent caching, the requested file is cached locally on the client. Subsequent access requests are serviced from the cache, as long as the file has not changed on the source server. The server is contacted to determine if the file has changed before the client accesses the cached copy. Any changes are written to the server, not the cached copy.

You should not implement mobile broadband device support. This is a feature of Windows 7 that provides for a consistent user interface for working with broadband devices from various manufacturers.

You should not implement DirectAccess. DirectAccess allows users to connect to enterprise network resources over the Internet. This makes the user experience when connecting to resources over the Internet nearly the same as when connecting directly to the enterprise network.

You should not implement BranchCache. BranchCache caches a copy of a file locally, but not necessarily on the requesting client. In distributed mode, the file is cached on the first client to access the file and access is provided from that client to other clients on the remote subnet. In host mode, files are cached centrally on a remote server. With either configuration, the cached copy is used only after verifying that the file has not changed on the source server.

Question 120

You are responsible for client computer maintenance for your organization.

You need to upgrade a computer that is currently running Microsoft Windows XP to Windows 7. You need to prepare your Windows XP files and settings for migration to Windows 7.

What should you do first?

• Launch a default installation from the Windows 7 installation DVD.
• Launch a custom installation from the Windows 7 installation DVD.
• Upgrade installed applications to Windows 7 compatible versions.
• Run Migsetup from the Windows 7 installation DVD.

Answer 120

Run Migsetup from the Windows 7 installation DVD.

You should run Migsetup from the Windows 7 installation DVD. You cannot upgrade directly from Windows XP to Windows 7. You can migrate files and settings to Windows 7, but you must first use Migsetup to launch Windows Easy Transfer to transfer the files and settings to removable media or a network storage location. You would then install Windows 7 and run Windows Easy Transfer to migrate the settings. Applications are not migrated, so you will have to reinstall any applications after Windows 7 installation.

You should not launch a default or custom installation from the Windows 7 installation DVD. Neither supports direct upgrade from Windows XP to Windows 7. You must first copy files for migration and then run the installation.

You should not upgrade installed applications to Windows 7 compatible versions. This does not accomplish anything for you because installed applications are not migrated during Windows 7 installation when upgrading from Windows XP.

Question 121

You are upgrading several mobile computers to run Microsoft Windows 7.

You want to use BitLocker to protect the internal hard disk that is configured as the boot drive on each computer. The computers do not include support for Trusted Platform Module (TPM) version 1.2. You want to keep the costs related to preparing the computers to a minimum. You need to have the computers ready for assignment to users as quickly as possible.

What should you do?

• Replace the computer motherboards with TPM 1.2 compliant motherboards.
• Configure the boot drive to use BitLocker To Go.
• Configure BitLocker to use a startup key stored on a USB flash drive.
• Configure BitLocker to use a SmartCard to unlock encrypted drives.
• Force system integrity verification at system boot.

Answer 121

Configure BitLocker to use a startup key stored on a USB flash drive.

You should configure BitLocker to use a startup key stored on a USB flash drive. It is strongly recommended, but not required, that you deploy BitLocker on a computer that supports TPM version 1.2. This provides for a more secure environment, but it is not required. When using BitLocker on a computer that does not support TPM version 1.2 hardware, you must use it with a startup key stored on removable media, such as a USB flash drive.

You should not replace the computer motherboards with TPM 1.2 compliant motherboards. Even if an appropriate motherboard were available, this would be a more expensive and more time-consuming solution.

You should not configure the boot drive to use BitLocker To Go. BitLocker To Go is used to encrypt removable media, not the computer’s boot drive.

You should not configure BitLocker to use a SmartCard to unlock encrypted drives. This is one of the options for unlocking drives encrypted with BitLocker To Go.

You should not force system integrity verification at system boot. This is a check of the boot environment and prevents system startup if the boot environment has changed. Integrity verification requires TPM version 1.2, so it could not be used in this scenario.

Question 122

You are preparing to perform side-by-side migrations. The users’ old computers run Microsoft Office 2000 on Microsoft Windows XP. The new computers run Windows 7 and Office 2007.

You need to migrate user profile settings and custom operating system settings to the new computers. You do not want to migrate Office settings from the source computers. You need keep the effort necessary to complete this to a minimum.

What should you do first?

• Run ScanState on the computer running Windows XP and copy settings to a server.
• Run ScanState on the computer running Windows 7 and copy settings to a server.
• Run ScanState to modify the Config.xml file.
• Manually modify the MigApp.xml file.

Answer 122

Run ScanState on the computer running Windows XP and copy settings to a server.

You need to perform a simple manual migration. The first thing you need to do is run ScanState on the computer running Windows XP and copy settings to a server.

After upgrading the operating system, you would then run LoadState on the computer running Windows 7 and copy settings from the server to finish the user migration. User Settings Migration Tool (USMT), which is what you are using when you run ScanState and LoadState, does not migrate Office application settings for versions earlier than Office 2003.

You should not run ScanState on the computer running Windows 7 and copy settings to a server. ScanState is run on the source operating system.

You should not run ScanState to modify the Config.xml file. You are not running a default migration, so you have no reason to modify the Config.xml file. If you were running a default migration and wanted to identify what not to migrate, you could modify the Config.xml file by running ScanState with the /genconfig option.

You should not manually modify the MigApp.xml file. There is no need to change the file because the settings do not migrate by default.

Question 123

You are configuring Windows Firewall security for a computer running Windows 7. You create a domain-specific profile that allows File Transfer Protocol (FTP) access to the computer.

You need to configure the computer so that connections established over the Internet do not allow FTP. The solution should have minimal impact on Active Directory domain user access.

What should you do?

• Modify the domain profile to block FTP access and enable FTP access by domain user for each authorized user.
• Create a new public profile that blocks FTP access.
• Create a new private profile that blocks FTP access.
• Deploy a domain isolation policy.

Answer 123

Create a new public profile that blocks FTP access.

You should create a new public profile that blocks FTP access. Windows 7 supports multiple active Windows Firewall location-aware configuration profiles. Domain connections fall under the domain profile, and Internet connections are managed by the public profile. The public profile has no impact on domain connections.

You should not create a new private profile that blocks FTP access. A private profile is applied for network connections that you have identified as private connections. Internet connections are always treated as public network connections.

You should not modify the domain profile to block FTP access and enable FTP access by domain user for each authorized user. This would require more work than necessary to configure and would not meet the solution requirements.

You should not deploy a domain isolation policy. A domain isolation policy uses mutual authentication to isolate computers that are domain members from computers that are not domain members. Client computers must support IP Security (IPSec) to connect to the protected computer. If you need to provide access for computers that do not support IPSec, you must create exemption rules for those computers.

Question 124

You are configuring remote desktop support on client computers on your network. Your network is configured as an Active Directory domain. Client computers run either Microsoft Windows 7 or Windows Vista. Remote Desktop Client (RDC) 7.0 is installed on all client computers.

You need to configure the client computers to support desktop composition in remote sessions with all other clients on the network. You created a group policy that enables the Allow desktop composition for remote desktop sessions policy that is linked to the organizational unit (OU) containing all client computers. You need to minimize the configuration changes necessary to enable desktop composition support.

What should you do?

• Install Aero-capable graphics drivers on all clients.
• Configure Remote Desktop Session Host (RDSH) on all clients.
• Shut down and restart all remote desktop clients.
• Upgrade client computers running Windows Vista to Windows 7.

Answer 124

Upgrade client computers running Windows Vista to Windows 7.

You must upgrade client computers running Windows Vista to Windows 7. Desktop composition is not supported for RDC sessions between computers running Windows 7 and Vista, even if both are running RDC 7.0. Desktop composition provides a “like local” experience for remote client sessions using the Aero theme.

You should not install Aero-capable graphics drivers on all clients. Windows 7 includes Aero-capable graphics drivers. This would be necessary if you wanted to support desktop composition on client computers running Windows Server 2008 R2.

You should not configure the RDSH role on all clients. This is necessary on client computers running Windows Server 2008 R2. The RDSH role is supported on computers running Windows Server 2008 R2, but not on computers running Windows 7 or older Windows versions. RDSH enables a computer running Windows Server 2008 R2 to act as a Remote Desktop session host server. This makes it possible for remote desktop client computers to run programs on the server, save files to the server, and use server network resources.

You should not shut down and restart all remote desktop clients. This will do nothing to enable desktop composition support on clients running Windows Vista.

Question 125

You configure Windows Firewall with Advanced Security Group Policy settings for computers running Windows 7. IP Security (IPSec) is required for all connections.

You need to configure an inbound connection exception for a specific group of users for one of the computers. You plan to do this by applying a rule stored on the local computer.

What kind of rule do you need to create?

• Allow
• Windows Service Hardening
• Authenticated bypass
• Connection security

Answer 125

Authenticated bypass

You need to create an authenticated bypass rule. This lets you specify users, by user or group, or computers that can bypass inbound connection rules.

You should not create an allow rule. An allow rule is used to explicitly allow a specific type of incoming or outgoing traffic. Traffic is not filtered by user or computer.

You should not configure Windows Service Hardening. This is used to prevent services running on a computer from establishing connections.

You should not configure a connection security rule. This type of rule is used to control how computers can authenticate under IPSec, not to filter access by user.

Question 126

A user reports that a Microsoft Windows 7 computer opens a third-party File Transfer Protocol (FTP) client when accessing a Uniform Resource Locator (URL) for the FTP protocol.

You need to ensure that FTP links open in Internet Explorer.

Which utility should you use?

• Internet Options Content tab
• Compatibility View Settings
• Default Programs
• Windows Firewall

Answer 126

Default Programs

You should use Default Programs. The Default Programs utility allows you to change the programs that are used by default when opening files with certain extensions or links that use a specific protocol. In this case, you can specify that Internet Explorer should open FTP URLs.

You should not use the Content tab of the Internet Options utility. The Internet Options utility’s Content tab allows you to set parental controls, manage certificates, and configure AutoComplete settings. It does not allow you to associate a program with a protocol.

You should not use Compatibility View Settings. Compatibility View Settings allows you to configure a list of Web sites that should be displayed as if you were using an earlier version of Internet Explorer. Compatibility View is helpful when troubleshooting Web sites that do not display correctly in Internet Explorer 8.

You should not use Windows Firewall. Windows Firewall allows you to allow or block specific types of traffic. It does not allow you to configure which program is used to handle requests for a specific protocol.

Question 127

You are planning to deploy Microsoft Windows 7 by using a network image.

You need to execute a script after Windows 7 has been installed. You need to reference the script in an answer file.

Which configuration pass should you use?

• auditUser
• windowsPE
• oobeSystem
• offlineServicing

Answer 127

oobeSystem

You should configure the script to run during the oobeSystem configuration pass. The oobeSystem configuration pass executes after Windows 7 installs and the system reboots, but before the Windows Welcome screen appears.

You should not configure the script to run during the auditUser configuration pass. The auditUser configuration pass occurs only when you restart the reference computer in audit mode. It does not occur during setup.

You should not configure the script to run during the windowsPE configuration pass. The windowsPE configuration pass occurs before Windows 7 is installed. You should configure tasks such as setting Windows PE environment settings, partitioning the hard drive, installing boot-critical drivers, and identifying the path to the image during the windowsPE configuration pass.

You should not configure the script to run during the offlineServicing configuration pass. The offlineServicing configuration pass is used to apply packages to an offline image. A package might include updates, language packs, or drivers.

Question 128

Your company has a corporate office and a branch office. The network is configured as an Active Directory domain. All client computers are domain members running Microsoft Windows 7.

You install BranchCache on a server named BC-Srv in the branch office.

You discover that files are being cached to the Windows 7 computers in the branch office instead of to BC-Srv. You run netsh on one of the Windows 7 computers and receive the output shown in the exhibit.

You need to ensure that all files are cached on BC-Srv.

What should you do?

• Enable the Configure BranchCache for network files policy in the Group Policy object (GPO).
• Execute the following command on each Windows 7 client: netsh branchcache set service mode=HOSTEDCLIENT location=BC-Srv
• Execute the following command on each Windows 7 client: netsh branchcache set cachesize = 0
• Enable the Set BranchCache Hosted Cache mode policy in the Group Policy object (GPO).

Answer 128

Enable the Set BranchCache Hosted Cache mode policy in the Group Policy object (GPO).

You should enable the Set BranchCache Hosted Cache mode policy in the GPO. BranchCache can be configured to operate in either Hosted Cache mode or Distributed Cache mode. Group Policy currently configures the client computers to operate in Distributed Cache mode. However, the scenario requires that all data be cached to a service, which is the way Hosted Cache mode works. Therefore, you need to modify the GPO by enabling Hosted Cache mode.

You should not enable the Configure BranchCache for network files policy in the GPO. This policy affects the latency that can be supported when using Distributed Cache mode.

You should not execute the following command on each Windows 7 client:

netsh branchcache set service mode=HOSTEDCLIENT location=BC-Srv

While this command can be used to configure a client for Hosted Cache mode, it cannot be used in this scenario because Group Policy settings override a configuration set using netsh.

You should not execute the following command on each Windows 7 client:

netsh branchcache set cachesize = 0

This command is used to set the size of the cache. While setting the cachesize to 0 on the clients will prevent the client from caching data, it will not cause data to be cached on BC-Srv because clients are not configured to use Hosted Cache mode.

Question 129

You have a Microsoft Windows 7 Ultimate computer on a home network. There are two other computers on the network. One is running Windows Vista. The other is running Windows 7 Home Premium.

You need to share photos on the computer running Windows 7 Ultimate. The photos are currently located in the Pictures library. All users need to be able to access the shared files.

What should you do? (Each correct answer presents part of the solution. Choose two.)

• Move the photos to the Public Pictures folder.
• Enable Public folder sharing.
• Create a homegroup.
• Share the photos to the homegroup.
• Share the photos to the Public group.

Answer 129

Enable Public folder sharing.
Move the photos to the Public Pictures folder.

You should enable Public folder sharing. All Windows clients can access files shared using Public folder sharing. To enable Public folder sharing, open the Network and Sharing Center and click Change advanced sharing settings. Under the Home or Work profile, select the Turn on sharing so anyone with network access can read and write files in the Public folders option.

You should also move the photos to the Public Pictures folder. The Pictures library can only be accessed on the local computer by default. To share pictures using Public folder sharing, you need to move them to the Public Pictures folder.

You should not create a homegroup or share the pictures to the homegroup. Only Windows 7 computers can access files shared to a homegroup.

You should not share the pictures to the Public group. There is no group named Public by default. You share files using Public folder sharing by moving them to a Public folder, such as the Public Pictures folder.

Question 130

A user’s computer is running Microsoft Windows 7. System Protection is enabled.

A user reports that she accidentally copied an older version of a file over the current version. The Previous Versions tab for the file is shown in the exhibit.

You need to restore the latest saved previous version of the file.

What should you do?

• Enable shadow copy.
• Modify and save the file.
• Open Recovery in the Control Panel and select Restore your files.
• Open the Previous Versions tab of the Document library

Answer 130

Modify and save the file.

You should modify and save the file. The previous version of a file is only listed if the file has been modified since the last restore point was saved. Therefore, you can force the file to be shown by opening, modifying, and saving the file. After the older version is shown, you can select it and choose Restore. System Restore is only supported on NTFS partitions.

You do not need to enable shadow copy. Shadow copy is the technology used by System Protection to save previous versions of files. When System Protection is enabled, shadow copy is used automatically.

You should not open Recovery in the Control Panel and select Restore your files. You use this option to restore files from backup, not to restore a deleted file that was saved in a restore point.

You should not open the Previous Versions tab of the Document library. You can open Previous Versions for a folder or file, not the Documents library.

Question 131

Your company has an Active Directory domain. The company’s network is shown in the exhibit.

A number of users have portable computers running Microsoft Windows 7. These users need to be able to connect to a selected set of servers on the corporate intranet from any location that has an Internet connection. Technicians need to be able to remotely manage the portable computers when they are connected to the intranet.

You need to configure the network infrastructure to support the requirements.

What should you do?

• Install a DirectAccess server on the corporate network.
• Install a Virtual Private Network (VPN) server on the perimeter network.
• Install a DirectAccess server on the perimeter network.
• Install a Virtual Private Network (VPN) server on the corporate network

Answer 131

Install a DirectAccess server on the perimeter network.

You should install a DirectAccess server on the perimeter network. DirectAccess allows client computers running Windows 7 or Windows Server 2008 to connect to intranet resources. A DirectAccess server must be a domain member and must be located on the perimeter network. It must have two network adapters: a public network adapter and a private network adapter. Both network adapters must be configured for IPv6. The public network adapter must be assigned two publicly-accessible consecutive IPv4 addresses.

You should not install a DirectAccess server on the corporate network. The DirectAccess server must be installed on the perimeter network.

You should not install a VPN server on the perimeter network or the corporate network. A VPN cannot work from some locations because it is blocked by firewalls. Also, remote management is not supported through a VPN connection.

Question 132

You are managing a computer running Microsoft Windows 7. The computer is configured to create a new restore point once a week. The computer is backed up to external media once a week, and the backups are stored offsite.

You accidentally delete a folder from your computer that contains critical data. You need to recover the folder as quickly as possible. You cannot find a copy of the folder in your recycle bin.

What should you do?

• Use System Restore.
• Use Windows Backup and Restore.
• Use Windows Recovery Environment (RE).
• Use Last Known Good Configuration.

Answer 132

Use System Restore.

You should use System Restore, which is accessed through the System Properties dialog box. You can choose to restore the folder and its contents from a shadow copy made as a system restore point. Restore points are stored on the local hard disk, making them easily accessible.

You should not use Windows Backup and Restore. Because the weekly backup is stored offsite, you would have to request that it be brought onsite before you could use it for recovery.

You should not use Windows RE. You can run a system restore from Windows RE, but this would revert the computer back to the earlier version.

You should not use Last Known Good Configuration. This does not restore data on the system, only configuration information after configuration changes have made a system unbootable.

Question 133

You are preparing to deploy Microsoft Windows 7 in your organization. You will deploy Windows 7 initially on four computers to test.

You need to ensure that target computers meet the minimum installation requirements. The computers are configured as follows:

* 1 gigahertz (GHz) 32-bit processor
* 40 gigabytes (GB) disk space
* 500 megabytes (MB) system memory
* DirectX 9 graphics adapter

What should you do?

• Replace the motherboards with 64-bit motherboards.
• Increase available disk space to 100 GB or more.
• Install additional memory to reach 1 GB of memory.
• Replace the graphics adapter with a more recent adapter.
• Use the computers as configured.

Answer 133

Install additional memory to reach 1 GB of memory.

You should install additional memory to reach 1 GB of memory. Current minimum installation requirements for Windows 7 are:

* 1 GHz 32-bit or 64-bit processor
* 1 GB of system memory
* 16 GB of available disk space
* Support for DirectX 9 graphics with 128 MB memory (to enable the Aero theme)

In addition, a DVD drive is also needed if you are installing from the Windows 7 installation DVD. Microsoft recommends a DVD-R/W drive, but you do not need to write to DVD during a typical installation.

There is no reason to replace the motherboard. A 1 GHz 32-bit processor is supported.

There is no need to increase available disk space.

There is no need to replace the graphics adapter.

You should not use the computers as configured. As configured, they do not meet the minimum recommended configuration requirements.

Question 134

You have a Microsoft Windows 7 system that runs a payroll application. The payroll application logs an event to the Application log each time payroll is processed. The payroll application data files are backed up by a third-party application on a schedule that includes full and differential backups.

You need to ensure that the payroll database is backed up immediately each time payroll is processed.

What should you do?

• Use Task Scheduler to schedule a task that executes the wbadmin command with the -vsscopy option.
• Use Task Scheduler to schedule a task that executes the wbadmin command with the -vssfull option.
• Use Task Scheduler to schedule a task that executes the ntbackup command.
• Create a scheduled Backup using Backup and Restore.

Answer 134

Use Task Scheduler to schedule a task that executes the wbadmin command with the -vsscopy option.

You should use Task Scheduler to schedule a task that executes the wbadmin command with the -vsscopy option. You can create a task that executes when an event that logs data to a log occurs. In this case, you will use the event generated by the payroll application as the trigger. Wbadmin is the Windows 7 command-line utility that can be used to start, stop, or view information about a backup. The -vsscopy option causes the files to be copied without clearing the archive bit. Therefore, it will not interfere with other backup programs.

You should not use Task Scheduler to schedule a task that executes the wbadmin command with the -vssfull option. The -vssfull option causes the archive bit to be cleared. Therefore, the file will not be backed up the next time the third-party backup runs unless the file has been modified since the scheduled backup ran.

You should not use Task Scheduler to schedule a task that executes the ntbackup command. The ntbackup command was used in older versions of Windows and is not supported in Windows 7.

You should not create a scheduled Backup using Backup and Restore. Although you can create a backup that runs on a schedule using the Backup and Restore utility, you cannot use this utility to create a backup that runs in response to an event.

Question 135

A computer is running Microsoft Windows Vista. You want to perform a custom installation of Microsoft Windows 7 on the computer and migrate all user settings and documents. You plan to use a store on the network share \fs1\migration.

You need to estimate the amount of disk space required to store the settings.

What command should you use?

• ScanState.exe \fs1\migration /localonly /targetVista
• ScanState.exe \fs1\migration /genConfig:c:\spaceNeeded.xml
• ScanState.exe \fs1\migration /genConfig /targetVista
• ScanState.exe \fs1\migration /p:c:\spaceNeeded.xml

Answer 135

ScanState.exe \fs1\migration /p:c:\spaceNeeded.xml

You should use the following command:

ScanState.exe \fs1\migration /p:c:\spaceNeeded.xml

The ScanState command allows you to migrate settings to a store. When you run it with the /p option, it estimates the amount of disk space necessary to store the files. By specifying a filename after the /p option, you cause the estimation to be performed using User State Migration Tool (USMT) 4.0 algorithms. An Extensible Markup Language (XML) file with a format similar to the following is generated:

The storeSize reports the amount of disk space required at the location where the settings and documents will be stored. The temporarySpace reports the amount of temporary disk space required on the source machine while saving the files and on the target machine when restoring the files. When you use the /p option without a filename, the USMT 3.0 algorithm is used to calculate the space required.

You should not use the following command:

ScanState.exe \fs1\migration /localonly /targetVista

You use the /targetVista option when you are using USMT to migrate settings to a computer running Windows Vista. You use the /localonly option to migrate only settings and files that are located on the internal hard disk volumes, not on external drives or network shares. This command would create a store instead of just estimating the space required. However, the store would be optimized for Windows Vista.

You should not use the following commands:

ScanState.exe \fs1\migration /genConfig:c:\spaceNeeded.xml

Or

ScanState.exe \fs1\migration /genConfig:c:\spaceNeeded.xml /targetVista

The /genConfig option is used to generate a configuration file without creating a store. These commands would not estimate the space required because you did not include the /p option.

Question 136

A portable computer is running Microsoft Windows 7.

When the user is connected to the work network, that user should be notified if Windows Firewall attempts to block a program. When the user is connected to a public network, no notification should occur and the request should be blocked.

You need to configure the computer.

What utility should you use?

• Network and Sharing Center Advanced Options
• Internet Options Security tab
• Windows Firewall
• Notification Area Icons

Answer 136

Windows Firewall

You should use the Windows Firewall utility to configure the computer. Windows Firewall allows you to configure whether notifications are displayed when an attempt to access the computer is blocked by Windows Firewall. Public networks and home/work networks are configured separately. As an alternative, you can configure these settings through Group Policy or by running netsh firewall or netsh advfirewall.

You should not use Network and Sharing Center Advanced Options. This utility allows you to enable or disable network discovery and configure file sharing options for public and home/work networks.

You should not use the Security tab of the Internet Options utility. The Security tab of Internet Options allows you to set a security level for Web sites in different zones. For example, you can set a different security level for accessing an Internet Web site than for accessing one on the local network.

You should not use Notification Area Icons. This utility is used to determine whether a notification icon should be displayed in the notification area to show the status of various operations, such as a network connection, power, or Windows Update. Windows Firewall notifications cannot be configured through this utility.

Question 137

Your company has 25 computers running Microsoft Windows 7 and 20 computers running Windows Vista. Your technician computer runs Windows 7.

You need to be able to troubleshoot all client computers interactively by running PowerShell cmdlets.

What should you do?

• Run Enable-PSRemoting on the technician computer.
• Create an inbound Windows Firewall rule on all client computers to allow Remote Desktop.
• Run Enable-PSRemoting on the Windows 7 and Windows Vista computers.
• Create an outbound Windows Firewall rule on the technician computer to allow Remote Desktop

Answer 137

Run Enable-PSRemoting on the Windows 7 and Windows Vista computers.

You should run Enable-PSRemoting on the Windows 7 and Windows Vista computers. The Enable-PSRemoting cmdlet enables the computer to listen for WS-Management protocol messages. WS-Management protocol messages are sent when executing cmdlets in a remote PowerShell session. Both Windows 7 and Windows Vista can support remote PowerShell sessions.

You should not run Enable-PSRemoting on the technician computer. You do not need to run Enable-PSRemoting on the sending computer, only on the receiving computer.

You should not create Windows Firewall rules to enable Remote Desktop. You do not need to run Remote Desktop to remotely troubleshoot the computers. You can use PowerShell commands remotely over the WS-Management protocol.

Question 138

A Microsoft Windows 7 computer has three volumes. Volume C is formatted as NTFS and contains the operating system, applications, and data files. Volume D is formatted as FAT32. Volume E is a DVD-R drive.

You need to create the necessary backup files to allow the system to be restored to a known state using either the Recovery Control Panel utility or the System Repair option in the boot menu.

What should you do?

• Create a system image on volume D.
• Create a system repair disc on volume E.
• Create a system image on volume E
• Create a system repair disc on volume D.

Answer 138

Create a system image on volume E.

You should create a system image on volume E. A system image is an exact image of your computer at the time it is taken. It includes applications and data files. You can recover a computer to a system image using the Recovery Control Panel utility if the operating system can be booted. If the operating system cannot be booted, you can recover to a system image by choosing Repair your computer from Advanced Boot Options or by booting from the installation DVD or a system repair disc and choosing Repair your computer. You can only create a system image on an NTFS partition, one or more DVD discs, or a network location. If you schedule a system image backup, you can only use an NTFS partition or a network location.

You cannot create a system image on volume D because volume D is formatted as FAT32.

You should not create a system repair disc on volume E. A system repair disc is used to boot the computer. It contains boot files and system tools you can use to repair a damaged system that will not boot to Windows.

You cannot create a system repair disc on volume D. You can only create a system repair disc on a CD or DVD drive. In this case, you should not create a system repair disc at all.

Question 139

You have a computer running Microsoft Windows 7.

You install several driver updates and an application and restart the computer. The system boots, but then you notice that some devices are no longer functioning.

You need to resolve the problem.

What should you try first?

• Boot to the Last Known Good Configuration.
• Use Recovery in Control Panel to recover to the last restore point.
• Boot using the Windows installation DVD and select Repair your computer. Select Startup Repair.
• Use Recovery in Control Panel to recover a system image.

Answer 139

Use Recovery in Control Panel to recover to the last restore point.

You should use Recovery in Control Panel to recover to the last restore point. System Restore saves information about your system configuration before making a change, such as installing a device driver or application. You can try restoring to various restore points until your system is stable.

You should not boot to the Last Known Good Configuration. The Last Known Good Configuration is stored each time a computer successfully starts. Because you successfully logged on before the computer stopped responding, Last Known Good Configuration does not store a stable configuration.

You should not boot using the Windows installation DVD and select Repair your computer. This option displays the System Recovery options. The Startup Repair option allows you to replace damaged or missing operating system files, not recover from corrupted device drivers or application problems. You can, however, start System Restore from the System Recovery options menu.

You should not use Recovery in Control Panel to recover a system image. This option is a last resort, as it will restore the computer to the last system image you backed up. You will lose all data, programs, and settings that have changed since the last system image backup.

Question 140

A computer is running Microsoft Windows 7 Home Premium.

You need to install Windows 7 Ultimate on the computer. You must preserve user configuration settings and applications. You must perform the installation using the least amount of effort.

What should you do first?

• Start the computer from the DVD. Choose Custom.
• Start the computer in Windows 7. Insert the installation DVD and choose Upgrade.
• Start the computer in Windows 7. Insert the installation DVD and run Migsetup.exe.
• Start the computer in Windows 7. Launch Windows Update.

Answer 140

Start the computer in Windows 7. Insert the installation DVD and choose Upgrade.

You should start the computer in Windows 7, insert the installation DVD, and choose Upgrade. You can upgrade a computer running Windows 7 Home Premium to either Windows 7 Professional or Windows 7 Ultimate. To do so, you start the computer in Windows 7, insert the installation DVD, and when prompted for an installation type, choose Upgrade.

You should not start the computer from the DVD and choose Custom. A Custom installation overwrites existing settings with a clean installation.

You should not start the computer in Windows 7, insert the installation DVD, and run Migsetup.exe. The Migsetup.exe application is Windows Easy Transfer, which allows you to transfer settings from an old installation to a new installation. You would use Windows Easy Transfer if the upgrade path were not supported.

You should not start the computer in Windows 7 and launch Windows Update. Windows Update is used to configure automatic updates for security updates and service packs. It is not used to upgrade to a different edition of Windows 7.

Question 141

You have a Microsoft Windows 7 computer.

You need to ensure that unapproved applications cannot perform tasks that require Administrator permissions even if they are run by a member of Administrators.

What should you do? (Each correct answer presents part of the solution. Choose two.)

• Add the publisher’s certificate for each approved application to the Trusted Publishers certificate store.
• In Group Policy, create an AppLocker Executable rule.
• In User Account Control Settings, select Always notify.
• In Group Policy, enable the User Account Control: Only elevate executables that are signed and validated policy.
• In Group Policy, enable the User Account Control: Only elevate UIAccess applications that are installed in secure locations policy.

Answer 141

• In Group Policy, enable the User Account Control: Only elevate executables that are signed and validated policy.
• Add the publisher’s certificate for each approved application to the Trusted Publishers certificate store.

You should do the following:

* Enable the User Account Control: Only elevate executables that are signed and validated policy in Group Policy.
* Add the publisher’s certificate for each approved application to the Trusted Publishers certificate store.

When the User Account Control: Only elevate executables that are signed and validated policy is enabled, an executable can only be allowed elevated permissions if it has been digitally signed and a publisher’s certificate has been added to the Trusted Publishers certificate store on the computer. When this policy is not enabled, an application can request elevation even if it has not been digitally signed by a certificate belonging to a trusted publisher.

You should not create an AppLocker Executable rule. You can create an AppLocker Executable rule to limit which applications can run, not which applications can request elevated permissions.

You should not modify User Account Control Settings and select Always notify. This was the default UAC setting for Windows Vista. It does not prevent applications that are not signed from requesting and obtaining elevated permissions when run by an administrator.

You should not enable the User Account Control: Only elevate UIAccess applications that are installed in secure locations policy. When this policy is enabled, applications that require User Interface Accessibility programs can only be given elevated permissions if they are installed in a secure location, such as %systemroot% or System32. However, the requirements in this scenario are not limited to UIAccess applications. They need to apply to all applications.

Question 142

A Microsoft Windows 7 image is booted in Out-of-Box Experience (OOBE).

You need to install a Windows update to the booted Windows 7 image.

What should you do?

• Use DPInst to apply the update.
• Boot the image in audit mode and use Windows Optional Component Setup (OCSetup) to apply the update.
• Take the image offline and use Deployment Image Servicing and Management (DISM) to apply the update.
• Boot the image in audit mode and use Windows Update Stand-alone Installer (WUSA) to apply the update.

Answer 142

Boot the image in audit mode and use Windows Update Stand-alone Installer (WUSA) to apply the update.

You should boot the image in audit mode and use WUSA to apply the update. You can apply updates to an online image only, so you must boot the image. However, you do not want to activate the image if it will be used as an installation source, so audit mode is required.

Audit mode lets you make changes to a Windows installation without requiring you to activate the installation or finalize the computer for end-user use. After making necessary changes to the image, you can then recapture the image and use it as a source for deploying Windows 7.

You should not use DPInst to apply the update. DPInst is used to install non-boot-critical hardware device drivers for hardware that is present in the computer. It is not used to apply system updates.

You should not boot the image in audit mode and use OCSetup to apply the update. OCSetup can be used to make changes to an online image, such as installing applications or enabling Windows features, but it is not used to apply updates.

You should not take the image offline and use DISM to apply the update. DISM can be used to install updates packaged as .msu files, but updates can be applied to an online image only.

Question 143

You have a computer running Microsoft Windows 7.

The computer has one 40 GB hard disk. The user creates audio files that use a lot of hard disk space. She stores the files in the Podcasts subfolder in her My Documents folder.

The disk is near capacity.

You need install an additional hard disk.

You need to allow the user to continue storing her audio files in the Podcasts directory.

What should you do?

• Mount the new volume using the path to the Podcasts folder.
• Create a virtual hard disk (VHD) named Podcasts.
• Move the files to a network share.
• Mount the new volume using the path to the Podcasts folder.
• Move the files to the Podcasts folder.
• Move the files to a network share.
• Create a virtual hard disk (VHD) named Podcasts.
• Move the files to the Podcasts VHD.

Answer 143

• Move the files to a network share.
• Mount the new volume using the path to the Podcasts folder.
• Move the files to the Podcasts folder.

You should do the following:

* Move the files to a network share.
* Mount the new volume using the path to the Podcasts folder.
* Move the files to the Podcasts folder.

You can mount a volume to an empty NTFS folder to allow the fact that there is a separate hard disk to be transparent to users. Users can continue to access the folder just as they had before. The NTFS folder can be on a basic disk or a dynamic disk.

You should not just mount the new volume using the path to the Podcasts folder. You need to move the files first because the folder must be empty.

You should not create a VHD named Podcasts. A VHD is a block of disk space on a volume that is assigned a separate drive letter and name. You can host a VHD in a virtual machine or you can configure a Windows 7 computer to boot from a VHD.

You should not do the following:

* Move the files to a network share.
* Create a virtual hard disk (VHD) named Podcasts.
* Move the files to the Podcasts VHD.

A VHD is a block of disk space on a volume that is assigned a separate drive letter and name. You can host a VHD in a virtual machine or you can configure a Windows 7 computer to boot from a VHD.

Question 144

You are a network administrator for your organization. You are migrating five computers from Microsoft Windows XP to Windows 7. You back up each of the computers by using the Windows backup utility and then run a clean installation. You select the Windows XP system folder as the installation destination.

After installation, you need to restore users’ desktop settings and user profile information to the upgraded computers. You need to keep the administrative effort necessary to accomplish this to a minimum.

What should you do?

• Run LoadState with the /hardlink option.
• Run ScanState and then LoadState, both with the /hardlink option.
• Run Windows Easy Transfer.
• Restore from the backup made before installation

Answer 144

Run ScanState and then LoadState, both with the /hardlink option.

You should run ScanState and then LoadState, both with the /hardlink option. When you install Windows 7 to the Windows XP system folder, a Windows.old directory is created that contains files from the previous operating system. Running ScanState and LoadState with the /hardlink option identifies information that can be migrated and then performs the migration.

You should not run LoadState without first running ScanState. You must run ScanState first to identify the information to be migrated.

You should not run Windows Easy Transfer. Windows Easy Transfer is used to migrate files and settings, but not in this situation. You would need to back up information from the Windows XP installation first.

You should not restore the backup made before installation. This would overwrite critical files and compromise the computer.

Question 145

Your network is configured as a main office and a remote office. Each office is configured as a single subnet. Remote office users connect to the Internet through the main office’s perimeter network.

You deploy a Windows Server Update Services (WSUS) server in the main office. You want to manage all updates from the main office WSUS server. Your network is configured to support a BranchCache Distributed Cache mode environment.

You want to minimize the traffic generated across the remote link between the offices to support Windows updates. You want to keep the network changes necessary to accomplish this and management requirements to a minimum.

What should you do?

• Configure the WSUS server to store update metadata and configure clients to download update files from Microsoft.
• Configure the WSUS server to store update metadata and update files and configure it as a BranchCache content server.
• Configure the WSUS server to store update metadata and update files and configure a second WSUS server in the remote office in autonomous mode.
• Configure the WSUS server to store update metadata and configure a second WSUS server in the remote office in replica mode.

Answer 145

Configure the WSUS server to store update metadata and update files and configure it as a BranchCache content server.

You should configure the WSUS server to store update metadata and update files and configure it as a BranchCache content server. This lets you manage updates from a central location. Update information is downloaded to the remote office once and shared from that location to other computers needing the update, so traffic is kept to a minimum. Updates are cached on client computers, so there are no additional hardware requirements.

You should not configure the WSUS server to store update metadata and configure clients to download update files from Microsoft. This does not minimize traffic requirements because each client will be downloading update files individually.

You should not configure the WSUS server to store update metadata and update files and configure a second WSUS server in the remote office in autonomous mode. This requires you to manage updates separately on the two WSUS servers, so management requirements are not minimized. This also does not minimize hardware requirements because an additional server is required.

You should not configure the WSUS server to store update metadata and configure a second WSUS server in the remote office in replica mode. This solution requires an additional server and results in higher than necessary traffic levels to download update files.

Question 146

You have a computer running Windows 7.

The computer is currently configured to use the Balanced power plan.

You want to require a password to wake the computer up only if the computer goes to sleep when running on battery.

What should you do?

• Open Power Options and click Require a password on wakeup.
• Open Power Options and access Advanced Power Settings for the Balanced power plan.
• Open User Accounts and access User Account Control Settings.
• Open Ease of Access Center.

Answer 146

Open Power Options and access Advanced Power Settings for the Balanced power plan.

You should open Power Options and access Advanced Power Settings for the Balanced power plan. The Advanced Power Settings dialog box allows you to configure whether the user needs to supply the password when waking a computer up from sleep based on whether the computer is plugged in or on battery power. You can access Advanced Power Settings for a default power plan or a custom power plan. Another way to make this configuration change would be to apply it through Group Policy.

You should not open Power Options and click Require a password on wakeup. This option allows you to select whether to require a password for wakeup, but it does not allow you to set the option separately based on whether the computer is running on battery power or plugged in.

You should not open User Accounts and access User Account Control Settings. These settings allow you to configure the circumstances under which you are prompted for elevation of permissions. It does not allow you to configure whether a user is prompted for a password during wakeup.

You should not open the Ease of Access Center. The Ease of Access Center is used to configure accessibility options, such as the narrator and magnifier.

Question 147

You created a custom Windows image (WIM) file to deploy Microsoft Windows 7. The image was created to support English language installations only.

You need to modify the image file to support multiple languages for use in a multilingual deployment. You want to keep the hardware and administrative effort required to a minimum.

What should you do?

• Create a new reference image containing the necessary language packs and recreate the image.
• Use Windows System Image Manager (SIM) to modify the existing image.
• Use DISM to modify the existing image.
• Use DISM to reconfigure and modify a default retail image.

Answer 147

Use DISM to modify the existing image.

You should use the Deployment Image Servicing and Management (DISM) tool to modify the existing image. DISM is designed to let you service offline images. Available service options include adding language packs and international settings to an existing custom image.

You should not create a new reference image containing the necessary language packs and recreate the image. This requires both more effort and more hardware than using DISM to modify the existing custom image.

You should not use Windows SIM to modify the existing image. You can use Windows SIM to create an answer file that can be used, in turn, with DISM to modify an offline image. You cannot use Windows SIM to directly modify the image.

You should not use DISM to reconfigure and modify a default retail image. It would require more effort to match the modified image to the custom image than to directly modify the custom image.

Question 148

You have a computer running Windows 7 Ultimate.

You need to prevent users from installing applications that do not have a digitally signed .msi file.

What should you do?

• Create an AppLocker Script rule based on the Hash condition.
• Create a Certificate rule in Software Restriction Policies.
• Create a Hash rule in Software Restriction Policies.
• Create an AppLocker Windows Installer rule based on the Publisher condition.

Answer 148

Create an AppLocker Windows Installer rule based on the Publisher condition.

You should create an AppLocker Windows Installer rule based on the Publisher condition. An AppLocker Windows Installer rule is used to limit which .msi and .msp files a user can execute. When you create an Allow rule based on the Publisher condition, you limit the Windows Installer files that can be installed to those signed by a publisher. You can allow any signed files to execute by using the wildcard (*) character.

You should not create an AppLocker Script rule based on the Hash condition. A Script rule is used to limit which script files a user can execute, including PowerShell files, VB Script files, JavaScript files, and batch files. The Hash condition calculates a hash of the file and compares it with the hash specified in the rule. If the two values do not match, the rule is not enforced. In this case, you cannot calculate a hash because any digitally signed .msi file should be permitted.

You should not create a Certificate rule in Software Restriction Policies. Software Restriction Policies can be used to limit which applications a user can execute on a Windows XP, Windows Vista, or Windows 7 computer. It is used for backwards compatibility. A Certificate rule is used to configure a rule that is enforced for an application signed by a specific publisher. You must select a certificate when configuring a certificate rule.

You should not create a Hash rule in Software Restriction Policies. The Hash rule calculates a hash of the file and compares it with the hash specified in the rule. If the two values do not match, the rule is not enforced.

Question 149

You have 20 computers running Microsoft Windows Vista Business. You plan to install Windows 7 Ultimate on all of them. You need to repartition the computers so that all computers have identical partition schemes.

You need to ensure that user preferences and user documents are preserved. You must choose the fastest migration strategy.

What should you do first?

• Execute ScanState with the hardlink option.
• Perform an upgrade.
• Create an image backup of each computer.
• Execute ScanState and store the results on a network share.

Answer 149

Execute ScanState and store the results on a network share.

You should execute ScanState and store the results on a network share. ScanState is a User State Migration Tool (USMT) command that allows you to save local user profiles and documents in a compressed or uncompressed format. When performing an installation that does not have a supported upgrade path, you can use ScanState to store the data and LoadState to configure the computer using the stored state data and documents. Because you must repartition the drive, you need to store the data to a network share.

You should not execute ScanState with the hardlink option. The hardlink option provides better performance because it stores the data locally. However, you cannot use the hardlink option when you need to repartition the drive.

You cannot perform an upgrade. Although you can upgrade from Windows Vista Business to Windows Vista Ultimate, you cannot repartition the drive during an upgrade.

You should not create an image backup of each computer. An image backup can be used to recover a system to its exact state. It is not used during migration.

Question 150

You have a Microsoft Windows 7 computer. The computer has a single basic disk that has three simple volumes: the system volume, volume C, and volume D. Volume C is 200 GB, is formatted using NTFS, and has 10 GB of available space. Volume D is 30 GB, is formatted using FAT32, and has 20 GB of available space. The disk has no unallocated space.

You need to create a new 15 GB volume.

What should you do first?

• Shrink volume C.
• Convert the disk to a dynamic disk.
• Convert volume D to NTFS.
• Shrink volume D.

Answer 150

Convert volume D to NTFS.

You should first convert volume D to NTFS. You need to create unallocated space by either deleting a volume or shrinking a volume. Deleting a volume results in data loss. Shrinking a volume does not result in data loss. However, you can only shrink an NTFS volume. Therefore, you need to convert volume D to NTFS before shrinking it.

You should not shrink volume C. You cannot shrink a volume beyond the amount of used disk space. You need a 15 GB volume, and there is only 10 GB of unused space available on volume C.

You do not need to convert the disk to a dynamic disk. You can shrink a volume on a basic disk.

You should not shrink volume D first. You must convert volume D to NTFS before you can shrink it.

Question 151

You have a computer running Microsoft Windows 7 Ultimate.

The computer stores confidential data. Users sometimes need to be able to take the data offsite using a Universal Serial Bus (USB) flash drive.

You need to ensure that the data is encrypted on the flash drive and can only be accessed by a user who supplies the correct Personal Identification Number (PIN).

What should you do?

• In Local Group Policy, enable Removable Disks: Deny write access.
• Encrypt all confidential files using Encrypting File System (EFS).
• In Local Group Policy, enable Deny write access to removable data drives not protected by BitLocker.
• Execute the cipher /r command.

Answer 151

In Local Group Policy, enable Deny write access to removable data drives not protected by BitLocker.

You should enable Deny write access to removable data drives not protected by BitLocker in Local Group Policy. BitLocker To Go allows you to protect the contents of a removable drive to prevent unauthorized access by users who cannot authenticate using a PIN or smart card. The policies that govern BitLocker To Go are located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.

You should not enable Removable Disks: Deny write access. Enabling this policy will prevent users from writing data to a removable drive. If this policy and the Deny write access to removable data drives not protected by BitLocker policy are enabled, the Removable Disks: Deny write access policy takes precedence.

You should not encrypt all confidential files using EFS. If an encrypted file is copied to a non-NTFS file system, it loses encryption. Therefore, a user could copy a confidential file to a FAT32 removable drive, and security of the data would be compromised.

You should not execute the cipher /r command. The cipher /r command is used to create an EFS Recovery Agent certificate. You would use an EFS Recovery Agent certificate to decrypt files if the certificate used to encrypt files using EFS was no longer available.

Question 152

You need to enable Remote Desktop connections to a Microsoft Windows 7 computer. Only users logged in to a technician’s computer should be able to access the computer using a remote connection.

You need to make the necessary configuration changes.

What should you do?

• Modify the Remote Desktop Outbound rule of Windows Firewall.
• Modify the Remote Desktop Inbound rule of Windows Firewall.
• Add Remote Desktop to the Allowed Programs list of Windows Firewall.
• Add the technician computers to the Remote Desktop Users Group.

Answer 152

Modify the Remote Desktop Inbound rule of Windows Firewall.

You should modify the Remote Desktop Inbound rule of Windows Firewall. Inbound rules allow you to configure which computers are allowed to access specific applications using an inbound request. In this case, you will enable the Remote Desktop inbound rule and add the technician computers to the Authorized Computers list.

You cannot modify the Remote Desktop Outbound rule of Windows Firewall. Remote Desktop is an inbound rule, not an outbound rule because another computer initiates the communication.

You should not add Remote Desktop to the Allowed Programs list of Windows Firewall. If you add Remote Desktop to the Allowed Programs list, Remote Desktop sessions will be allowed from any computer, not just from technician computers.

You should not add the technician computers to the Remote Desktop Users group. You use the Remote Desktop Users group to assign permission for a user to log on through a Remote Desktop session. You do not add computers to the Remote Desktop Users group. Also, by default, Windows Firewall does not allow Remote Desktop sessions.

Question 153

You are configuring offline access to files for mobile devices running Microsoft Windows 7.

You need to configure encryption for locally cached files. The files are cached on the internal hard disk drives of the computers. You need to provide protection for the files even if the mobile computer is lost or stolen.

What should you do?

• Implement Encrypting File System (EFS) on the client.
• Implement Encrypting File System (EFS) on the server.
• Implement BitLocker drive encryption on the server.
• Implement BitLocker drive encryption on the client.
• Implement BitLocker To Go drive encryption on the client.
• Implement BitLocker To Go drive encryption on the server.

Answer 153

Implement BitLocker drive encryption on the client.

You should implement BitLocker drive encryption on the client. You need to implement some type of encryption on the client to protect the files. BitLocker provides a high level of protection even if the computer is lost or stolen. Not only is data on the hard disk encrypted, but you can require multifactor authentication before the computer can be booted.

You should not implement EFS on the client. EFS provides less protection if the computer is lost or stolen, which would give a hacker time to break the encryption.

You should not implement EFS or BitLocker drive encryption on the server as a way of protecting cached files. Encrypting the file on the server does not cause the file to be automatically encrypted when it is cached on the client.

You should not implement BitLocker To Go drive encryption on the client or the server. BitLocker To Go is a version of BitLocker that can be used on removable media to provide encryption.

Question 154

Your network is configured as an Active Directory domain. Domain controllers run Microsoft Windows Server 2008 R2. Client computers run Windows 7.

You need to track folder access on member computers in your network. You need to track user access for specific shared folders. You need to limit tracking to specific folders. You want to keep the effort necessary to accomplish your goal to a minimum.

What should you do?

• Create and link a Group Policy defining File System Object Access.
• Create and link a Group Policy defining File Share Object Access.
• Create and link a Group Policy defining File System Global Object Access Auditing.
• Configure resource auditing locally on each computer.
• Create scripts to enable auditing and run the scripts on each computer to be audited.

Answer 154

Create and link a Group Policy defining File System Object Access.

You should create and link a Group Policy File defining System Object Access. The enhanced auditing supported for Windows Server 2008 and Windows 7 gives you the ability to configure a file system access control list (SACL) for any or all file system objects, including both files and folders. You can specify the audit events and specific events to be audited.

You should not create and link a Group Policy defining File Share Object Access. This policy would apply to all shared folders on the computer and does not let you limit auditing to specific folders.

You should not create and link a Group Policy defining File System Global Object Access Auditing. When you define a Global Object Access Auditing SACL, the SACL applies to every object of that type. If a computer is configured with both a file system SACL and global SACL, the effective audit policy will be a combination of both the file system and global policy settings.

You should not configure resource auditing locally on each computer or create scripts to enable auditing and run the scripts on each computer to be audited. Either of these methods would take more effort than necessary. These methods would be necessary to configure the auditing needed on older Windows versions, but not for Windows 7 or Windows Server 2008.

Question 155

You have a computer running Windows 7. The computer can connect to computers on the local network, but not to computers on the Internet.

A portion of the Network and Sharing Center window is shown in the exhibit.

You need to resolve the problem.

What should you do?

• Change the network location of the Wireless Network Connection to Home network.
• Change the network location of the Wireless Network Connection 2 to Public network.
• Set the default gateway for the Wireless Network Connection to the correct value.
• Set the default gateway address for the Wireless Network Connection 2 to the correct value

Answer 155

Set the default gateway for the Wireless Network Connection to the correct value.

You should set the default gateway for the Wireless Network Connection to the correct value. Because you can access local resources, but not Internet resources, you know that the problem is caused by an invalid default gateway or an invalid subnet mask. When the default gateway is not correctly configured, the network is displayed as an unidentified public network.

You cannot change the network location of the Wireless Network Connection to Home network. You cannot change the network location until after you resolve the IP configuration issue.

You should not change the network location of the Wireless Network Connection 2 to Public network. The Wireless Network Connection 2 network is not currently connecting to a network. Also, you configure a network as a Public network to increase security when connecting to public Wi-Fi networks.

You should not set the default gateway address for the Wireless Network Connection 2 to the correct value. The Wireless Network Connection 2 network is not currently connecting to a network. The network settings that need to be reconfigured are those associated with Wireless Network Connection.

Question 156

You support several computers that run Microsoft Windows 7.

You are trying to correct application compatibility problems. You created a centralized custom shim database that is accessed from a central location by all client computers. You need to test and deploy an additional shim for a newly discovered problem. You need to protect the integrity of the current shim database and avoid introducing new problems.

What should you do (organize these in the right order)?

Answer 156

1. Create a second custom shim database and add the shim you need to test
2. Test the shim through customer acceptance testing
3. Open the master copy of the shim database
4. Copy and paste the shims from the secondary database to the master database

When adding a shim to a custom shim database, you should:

* Create a second custom shim database and add the shim you need to test.
* Test the shim through customer acceptance testing.
* Open the master copy of the shim database.
* Copy and paste the shims from the secondary database into the master database.

You should not add the shim directly to the master copy of the shim database for testing in case the shim introduces additional problems. Instead, you should test the shim from a second database. Once you have verified that the fix works and does not introduce new problems, you can copy the shim (or shims) into the master copy of the shim database.

Question 157

What are the 5 Vista versions?

Answer 157

1. Vista Home Basic
2. Vista Home Premium
3. Vista Ultimate
4. Vista Business
5. Vista Enterprise

Question 158

What are the 5 Windows 7 versions?

Answer 158

1. Windows 7 Home Basic
2. Windows 7 Home Premium
3. Windows 7 Ultimate
4. Windows 7 Professional
5. Windows 7 Enterprise

Question 159

Windows Vista Home Basic can upgrade to what versions of Windows 7?

Answer 159

1. Windows 7 Home Basic
2. Windows 7 Home Premium
3. Windows 7 Ultimate

Question 160

Windows Vista Home Premium can upgrade to what versions of Windows 7?

Answer 160

1. Windows 7 Home Premium
2. Windows 7 Ultimate

Question 161

Windows Vista Ultimate can upgrade to what versions of Windows 7?

Answer 161

1. Windows 7 Ultimate

Question 162

Windows Vista Business can upgrade to what versions of Windows 7?

Answer 162

1. Windows 7 Professional
2. Windows 7 Enterprise
3. Windows 7 Ultimate

Question 163

Windows Vista Enterprise can upgrade to what versions of Windows 7?

Answer 163

1. Windows 7 Enterprise

Question 164

1. What encryption protocols does it support?
2. What authentication methods does it support?
3. Does it require a pre-shared key?

Answer 164

1. TKIP or AES
2. 802.1x server or a pre-shared key
3. No

Question 165

1. What encryption protocols does it support?
2. What authentication methods does it support?
3. Does it require a pre-shared key?

Answer 165

1. TKIP or AES
2. Pre-shared key (PSK)
3. Yes

Question 166

1. What encryption protocols does it support?
2. What authentication methods does it support?
3. Does it require a pre-shared key?

Answer 166

1. WEP
2. Protected Extensible Authenticatioin Protocol (PEAP) or certificate authentication
3. No