
Configuring Windows 7 (Training Kit) - Part 86 pdf


Chapter 10: Lesson Review Answers
Lesson 2
1. Correct Answer: D
A. Incorrect: PPTP VPNs do not support the VPN Reconnect feature in Windows 7.
B. Incorrect: L2TP/IPsec VPNs do not support the VPN Reconnect feature in Windows 7.
C. Incorrect: SSTP VPNs do not support the VPN Reconnect feature in Windows 7.
D. Correct: The IKEv2 VPN type is the only VPN type that supports the VPN Reconnect
feature in Windows 7.
2. Correct Answer: A
A. Correct: SSTP VPN connections work using the same ports as secure Web browsing
connections. This allows users who can browse the Web using a motel Internet
connection to connect through VPN.
B. Incorrect: IKEv2 uses UDP port 500, which is likely to be blocked by firewalls that block
other forms of traffic except common protocols used by Web browsers.
C. Incorrect: PPTP uses port 1723, which is likely to be blocked by firewalls that block other
forms of traffic except common protocols used by Web browsers.
D. Incorrect: L2TP/IPsec uses UDP port 1701, which is likely to be blocked by firewalls that
block other forms of traffic except common protocols used by Web browsers.
3. Correct Answers: C and D
A. Incorrect: SSTP is supported only on Routing and Remote Access servers running
Windows Server 2008 and Windows Server 2008 R2.
B. Incorrect: IKEv2 is supported only on Routing and Remote Access servers running
Windows Server 2008 R2.
C. Correct: PPTP is supported by Routing and Remote Access servers running Windows
Server 2003 R2.
D. Correct: L2TP/IPsec is supported by Routing and Remote Access servers running
Windows Server 2003 R2.
4. Correct Answers: A, B, and C
A. Correct: You can use the PEAP authentication protocol with an IKEv2 VPN.
B. Correct: You can use the EAP-MSCHAP v2 authentication protocol with an IKEv2 VPN.
C. Correct: You can use Microsoft Smart Card or Other Certificate to authenticate an
IKEv2 VPN.
D. Incorrect: You cannot use the CHAP protocol with an IKEv2 VPN. IKEv2 VPNs can be
authenticated only using EAP or computer certificates.
5. Correct Answer: C
A. Incorrect: DirectAccess is not available on computers running Windows 7 Professional. If
DirectAccess were available, this solution would work.
B. Incorrect: You should not configure Remote Desktop Connection to use the Remote
Desktop Gateway at remote-desktop.contoso.internal and then connect to
rdgateway.contoso.com, because the remote desktop gateway is located at
rdgateway.contoso.com. In this answer, the positions of the RD gateway server and the
remote desktop services server are switched.
C. Correct: You should configure Remote Desktop Connection to use the Remote Desktop
Gateway at rdgateway.contoso.com and then connect to remote-desktop.contoso.internal.
D. Incorrect: DirectAccess is not available on computers running Windows 7 Professional.
If it were, you would want to connect to remote-desktop.contoso.internal rather than to
the Remote Desktop Gateway server.
Chapter 10: Case Scenario Answers
Case Scenario 1: Wingtip Toys DirectAccess
1. Upgrade the server to Windows Server 2008 R2. The rest of the server’s configuration
supports DirectAccess because it is a member of the domain, has two consecutive public IP
addresses assigned to its Internet interface, and has the appropriate computer certificates
installed. You can install the DirectAccess feature on this server once it has been upgraded to
the newer operating system.
2. You should create a global security group in the Wingtip Toys domain.
3. Upgrade the client computers to Windows 7 Enterprise or Ultimate edition. Add them to the
security group that you have configured to support DirectAccess. Install computer certificates.
Case Scenario 2: Remote Access at Tailspin Toys
1. Windows 7 Enterprise supports IKEv2 VPNs, though Windows Server 2003 R2 x64 Routing
and Remote Access servers do not. It is necessary to upgrade the Routing and Remote Access
server to Windows Server 2008 R2 to support IKEv2 VPNs.
2. Install an antivirus update server and a WSUS server on the quarantine network so that clients
can update themselves to become compliant.
3. You should use the EAP-MS-CHAPv2 authentication protocol because this allows password
authentication.
Chapter 11: Lesson Review Answers
Lesson 1
1. Correct Answers: A, D, and E
A. Correct: A BitLocker-encrypted volume must be configured with a unique identifier
to be used with a DRA. You must configure the Provide The Unique Identifiers For Your
Organization policy to assign this identifier.
B. Incorrect: The Choose Default Folder For Recovery Password policy allows the recovery
password to be saved in a particular location. A recovery password is different from a DRA,
which involves a special certificate that can be used to recover all BitLocker-encrypted
volumes in an organization.
C. Incorrect: The Choose How Users Can Recover BitLocker Protected Drives policy
specifies whether recovery occurs via a password or a USB flash drive and key. This is
separate from a DRA, which involves a special certificate that can be used to recover all
BitLocker-encrypted volumes in an organization.
D. Correct: You need to specify the DRA to be used in the Computer Configuration\
Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption policy
to configure BitLocker to support DRAs.
E. Correct: You need to configure the Choose How BitLocker-Protected Operating System
Drives Can Be Recovered policy and specify that a DRA can be used to recover protected
operating system drives.
2. Correct Answers: C and D
A. Incorrect: The Control Use Of BitLocker On Removable Drives policy allows BitLocker to
be used on removable drives. You cannot use this policy to restrict usage of removable
drives only to those configured with BitLocker.
B. Incorrect: The Store BitLocker Recovery Information In Active Directory Domain Services
policy, which applies to clients running Windows Vista rather than Windows 7, allows for
BitLocker recovery keys to be stored within AD DS. You cannot use this policy to restrict
usage of removable drives only to those configured with BitLocker.
C. Correct: You need to configure the Deny Write Access To Removable Drives Not Protected
By BitLocker policy. This policy allows you to deny write access to drives not protected by
BitLocker and to specify which BitLocker identifiers are associated with your organization.
D. Correct: The Provide The Unique Identifiers For Your Organization policy allows you to
specify which BitLocker identifiers are associated with your organization. If the BitLocker
identifier that is used with a removable device does not match one of the identifiers
configured in this policy and the Deny Write Access To Removable Drives Not Protected
By BitLocker policy is configured appropriately, users are unable to write data to these
removable devices.
3. Correct Answer: A
A. Correct: By configuring the Require Additional Authentication At Startup policy, it is possible
to disable the BitLocker requirement that a computer have a compatible TPM chip.
B. Incorrect: The Allow Enhanced PINs for Startup policy allows you to use an enhanced
PIN with startup. Configuring this policy does not allow you to bypass the BitLocker
requirement for a TPM chip.
C. Incorrect: The Configure TPM Platform Validation Profile policy configures how the TPM
chip secures the BitLocker encryption key. Configuring this policy does not allow you to
bypass the BitLocker requirement for a TPM chip.
D. Incorrect: The Configure Minimum PIN Length For Startup policy allows you to configure
a minimum PIN length for the startup PIN. Configuring this policy does not allow you to
bypass the BitLocker requirement for a TPM chip.
4. Correct Answer: B
A. Incorrect: The Configure Use Of Passwords For Removable Data Drives policy allows you
to configure password policies for removable data drives. You cannot use this policy to
ensure that BitLocker To Go Reader is available on all FAT-formatted removable devices
protected with BitLocker.
B. Correct: The Allow Access To BitLocker-Protected Removable Data Drives From Earlier
Versions Of Windows policy allows you to ensure that BitLocker To Go Reader is available
on all FAT-formatted removable devices protected with BitLocker.
C. Incorrect: The Choose How BitLocker-Protected Removable Drives Can Be Recovered
policy allows you to configure removable device recovery options. You cannot use this
policy to ensure that BitLocker To Go Reader is available on all FAT-formatted removable
devices protected with BitLocker.
D. Incorrect: The Control Use Of BitLocker On Removable Drives policy determines whether
you can use BitLocker with removable devices on the computer to which the policy
applies. You cannot use this policy to ensure that BitLocker To Go Reader is available on
all FAT-formatted removable devices protected with BitLocker.
5. Correct Answer: A
A. Correct: You can use the Manage-bde.exe command-line utility to determine the
identification string assigned to a BitLocker-protected volume.
B. Incorrect: The Cipher.exe utility allows you to manage EFS rather than BitLocker
encryption. You cannot use Cipher.exe to determine the identification string associated
with a BitLocker-protected volume.
C. Incorrect: The Bcdedit.exe utility allows you to manage boot configuration. You cannot
use Bcdedit.exe to determine the identification string associated with a BitLocker-protected
volume.
D. Incorrect: The Sigverif.exe utility allows you to verify the digital signatures of files.
You cannot use Sigverif.exe to determine the identification string associated with
a BitLocker-protected volume.
Lesson 2
1. Correct Answer: C
A. Incorrect: The command powercfg.exe -devicequery all_devices lists all devices. It does
not provide information about which devices are configured to wake the computer from
any sleep state.
B. Incorrect: The command powercfg.exe -hibernate enables the hibernate option. You
cannot use this command to provide a list of devices that are configured to wake the
computer from any sleep state.
C. Correct: The command powercfg.exe -devicequery wake_armed displays a list of devices
on a computer running Windows 7 that are configured to wake the computer from any
sleep state.
D. Incorrect: The command powercfg.exe -list displays a list of all power schemes in the
current user’s environment. It does not display a list of devices that are configured to
wake the computer from a sleep state.
2. Correct Answers: A, B, and C
A. Correct: A user account that is not a member of the local administrators group can be
used to select a different power plan.
B. Correct: A user account that is not a member of the local administrators group can be
used to create a new power plan.
C. Correct: A user account that is not a member of the local administrators group can be
used to change what the power buttons do.
D. Incorrect: A user account that is not a member of the local administrators group cannot
be used to change the Require A Password On Wakeup setting.
3. Correct Answer: C
A. Incorrect: You cannot use the Power Options control panel to migrate a custom power
plan from one computer running Windows 7 to another.
B. Incorrect: Although you can use the Local Group Policy Editor (Gpedit.msc) to edit power
plan settings, you cannot use the Local Group Policy Editor to migrate power plan settings.
Only security-related settings can be migrated using the Local Group Policy Editor.
C. Correct: You can use Powercfg.exe to migrate a power plan from one computer running
Windows 7 to another.
D. Incorrect: Bcdedit.exe is used to modify a computer’s boot configuration; it cannot be
used to modify a power plan.
4. Correct Answer: B
A. Incorrect: Credential Manager is used to manage stored authentication credentials. You
cannot use Credential Manager to resolve offline file sync conflicts.
B. Correct: The Sync Center control panel can be used to resolve offline file sync conflicts.
C. Incorrect: HomeGroup is used to manage HomeGroup settings. HomeGroup cannot be
used to resolve offline file sync conflicts.
D. Incorrect: Network And Sharing Center cannot be used to resolve offline file sync
conflicts. Network And Sharing Center is used to manage network configuration.
5. Correct Answer: D
A. Incorrect: The Configure Slow Link Speed policy allows you to configure a threshold
value for transitioning to Slow Link mode. Slow Link mode works with files configured
to be available offline. The question states that it is not necessary to specify that a file is
available offline.
B. Incorrect: The Configure Slow Link Mode policy allows you to configure the computer to
be able to use Slow Link mode, which is the default setting for clients running Windows 7.
Slow Link mode works with files configured to be available offline. The question states
that it is not necessary to specify that a file is available offline.
C. Incorrect: The Exclude Files From Being Cached policy is used to block certain file types
from being available offline. This policy cannot be used to configure a client running
Windows 7 to cache files.
D. Correct: Transparent caching allows Windows 7 to cache files locally when the round-trip
latency to the remote file server exceeds a specific value in milliseconds.
Chapter 11: Case Scenario Answers
Case Scenario 1: Accessing Offline Files at Contoso
1. You need to use Powercfg.exe to export the custom power plan from the reference computer
and import the custom power plan on each of the other branch office computers. Group
Policy cannot be used with computers that are not members of an AD DS domain.
2. Enable transparent caching. You cannot enable BranchCache because none of the file servers
at Contoso have the Windows Server 2008 R2 operating system installed.
3. Sync Center is the tool used to resolve offline file synchronization conflicts.
Case Scenario 2: Using BitLocker at Tailspin Toys

1. You can allow users to use BitLocker To Go–encrypted USB storage devices on computers
that are running Windows XP or Windows Vista by configuring the Allow Access To
BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows policy.
2. You can restrict removable device usage through Group Policy so that only devices that are
protected by BitLocker To Go and which have a specific organizational string configured
within BitLocker can be used on clients running Windows 7. You can do this through the Deny
Write Access To Removable Drives Not Protected By BitLocker policy and through the Provide
The Unique Identifiers For Your Organization policy.
3. You can configure a DRA to be used with removable volumes and configure policies to back
up keys and passwords to AD DS.
Chapter 12: Lesson Review Answers
Lesson 1
1. Correct Answer: B
A. Incorrect: Uninstalling installed updates requires elevated privileges and cannot be
performed with a standard user account.
B. Correct: The default Windows 7 Windows Update settings allow standard users to install
updates.
C. Incorrect: The default Windows 7 Windows Update settings do not allow standard
users to change when updates are installed. It is necessary to use elevated privileges to
perform these tasks.
D. Incorrect: The default Windows 7 Windows Update settings do not allow standard users
to change update download and installation behavior. It is necessary to use elevated
privileges to perform these tasks.
E. Incorrect: The default Windows 7 Windows Update settings do not allow standard users
to hide updates. It is necessary to use elevated privileges to perform this task.
2. Correct Answers: B and C
A. Incorrect: You should not change the update settings. Changing the update settings to
stop updates being installed does not ensure that other important updates published
through Windows Update are deployed to clients running Windows 7.
B. Correct: You should uninstall the update. This allows the custom software package to run.
C. Correct: You should hide the update after uninstalling the update. If you do not hide the
update, the update becomes available for installation. Because standard users are able
to install updates by default, this could lead to the problematic update being reinstalled.
Once the fix for the custom software application becomes available, you can unhide the
update and then reinstall it.
D. Incorrect: You should not install the update. This causes problems with the custom
software application.
3. Correct Answer: C
A. Incorrect: You should not configure the Re-Prompt For Restart With Scheduled
Installations policy because it sets the amount of time that a user can postpone
a scheduled restart. It does not ensure that updates scheduled for installation when the
computer was switched off are installed the next time the computer is switched on.
B. Incorrect: You should not configure the Delay Restart For Scheduled Installations policy
because it determines how long Windows waits before automatically restarting after
a scheduled installation. It does not ensure that updates scheduled for installation when
the computer was switched off are installed the next time the computer is switched on.
C. Correct: You should configure the Reschedule Automatic Updates Scheduled Installations
policy because it allows you to configure a computer that is switched off during the
scheduled update period to install updates after it is turned on.
D. Incorrect: You should not configure the No Auto-Restart With Logged On Users For
Scheduled Automatic Updates Installation policy because it allows a user to remain
logged on when installed updates require a restart. It does not ensure that updates
scheduled for installation when the computer was switched off are installed the next time
the computer is switched on.
4. Correct Answer: D
A. Incorrect: You should not configure the Turn Off Software Notification policy. This
policy relates to user notification about available updates. You cannot use it to configure
Windows Update to use a WSUS server rather than the Microsoft Update servers.
B. Incorrect: You should not configure the Automatic Updates Detection Frequency policy.
This policy determines how often Windows Update checks for updates. You cannot use it to
configure Windows Update to use a WSUS server rather than the Microsoft Update servers.
C. Incorrect: You should not configure the Configure Automatic Updates policy. This policy
configures which updates should be installed and whether they should be downloaded or
installed, or whether the logged-on user should be notified. You cannot use it to configure
Windows Update to use a WSUS server rather than the Microsoft Update servers.
D. Correct: You should configure the Specify Intranet Microsoft Update Service Location
policy because it allows you to specify a local WSUS server for updates.
5. Correct Answer: D
A. Incorrect: Microsoft Update does not provide centralized reports for organizations telling
them which clients in the organization are missing specific updates. Microsoft Update
serves as the source for updates in organizations that do not use solutions like WSUS,
System Center Essentials 2007, and SCCM 2007.
B. Incorrect: Because a WSUS server is not deployed in the organization, you cannot use
a WSUS server to determine if updates are missing.
C. Incorrect: You cannot use the Group Policy Management Console to determine whether
updates are missing. The Group Policy Management Console is used to manage Group
Policy in a domain environment.
D. Correct: You can use the MBSA to scan computers that you have administrative
privileges to as a way of determining if they are missing software updates.
Lesson 2
1. Correct Answer: D
A. Incorrect: You should not configure the security level of the Intranet Zone. The security
level manages how Internet Explorer deals with downloads and cookies. Configuring this
setting does not enable Internet Explorer to trust the CA that issued the certificate to
timesheet.contoso.internal.
B. Incorrect: Turning off the Pop-Up Blocker allows pop-ups, but does not allow Internet
Explorer to trust this Web site certificate.
C. Incorrect: Browsing to the Web site using InPrivate Mode does not allow Internet
Explorer to trust the certificate issued to the Web site. Using InPrivate Mode stops
Internet Explorer from recording browser navigation information.
D. Correct: Because the Web site’s certificate has been issued by an internal CA and you
do not work for the organization directly, Internet Explorer has not been configured to
trust the internal CA. To trust the internal CA, navigate to its Web site and download and
install the CA’s certificate.
2. Correct Answers: A and B
A. Correct: To ensure that users do not accidentally blog using the default Blog With
Windows Live accelerator, you should disable it.
B. Correct: To ensure that users are able to use the custom blog accelerator, it is necessary
to install the accelerator.
C. Incorrect: You should not set the Blog With Windows Live accelerator as the default Blog
accelerator for Internet Explorer. Because you do not want users to use this accelerator
accidentally, you should disable it.
D. Incorrect: You should not disable the custom blog accelerator because you want users to
use this accelerator to blog to the intranet site.
3. Correct Answers: A and C
A. Correct: You should configure the www.wingtiptoys.com site as an exception so that
pop-up windows on this site are displayed by Internet Explorer.
B. Incorrect: You should not set the blocking level to Medium because this lets pop-ups
through from sites other than those that are on the exception list.
C. Correct: You should configure the blocking level to High because this blocks all pop-up
windows except those from sites on the exceptions list.
D. Incorrect: You should not set the blocking level to Low because this lets pop-ups
through from sites other than those that are on the exception list.
4. Correct Answer: D
A. Incorrect: The problem is not related to InPrivate Browsing; the problem is related to
Compatibility View as indicated by the statement in the question that the Web sites
display without problems on Windows XP and Vista clients running Internet Explorer.
Although Windows XP and Vista clients can run Internet Explorer 8, this hint suggests
that compatibility is the issue.
B. Incorrect: The problem is not related to InPrivate Filtering; the problem is related to
Compatibility View as indicated by the statement in the question that the Web sites
display without problems on Windows XP and Vista clients running Internet Explorer.
Although Windows XP and Vista clients can run Internet Explorer 8, this hint suggests
that compatibility is the issue.
C. Incorrect: The question states that the Web sites display without problems on Windows
XP and Vista clients running Internet Explorer. Although Windows XP and Vista clients
can run Internet Explorer 8, this hint suggests that compatibility is the issue. Disabling
Compatibility View does not resolve the problem.
D. Correct: You should configure the list of intranet sites that do not display properly
through the Use Policy List Of Internet Explorer 7 Sites policy. Internet Explorer displays
these sites using Compatibility View.
5. Correct Answer: B
A. Incorrect: Starting an InPrivate Browsing session does not stop third-party Web sites
from tracking you if they provide content to multiple sites that you visit. InPrivate
Browsing sessions still accept cookies and transmit data.
B. Correct: Enabling InPrivate Filtering allows Internet Explorer to locate and block content
from third-party Web sites that appear across multiple separate sites during a browsing
session.
C. Incorrect: Disabling the Pop-Up Blocker does not block third-party Web sites that
provide content to a number of sites that you visit from tracking your browsing session
across those sites. Disabling the Pop-Up Blocker means that you are presented with
pop-up Web pages that normally would be blocked.
D. Incorrect: You should not disable SmartScreen Filter. SmartScreen Filter protects you
from phishing attacks. If you disable SmartScreen Filter, Internet Explorer does not warn
you when you visit a Web site that contains malicious software or is suspected of being
involved in phishing.

Chapter 12: Case Scenario Answers
Case Scenario 1: Windows Update at Contoso
1. You should configure the Specify Intranet Microsoft Update Service Location policy for the
computers in the Canberra office. This policy allows you to specify the local WSUS server
address.
2. You should configure the Enabling Windows Update Power Management To Automatically
Wake Up The System To Install Scheduled Updates policy. When this policy is configured on
compatible computers, the computer wakes from hibernation at the scheduled update time.
3. Log on to each computer at the Brisbane and Adelaide offices remotely using Remote
Desktop. Uninstall the update and then hide the update. This ensures that the update is not
installed again automatically.
Case Scenario 2: Internet Explorer at Wingtip Toys
1. You can disable the use of Internet Explorer accelerators through Group Policy. Although it is
possible to disable accelerators manually, unless you disable accelerators through Group Policy,
it is possible for users to reinstall them, or other accelerators, manually.
2. Instruct them to enable InPrivate Filtering. InPrivate Filtering stops browsing sessions being
tracked across multiple sites. InPrivate Browsing does not block browsing sessions being
tracked across multiple sites; it blocks browsing history and data being recorded by Internet
Explorer.
3. Add them to the list of sites to use with Compatibility View, either through the Compatibility
View Settings dialog box or by distributing the list through Group Policy.
